Overview

overview

10

Static

static

ฺฺฺK...ฺฺ

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Downloads.exe

  • Size

    124.3MB

  • Sample

    201118-39bpwbt7a2

  • MD5

    2cff55bcc8fb7625df5ba84a52916cbe

  • SHA1

    3190b1e8108aff05e92d39fd1bba4d8530e94172

  • SHA256

    5b1596929b6b32bc87f4ceca8ebe28540c04a884e8d5d98fbb46e37beeef00d6

  • SHA512

    86d9dc74404471871d13d0899fd792eb9851d0b03a6ef63e78bd7335e83481269f127ee9403cf5499d761c24a3f14e6c80f41168eb93b0cd8ebd0afa6a802481

Score
10/10
agentteslaazorultformbookponyredlinesmokeloaderagilenetaspackv2backdoorbootkitcoreentitycryptonediscoveryevasioninfostealerkeyloggermacropackerpersistenceratrezer0spywarestealertrojanupxvmprotect

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    109.248.203.81
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

http://195.245.112.115/index.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/
rc4.i32
rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://advertserv25.world/logstatx77/

http://mailstatm74.club/logstatx77/

http://kxservx7zx.club/logstatx77/

http://dsmail977sx.xyz/logstatx77/

http://fdmail709.club/logstatx77/

http://servicestar751.club/logstatx77/

http://staradvert9075.club/logstatx77/

http://staradvert1883.club/logstatx77/

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/
rc4.i32
rc4.i32

Extracted

Family

formbook

C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

smokeloader

Version

2017

C2

http://92.53.105.14/

Targets

    • Target

      Downloads.exe

    • Size

      124.3MB

    • MD5

      2cff55bcc8fb7625df5ba84a52916cbe

    • SHA1

      3190b1e8108aff05e92d39fd1bba4d8530e94172

    • SHA256

      5b1596929b6b32bc87f4ceca8ebe28540c04a884e8d5d98fbb46e37beeef00d6

    • SHA512

      86d9dc74404471871d13d0899fd792eb9851d0b03a6ef63e78bd7335e83481269f127ee9403cf5499d761c24a3f14e6c80f41168eb93b0cd8ebd0afa6a802481

    Score
    10/10
    agentteslaazorultformbookponyredlinesmokeloaderagilenetaspackv2backdoorbootkitcoreentitycryptonediscoveryevasioninfostealerkeyloggermacropackerpersistenceratrezer0spywarestealertrojanupxvmprotect

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • AgentTesla Payload

      keyloggerstealer

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Formbook Payload

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

      macro

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spyware

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spyware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

8
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

2
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks