Overview

overview

10

Static

static

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows7_x64

10

Resubmissions

18-11-2020 06:33

201118-kp3zay4l8x 10

17-11-2020 14:23

201117-x4r9kx1cm2 10

17-11-2020 12:54

201117-2kn67e3lma 10

17-11-2020 11:51

201117-b3wmz3vflx 10

17-11-2020 05:56

201117-59lqra7tjj 10

16-11-2020 19:43

201116-cnkkc8tqbj 10

16-11-2020 19:34

201116-6lrkrq9qle 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1.bin.zip

  • Size

    12.5MB

  • Sample

    201117-59lqra7tjj

  • MD5

    5b872c529a9be9f8eb81411c9f639ec7

  • SHA1

    20fb81d7c046952e092267b8f88d1d85d2d1299f

  • SHA256

    e926d3ee85fd63c937375ed6e117264dd30c785f6b642104c086a7be3a168243

  • SHA512

    16b25e9ac50451946e27c6347799ec2760378fe7984308dd4fa00c78986df5ea1d77177daef4ad28b7b591544d9e9d646e402f089fa924c4f485a7202f3d3b97

Score
10/10
agenttesladanabotdharmaformbookgozi_rm3guloaderqakbotwarzonerat86920224spx1291590734339agilenetbankerbotnetcoreentitycryptonedownloaderevasionguloaderinfostealerkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.pro-powersourcing.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    china1977

Extracted

Family

formbook

Version

4.0

C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi_rm3

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes
  • build

    300869

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247
rsa_pubkey.plain

Extracted

Family

formbook

Version

4.1

C2

http://www.norjax.com/app/

http://www.joomlas123.com/i0qi/
Decoy

niresandcard.com

bonusscommesseonline.com

mezhyhirya.com

paklfz.com

bespokewomensuits.com

smarteralarm.info

munespansiyon.com

pmtradehouse.com

hotmobile-uk.com

ntdao.com

zohariaz.com

www145123.com

oceanstateofstyle.com

palermofelicissima.info

yourkinas.com

pthwheel.net

vfmagent.com

xn--3v0bw66b.com

comsystematrisk.win

on9.party

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

qakbot

Botnet

spx129

Campaign

1590734339

C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Targets

    • Target

      1.bin

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    Score
    10/10
    agenttesladanabotdharmaformbookgozi_rm3guloaderqakbotwarzonerat86920224spx1291590734339agilenetbankerbotnetcoreentitycryptonedownloaderevasionguloaderinfostealerkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

      botnet

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

      bankertrojangozi_rm3

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Turns off Windows Defender SpyNet reporting

      evasion

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Windows security bypass

      evasiontrojan

    • AgentTesla Payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Formbook Payload

      rat

    • Guloader Payload

      guloader

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks