Downloads.exe

General
Target

Downloads.exe

Size

163MB

Sample

201119-6zl3t9wvps

Score
10 /10
MD5

2e5f0d7f3b1505978fa81cf1e70d02d5

SHA1

99a6086d8a23ea12aba3a8ddd7f67c427981622f

SHA256

8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51

SHA512

9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f

Malware Config

Extracted

Family cobaltstrike
C2

http://47.91.237.42:8443/__utm.gif

Attributes
access_type
512
beacon_type
2048
host
47.91.237.42,/__utm.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

Extracted

Credentials

Protocol: ftp

Host: 45.141.184.35

Port: 21

Username: alex

Password: easypassword

Extracted

Family revengerat
Botnet YT
C2

yukselofficial.duckdns.org:5552

Extracted

Family revengerat
Botnet system
C2

yj233.e1.luyouxia.net:20645

Extracted

Family revengerat
Botnet samay
C2

shnf-47787.portmap.io:47787

Extracted

Family hawkeye_reborn
Version 10.1.2.2
Credentials

Protocol: smtp

Host: smtp.yandex.com

Port: 587

Username: mor440ney@yandex.com

Password: castor123@

Attributes
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:mor440ney@yandex.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Extracted

Family revengerat
Botnet XDSDDD
C2

84.91.119.105:333

Extracted

Family revengerat
Botnet Victime
C2

cocohack.dtdns.net:84

Extracted

Family zloader
Botnet main
Campaign 26.02.2020
C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family smokeloader
Version 2019
C2

http://advertserv25.world/logstatx77/

http://mailstatm74.club/logstatx77/

http://kxservx7zx.club/logstatx77/

http://dsmail977sx.xyz/logstatx77/

http://fdmail709.club/logstatx77/

http://servicestar751.club/logstatx77/

http://staradvert9075.club/logstatx77/

http://staradvert1883.club/logstatx77/

rc4.i32
rc4.i32

Extracted

Family revengerat
Botnet INSERT-COIN
C2

3.tcp.ngrok.io:24041

Extracted

Family zloader
Botnet 07/04
C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family zloader
Botnet 09/04
C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family zloader
Botnet 25/03
C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family formbook
Version 4.0
C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

fisioservice.com

tesla-magnumopus.com

cocodrilodigital.com

pinegrovesg.com

traveladventureswithme.com

hebitaixin.com

golphysi.com

gayjeans.com

quickhire.expert

randomviews1.com

eatatnobu.com

topmabati.com

mediaupside.com

spillerakademi.com

thebowtie.store

sensomaticloadcell.com

turismodemadrid.net

yuhe89.com

wernerkrug.com

cdpogo.net

dannynhois.com

realestatestructureddata.com

matewhereareyou.net

laimeibei.ltd

sw328.com

lmwworks.net

xtremefish.com

tonerias.com

dsooneclinicianexpert.com

281clara.com

Extracted

Family gozi_rm3
Botnet 86920224
C2

https://sibelikinciel.xyz

Attributes
build
300869
exe_type
loader
server_id
12
url_path
index.htm
rsa_pubkey.plain
serpent.plain

Extracted

Family emotet
Botnet Epoch3
C2

71.57.180.213:80

185.86.148.68:443

168.235.82.183:8080

181.113.229.139:443

181.134.9.162:80

217.199.160.224:8080

105.209.235.113:8080

216.75.37.196:8080

97.104.107.190:80

203.153.216.182:7080

107.161.30.122:8080

41.106.96.12:80

202.5.47.71:80

201.235.10.215:80

105.213.67.88:80

115.79.195.246:80

179.5.118.12:80

212.112.113.235:80

139.59.12.63:8080

177.37.81.212:443

81.17.93.134:80

46.32.229.152:8080

66.61.94.36:80

172.96.190.154:8080

176.9.93.82:7080

5.79.70.250:8080

190.212.140.6:80

37.46.129.215:8080

115.165.3.213:80

201.213.177.139:80

187.64.128.197:80

92.24.51.238:80

185.208.226.142:8080

50.116.78.109:8080

46.105.131.68:8080

181.114.114.203:80

190.190.15.20:80

198.57.203.63:8080

188.251.213.180:443

185.142.236.163:443

182.176.95.147:80

143.95.101.72:8080

181.164.110.7:80

113.161.148.81:80

51.38.201.19:7080

31.146.61.34:80

75.139.38.211:80

157.7.164.178:8081

203.153.216.178:7080

212.156.133.218:80

rsa_pubkey.plain

Extracted

Family danabot
C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family smokeloader
Version 2017
C2

http://92.53.105.14/

Extracted

Family qakbot
Botnet spx129
Campaign 1590734339
C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

173.173.77.164:443

207.255.161.8:2222

68.39.177.147:995

178.193.33.121:2222

72.209.191.27:443

67.165.206.193:995

64.19.74.29:995

117.199.195.112:443

75.87.161.32:995

188.173.214.88:443

173.22.120.11:2222

96.41.93.96:443

86.125.210.26:443

24.10.42.174:443

47.201.1.210:443

69.92.54.95:995

24.202.42.48:2222

47.205.231.60:443

66.26.160.37:443

65.131.44.40:995

24.110.96.149:443

108.58.9.238:443

77.159.149.74:443

74.56.167.31:443

75.137.239.211:443

47.153.115.154:995

173.172.205.216:443

184.98.104.7:995

24.46.40.189:2222

98.115.138.61:443

Extracted

Family formbook
Version 4.1
C2

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

wuxifanggang.com

alamediationtraining.com

vfoe.team

kms-sp.com

gfidevfight.net

anomadbackpacker.com

21oms.us

australianseniorpreneur.com

valuereceipt.com

superbetbahis.com

rsrgoup.com

hoidonghuongkimson.com

parmedpharma.com

discoveryoverload.com

livetv247.win

jepekha.com

6o5ttvst.biz

netcorrespondents.com

cscycorp.com

emonkeygraphics.com

tillyaeva-lola.news

dgx9.com

jiucai5.com

justwoodsouthern.com

dentalexpertstraining.com

amazoncarpet.com

xsxnet.net

androidaso.com

jinhucai.com

wellnessitaly.store

Extracted

Family raccoon
Botnet 5e4db353b88c002ba6466c06437973619aad03b3
Attributes
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain

Extracted

Family azorult
C2

http://195.245.112.115/index.php

Extracted

Family asyncrat
Version 0.5.7B
C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Attributes
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B
aes.plain

Extracted

Family zloader
Botnet CanadaLoads
Campaign Nerino
C2

https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php

https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php

https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php

https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php

https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php

https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php

https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php

rc4.plain
rsa_pubkey.plain
Targets
Target

Downloads.exe

MD5

2e5f0d7f3b1505978fa81cf1e70d02d5

Filesize

163MB

Score
10 /10
SHA1

99a6086d8a23ea12aba3a8ddd7f67c427981622f

SHA256

8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51

SHA512

9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • AsyncRat

    Description

    AsyncRAT is designed to remotely monitor and control other computers.

    Tags

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • Cobaltstrike

    Description

    Detected malicious payload which is part of Cobaltstrike.

    Tags

  • Contains code to disable Windows Defender

    Description

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • CoreEntity .NET Packer

    Description

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    Tags

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Danabot x86 payload

    Description

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    Tags

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • Gozi RM3

    Description

    A heavily modified version of Gozi using RM3 loader.

    Tags

  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    Tags

  • M00nd3v_Logger

    Description

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    Tags

  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    Tags

  • MassLogger Main Payload

  • ModiLoader, DBatLoader

    Description

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    Tags

  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    Tags

  • RMS

    Description

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    Tags

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • RevengeRAT

    Description

    Remote-access trojan with a wide range of capabilities.

    Tags

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Zloader, Terdot, DELoader, ZeusSphinx

    Description

    Zloader is a malware strain that was initially discovered back in August 2015.

    Tags

  • ACProtect 1.3x - 1.4x DLL software

    Description

    Detects file using ACProtect software.

  • AgentTesla Payload

  • Async RAT payload

    Tags

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Tags

  • Emotet Payload

    Description

    Detects Emotet payload in memory.

  • Formbook Payload

    Tags

  • M00nD3v Logger Payload

    Description

    Detects M00nD3v Logger payload in memory.

  • ModiLoader First Stage

  • Nirsoft

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Tags

  • RevengeRat Executable

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Executes dropped EXE

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • VMProtect packed file

    Description

    Detects executables packed with VMProtect commercial packer.

    Tags

  • Drops startup file

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Tags

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation