General
-
Target
Downloads.exe
-
Size
124.3MB
-
Sample
201118-39bpwbt7a2
-
MD5
2cff55bcc8fb7625df5ba84a52916cbe
-
SHA1
3190b1e8108aff05e92d39fd1bba4d8530e94172
-
SHA256
5b1596929b6b32bc87f4ceca8ebe28540c04a884e8d5d98fbb46e37beeef00d6
-
SHA512
86d9dc74404471871d13d0899fd792eb9851d0b03a6ef63e78bd7335e83481269f127ee9403cf5499d761c24a3f14e6c80f41168eb93b0cd8ebd0afa6a802481
Malware Config
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
azorult
http://kvaka.li/1210776429.php
http://195.245.112.115/index.php
Extracted
smokeloader
2020
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://vintrsi.com/upload/
http://woatdert.com/upload/
http://waruse.com/upload/
Extracted
smokeloader
2019
http://advertserv25.world/logstatx77/
http://mailstatm74.club/logstatx77/
http://kxservx7zx.club/logstatx77/
http://dsmail977sx.xyz/logstatx77/
http://fdmail709.club/logstatx77/
http://servicestar751.club/logstatx77/
http://staradvert9075.club/logstatx77/
http://staradvert1883.club/logstatx77/
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
Extracted
formbook
http://www.worstig.com/w9z/
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
Extracted
smokeloader
2017
http://92.53.105.14/
Targets
-
-
Target
Downloads.exe
-
Size
124.3MB
-
MD5
2cff55bcc8fb7625df5ba84a52916cbe
-
SHA1
3190b1e8108aff05e92d39fd1bba4d8530e94172
-
SHA256
5b1596929b6b32bc87f4ceca8ebe28540c04a884e8d5d98fbb46e37beeef00d6
-
SHA512
86d9dc74404471871d13d0899fd792eb9851d0b03a6ef63e78bd7335e83481269f127ee9403cf5499d761c24a3f14e6c80f41168eb93b0cd8ebd0afa6a802481
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
AgentTesla Payload
-
CryptOne packer
Detects CryptOne packer defined in NCC blogpost.
-
Formbook Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
ServiceHost packer
Detects ServiceHost packer used for .NET malware
-
rezer0
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Blacklisted process makes network request
-
Executes dropped EXE
-
Suspicious Office macro
Office document equipped with 4.0 macros.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
JavaScript code in executable
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-