Resubmissions

18-11-2020 06:33

201118-kp3zay4l8x 10

17-11-2020 14:23

201117-x4r9kx1cm2 10

17-11-2020 12:54

201117-2kn67e3lma 10

17-11-2020 11:51

201117-b3wmz3vflx 10

17-11-2020 05:56

201117-59lqra7tjj 10

16-11-2020 19:43

201116-cnkkc8tqbj 10

16-11-2020 19:34

201116-6lrkrq9qle 10

General

  • Target

    1.bin.zip

  • Size

    12MB

  • Sample

    201116-cnkkc8tqbj

  • MD5

    5b872c529a9be9f8eb81411c9f639ec7

  • SHA1

    20fb81d7c046952e092267b8f88d1d85d2d1299f

  • SHA256

    e926d3ee85fd63c937375ed6e117264dd30c785f6b642104c086a7be3a168243

  • SHA512

    16b25e9ac50451946e27c6347799ec2760378fe7984308dd4fa00c78986df5ea1d77177daef4ad28b7b591544d9e9d646e402f089fa924c4f485a7202f3d3b97

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pro-powersourcing.com
  • Port:
    587
  • Username:
    vivi@pro-powersourcing.com
  • Password:
    china1977

Extracted

Family

formbook

Version

4.0

C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi_rm3

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes
  • build

    300869

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email Bit_decrypt@protonmail.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: Bit_decrypt@protonmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

Bit_decrypt@protonmail.com

Extracted

Family

qakbot

Botnet

spx129

Campaign

1590734339

C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Targets

    • Target

      1.bin

    • Size

      12MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • AgentTesla Payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Formbook Payload

    • Guloader Payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks