Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

General

  • Target

    Downloads.rar

  • Size

    125.6MB

  • Sample

    201118-n8jh228ctn

  • MD5

    4f662505b8b99848b4a76d8370f54b85

  • SHA1

    855c7461bbc84a54a30ec63be4b8343fca64b20b

  • SHA256

    a2d3d6430f6775951cf988d960cfae4093d7a1e4d0f684ddfffaf4599ace9a71

  • SHA512

    1a5310b7c0b4a946c3f00b09eb2a822b4d0261dce0939b645ac494b32e59fe601eb9305a392a6243be840af7b576dcac4386c95213bfa610d93b4a83abe22fc2

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

http://advertserv25.world/logstatx77/

http://mailstatm74.club/logstatx77/

http://kxservx7zx.club/logstatx77/

http://dsmail977sx.xyz/logstatx77/

http://fdmail709.club/logstatx77/

http://servicestar751.club/logstatx77/

http://staradvert9075.club/logstatx77/

http://staradvert1883.club/logstatx77/

rc4.i32
rc4.i32

Extracted

Family

formbook

Version

4.0

C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

smokeloader

Version

2017

C2

http://92.53.105.14/

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    agentttt.ac.ug,agentpurple.ac.ug

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6970

  • version

    0.5.7B

aes.plain

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    109.248.203.81
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    45.141.184.35
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    109.248.203.91
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.com/i0qi/

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Targets

    • Target

      1.bin

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      VPN/VyprVPN.exe

    • Size

      1.6MB

    • MD5

      f1d5f022e71b8bc9e3241fbb72e87be2

    • SHA1

      1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

    • SHA256

      08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

    • SHA512

      f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • AgentTesla Payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      VPN/xNet.dll

    • Size

      99KB

    • MD5

      bf1f76644bddd20339548ebacf7a48eb

    • SHA1

      38114702114105eb3df3f74bf4c68ef7db436f47

    • SHA256

      5d9c2b1822bcaa71ddeaa5426d4312d8e174766ae8864c7add29d7f44cea87f2

    • SHA512

      76132c9e29a0a3054cd41c56d5184951d392a2abd1995e14b34c40f14b154914a6990c107e7fcf4139344759ae6048e9ecf0bdaf0447c1cd589dfacbf901b7c5

    Score
    1/10
    • Target

      2019-09-02_22-41-10.bin

    • Size

      251KB

    • MD5

      924aa6c26f6f43e0893a40728eac3b32

    • SHA1

      baa9b4c895b09d315ed747b3bd087f4583aa84fc

    • SHA256

      30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

    • SHA512

      3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      31.bin

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    Score
    3/10
    • Target

      3DMark 11 Advanced Edition.bin

    • Size

      11.6MB

    • MD5

      236d7524027dbce337c671906c9fe10b

    • SHA1

      7d345aa201b50273176ae0ec7324739d882da32e

    • SHA256

      400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

    • SHA512

      e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

    Score
    1/10
    • Target

      Archive.zip__ccacaxs2tbz2t6ob3e.bin

    • Size

      430KB

    • MD5

      a3cab1a43ff58b41f61f8ea32319386b

    • SHA1

      94689e1a9e1503f1082b23e6d5984d4587f3b9ec

    • SHA256

      005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

    • SHA512

      8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • Target

      CVE-2018-15982_PoC.swf

    • Size

      12KB

    • MD5

      82fe94beb621a4368e76aa4a51998c00

    • SHA1

      b7c79b8f05c3d998e21d01b07b9ba157160581a9

    • SHA256

      c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb

    • SHA512

      055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Drops startup file

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      WSHSetup[1].bin

    • Size

      898KB

    • MD5

      cb2b4cd74c7b57a12bd822a168e4e608

    • SHA1

      f2182062719f0537071545b77ca75f39c2922bf5

    • SHA256

      5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

    • SHA512

      7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    • Target

      DiskInternals_Uneraser_v5_keygen.bin

    • Size

      12.9MB

    • MD5

      17c4b227deaa34d22dd0addfb0034e04

    • SHA1

      0cf926384df162bc88ae7c97d1b1b9523ac6b88c

    • SHA256

      a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e

    • SHA512

      691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visiblity of hidden/system files in Explorer

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • UAC bypass

    • Windows security bypass

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Target

      ForceOp 2.8.7 - By RaiSence.bin

    • Size

      1.0MB

    • MD5

      0a88ebdd3ae5ab0b006d4eaa2f5bc4b2

    • SHA1

      6bf1215ac7b1fde54442a9d075c84544b6e80d50

    • SHA256

      26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680

    • SHA512

      54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37

    Score
    8/10
    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks for any installed AV software in registry

    • Drops file in System32 directory

    • Target

      HYDRA.bin

    • Size

      2.6MB

    • MD5

      c52bc39684c52886712971a92f339b23

    • SHA1

      c5cb39850affb7ed322bfb0a4900e17c54f95a11

    • SHA256

      f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

    • SHA512

      2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

    Score
    1/10
    • Target

      Keygen.bin

    • Size

      849KB

    • MD5

      dbde61502c5c0e17ebc6919f361c32b9

    • SHA1

      189749cf0b66a9f560b68861f98c22cdbcafc566

    • SHA256

      88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

    • SHA512

      d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

    Score
    1/10
    • Target

      LtHv0O2KZDK4M637.bin

    • Size

      10.6MB

    • MD5

      5e25abc3a3ad181d2213e47fa36c4a37

    • SHA1

      ba365097003860c8fb9d332f377e2f8103d220e0

    • SHA256

      3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

    • SHA512

      676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      OnlineInstaller.bin

    • Size

      3.6MB

    • MD5

      4b042bfd9c11ab6a3fb78fa5c34f55d0

    • SHA1

      b0f506640c205d3fbcfe90bde81e49934b870eab

    • SHA256

      59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

    • SHA512

      dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

    Score
    3/10
    • Target

      Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin

    • Size

      9.5MB

    • MD5

      edcc1a529ea8d2c51592d412d23c057e

    • SHA1

      1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

    • SHA256

      970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

    • SHA512

      c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

    Score
    1/10
    • Target

      Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin

    • Size

      10.5MB

    • MD5

      8103aad9a6f5ee1fb4f764fc5782822a

    • SHA1

      4fb4f963243d7cb65394e59de787aebe020b654c

    • SHA256

      4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

    • SHA512

      e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

    Score
    3/10
    • Target

      VyprVPN.exe

    • Size

      1.6MB

    • MD5

      f1d5f022e71b8bc9e3241fbb72e87be2

    • SHA1

      1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

    • SHA256

      08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

    • SHA512

      f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

    • Phorphiex Worm

      Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Windows security bypass

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Target

      WSHSetup[1].bin

    • Size

      898KB

    • MD5

      cb2b4cd74c7b57a12bd822a168e4e608

    • SHA1

      f2182062719f0537071545b77ca75f39c2922bf5

    • SHA256

      5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

    • SHA512

      7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

    Score
    8/10
    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      api

    • Size

      22.9MB

    • MD5

      3561a1c35184a0b60b89f4b560a9660d

    • SHA1

      e39442388db90a088a8eb8ce46d4f61182334a1b

    • SHA256

      3f1e28e961239c01602b1ce7555f51778c9f369b059ef07b75a7d9dee70ff8b1

    • SHA512

      7a83a669e8a72d6ec83952c9d57cc8059a6fff6f3564dab69ad50ca939a7d8e3f3d7d9ed74f8d06d060a39f8c4525fcfdcdecf2550c6fe57da0bef3df1f5ee75

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visiblity of hidden/system files in Explorer

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Detected Stratum cryptominer command

      Looks to be attempting to contact Stratum mining pool.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • XMRig Miner Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Target

      efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

    • Size

      920KB

    • MD5

      4339e3b6d6cf2603cc780e8e032e82f6

    • SHA1

      195c244a037815ec13d469e3b28e62a0e10bed56

    • SHA256

      efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4

    • SHA512

      a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87

    Score
    1/10
    • Target

      good.bin

    • Size

      143KB

    • MD5

      b034e2a7cd76b757b7c62ce514b378b4

    • SHA1

      27d15f36cb5e3338a19a7f6441ece58439f830f2

    • SHA256

      90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

    • SHA512

      1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

    Score
    1/10
    • Target

      infected dot net installer.bin

    • Size

      1.7MB

    • MD5

      6eb2b081d12ad12c2ce50da34438651d

    • SHA1

      2092c0733ec3a3c514568b6009ee53b9d2ad8dc4

    • SHA256

      1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104

    • SHA512

      881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • AgentTesla Payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      update.bin

    • Size

      12.0MB

    • MD5

      c5c8d4f5d9f26bac32d43854af721fb3

    • SHA1

      e4119a28baa102a28ff9b681f6bbb0275c9627c7

    • SHA256

      3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402

    • SHA512

      09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      vir1.xls

    • Size

      303KB

    • MD5

      f5ec41ec42ebdec9404692dde8fb9d15

    • SHA1

      39f10e1ea5153fa70be025a2d392dcf62966412e

    • SHA256

      7a5d5f4ceb3c815d6fb882777d0859b9757e27edd5a95eb1c2b88dc438d09c92

    • SHA512

      359fddc66f069137e030d2a039ddcfc76ab0e22769ff58f3a0571bae81fb94f87aed23c995eeab545c578e065339f3c1ea2b0623d33835f44054672f717f9952

    Score
    1/10
    • Target

      xNet.dll

    • Size

      99KB

    • MD5

      bf1f76644bddd20339548ebacf7a48eb

    • SHA1

      38114702114105eb3df3f74bf4c68ef7db436f47

    • SHA256

      5d9c2b1822bcaa71ddeaa5426d4312d8e174766ae8864c7add29d7f44cea87f2

    • SHA512

      76132c9e29a0a3054cd41c56d5184951d392a2abd1995e14b34c40f14b154914a6990c107e7fcf4139344759ae6048e9ecf0bdaf0447c1cd589dfacbf901b7c5

    Score
    3/10

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

5
T1053

Command-Line Interface

2
T1059

Persistence

Registry Run Keys / Startup Folder

10
T1060

New Service

1
T1050

Scheduled Task

5
T1053

Modify Existing Service

6
T1031

Hidden Files and Directories

6
T1158

Account Manipulation

2
T1098

Winlogon Helper DLL

4
T1004

Privilege Escalation

New Service

1
T1050

Scheduled Task

5
T1053

Bypass User Account Control

1
T1088

Defense Evasion

Virtualization/Sandbox Evasion

4
T1497

Modify Registry

25
T1112

Install Root Certificate

1
T1130

Disabling Security Tools

7
T1089

Hidden Files and Directories

6
T1158

Bypass User Account Control

1
T1088

Impair Defenses

2
T1562

File Permissions Modification

2
T1222

Credential Access

Credentials in Files

16
T1081

Discovery

Query Registry

25
T1012

Peripheral Device Discovery

4
T1120

System Information Discovery

33
T1082

Virtualization/Sandbox Evasion

4
T1497

Security Software Discovery

1
T1063

Remote System Discovery

2
T1018

Collection

Data from Local System

16
T1005

Command and Control

Web Service

3
T1102

Impact

Service Stop

2
T1489

Tasks

static1

upx
Score
8/10

behavioral1

smokeloaderbackdoortrojan
Score
10/10

behavioral2

agenttesladharmaformbookagilenetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
Score
10/10

behavioral3

Score
1/10

behavioral4

discoverypersistencespywarestealer
Score
8/10

behavioral5

Score
3/10

behavioral6

Score
1/10

behavioral7

dcratinfostealerrat
Score
10/10

behavioral8

smokeloaderbackdoorpersistencetrojan
Score
10/10

behavioral9

asyncratazorultoskiraccoondiscoveryinfostealerratspywarestealertrojan
Score
10/10

behavioral10

azorultrmsaspackv2discoveryevasioninfostealerpersistenceratspywarestealertrojanupx
Score
10/10

behavioral11

Score
8/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

persistencespywarestealer
Score
10/10

behavioral15

Score
3/10

behavioral16

Score
1/10

behavioral17

Score
3/10

behavioral18

phorphiexevasionloaderpersistencetrojanupxworm
Score
10/10

behavioral19

macropersistence
Score
8/10

behavioral20

azorultredlinermsxmrigaspackv2discoveryevasioninfostealerminerpersistenceratspywarestealertrojanupx
Score
10/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

agenttesladharmaformbookagilenetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
Score
10/10

behavioral24

persistencespywarestealer
Score
10/10

behavioral25

Score
1/10

behavioral26

Score
3/10