1.bin.zip

General
Target

1.bin.zip

Size

12MB

Sample

201118-kp3zay4l8x

Score
10 /10
MD5

5b872c529a9be9f8eb81411c9f639ec7

SHA1

20fb81d7c046952e092267b8f88d1d85d2d1299f

SHA256

e926d3ee85fd63c937375ed6e117264dd30c785f6b642104c086a7be3a168243

SHA512

16b25e9ac50451946e27c6347799ec2760378fe7984308dd4fa00c78986df5ea1d77177daef4ad28b7b591544d9e9d646e402f089fa924c4f485a7202f3d3b97

Malware Config

Extracted

Family formbook
Version 4.0
C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

fisioservice.com

tesla-magnumopus.com

cocodrilodigital.com

pinegrovesg.com

traveladventureswithme.com

hebitaixin.com

golphysi.com

gayjeans.com

quickhire.expert

randomviews1.com

eatatnobu.com

topmabati.com

mediaupside.com

spillerakademi.com

thebowtie.store

sensomaticloadcell.com

turismodemadrid.net

yuhe89.com

wernerkrug.com

cdpogo.net

dannynhois.com

realestatestructureddata.com

matewhereareyou.net

laimeibei.ltd

sw328.com

lmwworks.net

xtremefish.com

tonerias.com

dsooneclinicianexpert.com

281clara.com

Extracted

Family gozi_rm3
Botnet 86920224
C2

https://sibelikinciel.xyz

Attributes
build
300869
exe_type
loader
server_id
12
url_path
index.htm
rsa_pubkey.plain
serpent.plain

Extracted

Family danabot
C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family formbook
Version 4.1
C2

http://www.norjax.com/app/

http://www.joomlas123.com/i0qi/

Decoy

niresandcard.com

bonusscommesseonline.com

mezhyhirya.com

paklfz.com

bespokewomensuits.com

smarteralarm.info

munespansiyon.com

pmtradehouse.com

hotmobile-uk.com

ntdao.com

zohariaz.com

www145123.com

oceanstateofstyle.com

palermofelicissima.info

yourkinas.com

pthwheel.net

vfmagent.com

xn--3v0bw66b.com

comsystematrisk.win

on9.party

isnxwa.info

my-smarfreen3.com

eareddoor.com

kfo-sonnenberg.com

conceptweaversindia.online

ledgermapping.com

fashionartandmore.com

broemail.com

bs3399.com

minds4rent.com

182man.com

dionclarke.com

naakwaley.com

huoerguosicaiwu.net

langongzi.net

haz-rnatresponse.com

confidentcharm.com

yshtjs.com

phiscalp.com

walletcasebuy.com

history.fail

al208.com

kitkatwaitressing.com

fxmetrix.com

riyacan.com

garrettfitz.com

worldaspect.win

serviciodomicilio.com

yngny.com

acaes.info

Extracted

Family warzonerat
C2

shawcn1.sytes.net:4825

Extracted

Path C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email Bit_decrypt@protonmail.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: Bit_decrypt@protonmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

Bit_decrypt@protonmail.com

Extracted

Family qakbot
Botnet spx129
Campaign 1590734339
C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

173.173.77.164:443

207.255.161.8:2222

68.39.177.147:995

178.193.33.121:2222

72.209.191.27:443

67.165.206.193:995

64.19.74.29:995

117.199.195.112:443

75.87.161.32:995

188.173.214.88:443

173.22.120.11:2222

96.41.93.96:443

86.125.210.26:443

24.10.42.174:443

47.201.1.210:443

69.92.54.95:995

24.202.42.48:2222

47.205.231.60:443

66.26.160.37:443

65.131.44.40:995

24.110.96.149:443

108.58.9.238:443

77.159.149.74:443

74.56.167.31:443

75.137.239.211:443

47.153.115.154:995

173.172.205.216:443

184.98.104.7:995

24.46.40.189:2222

98.115.138.61:443

Extracted

Credentials

Protocol: smtp

Host: mail.pro-powersourcing.com

Port: 587

Username: vivi@pro-powersourcing.com

Password: china1977

Targets
Target

1.bin

MD5

af8e86c5d4198549f6375df9378f983c

Filesize

12MB

Score
10 /10
SHA1

7ab5ed449b891bd4899fba62d027a2cc26a05e6f

SHA256

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

SHA512

137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • CoreEntity .NET Packer

    Description

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    Tags

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Danabot x86 payload

    Description

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    Tags

  • Dharma

    Description

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    Tags

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • Gozi RM3

    Description

    A heavily modified version of Gozi using RM3 loader.

    Tags

  • Guloader,Cloudeye

    Description

    A shellcode based downloader first seen in 2020.

    Tags

  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    Tags

  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    Tags

  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    Tags

  • AgentTesla Payload

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Formbook Payload

    Tags

  • Guloader Payload

    Tags

  • Looks for VirtualBox Guest Additions in registry

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Tags

  • Warzone RAT Payload

    Tags

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks QEMU agent file

    Description

    Checks presence of QEMU agent, possibly to detect virtualization.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Drops desktop.ini file(s)

  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix