Resubmissions
18-11-2020 06:33  201118-kp3zay4l8x  10
17-11-2020 14:23  201117-x4r9kx1cm2  10
17-11-2020 12:54  201117-2kn67e3lma  10
17-11-2020 11:51  201117-b3wmz3vflx  10
17-11-2020 05:56  201117-59lqra7tjj  10
16-11-2020 19:43  201116-cnkkc8tqbj  10
16-11-2020 19:34  201116-6lrkrq9qle  10

Analysis
max time kernel: 5s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 16-11-2020 19:34
Static task: static1
Behavioral task: behavioral1
Sample: 1.bin.exe
Resource: win7v20201028
General
Malware Config
Extracted
formbook
4.0
http://www.worstig.com/w9z/
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
Extracted
gozi_rm3
86920224
https://sibelikinciel.xyz
build: 300869
exe_type: loader
server_id: 12
url_path: index.htm
Extracted
formbook
4.1
http://www.norjax.com/app/
http://www.joomlas123.com/i0qi/
niresandcard.com
bonusscommesseonline.com
mezhyhirya.com
paklfz.com
bespokewomensuits.com
smarteralarm.info
munespansiyon.com
pmtradehouse.com
hotmobile-uk.com
ntdao.com
zohariaz.com
www145123.com
oceanstateofstyle.com
palermofelicissima.info
yourkinas.com
pthwheel.net
vfmagent.com
xn--3v0bw66b.com
comsystematrisk.win
on9.party
isnxwa.info
my-smarfreen3.com
eareddoor.com
kfo-sonnenberg.com
conceptweaversindia.online
ledgermapping.com
fashionartandmore.com
broemail.com
bs3399.com
minds4rent.com
182man.com
dionclarke.com
naakwaley.com
huoerguosicaiwu.net
langongzi.net
haz-rnatresponse.com
confidentcharm.com
yshtjs.com
phiscalp.com
walletcasebuy.com
history.fail
al208.com
kitkatwaitressing.com
fxmetrix.com
riyacan.com
garrettfitz.com
worldaspect.win
serviciodomicilio.com
yngny.com
acaes.info
jujiangxizang.com
mysteryvacay.com
extensiverevive.com
feelgoodpainting.com
dtechconsultants.com
manufacturehealth.com
khmernature.com
archaicways.com
westlakegranturismo.com
transporteselruso.com
cultclassics.net
anne-nelson.com
warminch.com
bihusomu40.win
Extracted
danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
resource  yara_rule
behavioral2/memory/1796-83-0x0000000004F50000-0x0000000004F52000-memory.dmp  coreentity
Danabot x86 payload 4 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource  yara_rule
behavioral2/files/0x00040000000190b0-247.dat  family_danabot
behavioral2/files/0x00040000000190b0-246.dat  family_danabot
behavioral2/files/0x00040000000190b0-262.dat  family_danabot
behavioral2/files/0x00040000000190b0-261.dat  family_danabot
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

AgentTesla Payload 10 IoCs
resource  yara_rule
behavioral2/files/0x000100000001ab6e-43.dat  family_agenttesla
behavioral2/files/0x000100000001ab6e-42.dat  family_agenttesla
behavioral2/files/0x0002000000019266-202.dat  family_agenttesla
behavioral2/files/0x0002000000019266-200.dat  family_agenttesla
behavioral2/memory/4256-236-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
behavioral2/memory/4256-238-0x000000000044CCFE-mapping.dmp  family_agenttesla
behavioral2/memory/2736-363-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
behavioral2/memory/2736-364-0x000000000044C82E-mapping.dmp  family_agenttesla
behavioral2/memory/4164-370-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
behavioral2/memory/4164-382-0x000000000044CF8E-mapping.dmp  family_agenttesla

resource  yara_rule
behavioral2/files/0x000100000001ab6c-29.dat  cryptone
behavioral2/files/0x000100000001ab6c-28.dat  cryptone
behavioral2/files/0x000100000001ab81-361.dat  cryptone
behavioral2/files/0x000100000001ab81-360.dat  cryptone
behavioral2/files/0x000100000001ab81-398.dat  cryptone
behavioral2/files/0x000400000001ab61-421.dat  cryptone
behavioral2/files/0x000400000001ab61-420.dat  cryptone
Formbook Payload 12 IoCs
resource  yara_rule
behavioral2/memory/1364-16-0x0000000000400000-0x000000000042D000-memory.dmp  formbook
behavioral2/memory/1364-18-0x000000000041E2D0-mapping.dmp  formbook
behavioral2/memory/2600-54-0x0000000000000000-mapping.dmp  formbook
behavioral2/memory/4356-235-0x0000000000400000-0x000000000042D000-memory.dmp  formbook
behavioral2/memory/4332-251-0x0000000000000000-mapping.dmp  formbook
behavioral2/memory/4356-237-0x000000000041E270-mapping.dmp  formbook
behavioral2/memory/4600-291-0x0000000000000000-mapping.dmp  formbook
behavioral2/memory/4600-331-0x00000000AD2F2D84-mapping.dmp  formbook
behavioral2/memory/2600-328-0x0000000003130000-0x0000000003264000-memory.dmp  formbook
behavioral2/memory/4332-402-0x0000000006620000-0x0000000006739000-memory.dmp  formbook
behavioral2/memory/4600-404-0x0000000000000000-mapping.dmp  formbook
behavioral2/memory/4028-441-0x000000000041E2D0-mapping.dmp  formbook
Guloader Payload 1 IoCs
resource  yara_rule
behavioral2/memory/4504-160-0x00000000004015B0-mapping.dmp  family_guloader
ReZer0 packer 3 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource  yara_rule
behavioral2/memory/1796-86-0x00000000082F0000-0x0000000008343000-memory.dmp  rezer0
behavioral2/memory/5104-342-0x0000000008730000-0x0000000008783000-memory.dmp  rezer0
behavioral2/memory/4156-399-0x0000000006430000-0x0000000006481000-memory.dmp  rezer0
Executes dropped EXE 7 IoCs
pid   Process
1324  2.exe
772   3.exe
2016  4.exe
1364  2.exe
2264  5.exe
376   6.exe
2164  7.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource  yara_rule
behavioral2/memory/2212-50-0x0000000002BB0000-0x0000000002BBF000-memory.dmp  agile_net
Suspicious use of SetThreadContext 2 IoCs
description                             pid   Process  procid_target
PID 1324 set thread context of 1364     1324  2.exe    82
PID 1364 set thread context of 3116     1364  2.exe    58
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class 1 IoCs
description  ioc                                                                                   Process
Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings  cmd.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
1324  2.exe
1324  2.exe
1364  2.exe
1364  2.exe
1364  2.exe
1364  2.exe

Suspicious behavior: MapViewOfSection 2 IoCs
pid   Process
1324  2.exe
1364  2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  1364  2.exe
Token: SeDebugPrivilege  2264  5.exe

Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
772   3.exe
2264  5.exe
2164  7.exe

Suspicious use of WriteProcessMemory 28 IoCs
description                        pid   Process       procid_target
PID 4068 wrote to memory of 2516   4068  1.bin.exe     75
PID 4068 wrote to memory of 2516   4068  1.bin.exe     75
PID 2516 wrote to memory of 2488   2516  cmd.exe       78
PID 2516 wrote to memory of 2488   2516  cmd.exe       78
PID 2516 wrote to memory of 1324   2516  cmd.exe       79
PID 2516 wrote to memory of 1324   2516  cmd.exe       79
PID 2516 wrote to memory of 1324   2516  cmd.exe       79
PID 2516 wrote to memory of 772    2516  cmd.exe       80
PID 2516 wrote to memory of 772    2516  cmd.exe       80
PID 2516 wrote to memory of 772    2516  cmd.exe       80
PID 2516 wrote to memory of 2016   2516  cmd.exe       81
PID 2516 wrote to memory of 2016   2516  cmd.exe       81
PID 2516 wrote to memory of 2016   2516  cmd.exe       81
PID 1324 wrote to memory of 1364   1324  2.exe         82
PID 1324 wrote to memory of 1364   1324  2.exe         82
PID 1324 wrote to memory of 1364   1324  2.exe         82
PID 2516 wrote to memory of 2264   2516  cmd.exe       84
PID 2516 wrote to memory of 2264   2516  cmd.exe       84
PID 2516 wrote to memory of 2264   2516  cmd.exe       84
PID 2516 wrote to memory of 376    2516  cmd.exe       86
PID 2516 wrote to memory of 376    2516  cmd.exe       86
PID 2516 wrote to memory of 376    2516  cmd.exe       86
PID 3116 wrote to memory of 2600   3116  Explorer.EXE  88
PID 3116 wrote to memory of 2600   3116  Explorer.EXE  88
PID 3116 wrote to memory of 2600   3116  Explorer.EXE  88
PID 2516 wrote to memory of 2164   2516  cmd.exe       89
PID 2516 wrote to memory of 2164   2516  cmd.exe       89
PID 2516 wrote to memory of 2164   2516  cmd.exe       89
Processes

C:\Windows\Explorer.EXE  (PID 3116, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1.bin.exe  (PID 4068, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\1.bin.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (PID 2516, depth 3)
      command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\33B8.tmp\33B9.tmp\33BA.bat C:\Users\Admin\AppData\Local\Temp\1.bin.exe"
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe  (PID 2488, depth 4)
        command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"

      C:\Users\Admin\AppData\Roaming\2.exe  (PID 1324, depth 4)
        command line: C:\Users\Admin\AppData\Roaming\2.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\2.exe  (PID 1364, depth 5)
          command line: C:\Users\Admin\AppData\Roaming\2.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Roaming\3.exe  (PID 772, depth 4)
        command line: C:\Users\Admin\AppData\Roaming\3.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\4.exe  (PID 2016, depth 4)
        command line: C:\Users\Admin\AppData\Roaming\4.exe
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\5.exe  (PID 2264, depth 4)
        command line: C:\Users\Admin\AppData\Roaming\5.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\6.exe  (PID 376, depth 4)
        command line: C:\Users\Admin\AppData\Roaming\6.exe
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\7.exe  (PID 2164, depth 4)
        command line: C:\Users\Admin\AppData\Roaming\7.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\autochk.exe  (PID 1656, depth 2)
    command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\wscript.exe  (PID 2600, depth 2)
    command line: "C:\Windows\SysWOW64\wscript.exe"