General
-
Target
Downloads.exe
-
Size
163MB
-
Sample
201119-6zl3t9wvps
-
MD5
2e5f0d7f3b1505978fa81cf1e70d02d5
-
SHA1
99a6086d8a23ea12aba3a8ddd7f67c427981622f
-
SHA256
8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51
-
SHA512
9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f
Static task
static1
Behavioral task
behavioral1
Sample
Downloads.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Downloads.exe
Resource
win7v20201028
Malware Config
Extracted
cobaltstrike
http://47.91.237.42:8443/__utm.gif
-
access_type
512
-
beacon_type
2048
-
host
47.91.237.42,/__utm.gif
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
8443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
Extracted
Protocol: ftp- Host:
45.141.184.35 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
revengerat
YT
yukselofficial.duckdns.org:5552
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
Extracted
revengerat
samay
shnf-47787.portmap.io:47787
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
mor440ney@yandex.com - Password:
castor123@
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:mor440ney@yandex.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Extracted
revengerat
XDSDDD
84.91.119.105:333
Extracted
revengerat
Victime
cocohack.dtdns.net:84
Extracted
zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
Extracted
smokeloader
2019
http://advertserv25.world/logstatx77/
http://mailstatm74.club/logstatx77/
http://kxservx7zx.club/logstatx77/
http://dsmail977sx.xyz/logstatx77/
http://fdmail709.club/logstatx77/
http://servicestar751.club/logstatx77/
http://staradvert9075.club/logstatx77/
http://staradvert1883.club/logstatx77/
Extracted
revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
Extracted
zloader
09/04
https://eoieowo.casa/wp-config.php
https://dcgljuzrb.pw/wp-config.php
Extracted
zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
Extracted
formbook
4.0
http://www.worstig.com/w9z/
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
Extracted
gozi_rm3
86920224
https://sibelikinciel.xyz
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
Extracted
emotet
Epoch3
71.57.180.213:80
185.86.148.68:443
168.235.82.183:8080
181.113.229.139:443
181.134.9.162:80
217.199.160.224:8080
105.209.235.113:8080
216.75.37.196:8080
97.104.107.190:80
203.153.216.182:7080
107.161.30.122:8080
41.106.96.12:80
202.5.47.71:80
201.235.10.215:80
105.213.67.88:80
115.79.195.246:80
179.5.118.12:80
212.112.113.235:80
139.59.12.63:8080
177.37.81.212:443
81.17.93.134:80
46.32.229.152:8080
66.61.94.36:80
172.96.190.154:8080
176.9.93.82:7080
5.79.70.250:8080
190.212.140.6:80
37.46.129.215:8080
115.165.3.213:80
201.213.177.139:80
187.64.128.197:80
92.24.51.238:80
185.208.226.142:8080
50.116.78.109:8080
46.105.131.68:8080
181.114.114.203:80
190.190.15.20:80
198.57.203.63:8080
188.251.213.180:443
185.142.236.163:443
182.176.95.147:80
143.95.101.72:8080
181.164.110.7:80
113.161.148.81:80
51.38.201.19:7080
31.146.61.34:80
75.139.38.211:80
157.7.164.178:8081
203.153.216.178:7080
212.156.133.218:80
81.214.253.80:443
87.106.231.60:8080
190.164.75.175:80
77.74.78.80:443
179.62.238.49:80
78.189.60.109:443
177.32.8.85:80
195.201.56.70:8080
190.53.144.120:80
75.127.14.170:8080
177.144.130.105:443
178.33.167.120:8080
192.210.217.94:8080
192.241.220.183:8080
188.0.135.237:80
74.208.173.91:8080
182.187.139.200:8080
172.105.78.244:8080
41.185.29.128:8080
197.83.232.19:80
87.252.100.28:80
115.78.11.155:80
192.163.221.191:8080
91.83.93.103:443
139.99.157.213:8080
Extracted
danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Extracted
smokeloader
2017
http://92.53.105.14/
Extracted
qakbot
spx129
1590734339
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443
188.192.75.8:995
24.229.245.124:995
71.163.225.75:443
75.71.77.59:443
104.36.135.227:443
173.173.77.164:443
207.255.161.8:2222
68.39.177.147:995
178.193.33.121:2222
72.209.191.27:443
67.165.206.193:995
64.19.74.29:995
117.199.195.112:443
75.87.161.32:995
188.173.214.88:443
173.22.120.11:2222
96.41.93.96:443
86.125.210.26:443
24.10.42.174:443
47.201.1.210:443
69.92.54.95:995
24.202.42.48:2222
47.205.231.60:443
66.26.160.37:443
65.131.44.40:995
24.110.96.149:443
108.58.9.238:443
77.159.149.74:443
74.56.167.31:443
75.137.239.211:443
47.153.115.154:995
173.172.205.216:443
184.98.104.7:995
24.46.40.189:2222
98.115.138.61:443
35.142.12.163:2222
189.231.198.212:443
47.146.169.85:443
173.21.10.71:2222
24.42.14.241:443
188.27.6.170:443
89.137.77.237:443
5.13.99.38:995
93.113.90.128:443
72.179.242.236:0
73.210.114.187:443
80.240.26.178:443
85.186.141.62:995
81.103.144.77:443
98.4.227.199:443
24.122.228.88:443
150.143.128.70:2222
47.153.115.154:443
65.116.179.83:443
50.29.181.193:995
189.140.112.184:443
142.129.227.86:443
74.134.46.7:443
220.135.31.140:2222
172.78.87.180:443
24.201.79.208:2078
97.127.144.203:2222
100.4.173.223:443
59.124.10.133:443
89.43.108.19:443
216.163.4.91:443
67.83.54.76:2222
72.204.242.138:443
24.43.22.220:995
67.250.184.157:443
78.97.145.242:443
203.198.96.239:443
104.174.71.153:2222
24.28.183.107:995
197.160.20.211:443
79.117.161.67:21
82.76.239.193:443
69.246.151.5:443
78.96.192.26:443
216.201.162.158:995
108.21.107.203:443
107.2.148.99:443
189.236.218.181:443
75.110.250.89:443
211.24.72.253:443
207.255.161.8:443
162.154.223.73:443
50.104.186.71:443
100.38.123.22:443
96.18.240.158:443
108.183.200.239:443
173.187.170.190:443
100.40.48.96:443
71.80.66.107:443
67.197.97.144:443
69.28.222.54:443
47.136.224.60:443
47.202.98.230:443
184.180.157.203:2222
104.221.4.11:2222
70.173.46.139:443
213.67.45.195:2222
71.31.160.43:22
189.159.113.190:995
98.148.177.77:443
98.116.62.242:443
68.4.137.211:443
108.227.161.27:995
173.187.103.35:443
117.216.185.86:443
75.132.35.60:443
98.219.77.197:443
24.43.22.220:443
207.255.161.8:2087
72.190.101.70:443
189.160.217.221:443
207.255.161.8:32102
24.226.137.154:443
66.222.88.126:995
108.58.9.238:995
1.40.42.4:443
47.152.210.233:443
72.45.14.185:443
82.127.193.151:2222
101.108.113.6:443
98.13.0.128:443
175.111.128.234:995
175.111.128.234:443
216.137.140.236:2222
24.191.214.43:2083
72.177.157.217:443
72.29.181.77:2078
203.106.195.139:443
98.114.185.3:443
Extracted
formbook
4.1
http://www.joomlas123.com/i0qi/
http://www.norjax.com/app/
mytakeawaybox.com
goutaihuo.com
kuzey.site
uppertenpiercings.amsterdam
honeygrandpa.com
jenniferabramslaw.com
ncarian.com
heavilymeditatedhouston.com
gsbjyzx.com
akisanblog.com
taoyuanreed.com
jasperrvservices.com
yabbanet.com
myhealthfuldiet.com
flipdigitalcoins.com
toes.photos
shoottillyoumiss.com
maserental.com
smarteacher.net
hamdimagdeco.com
wuxifanggang.com
alamediationtraining.com
vfoe.team
kms-sp.com
gfidevfight.net
anomadbackpacker.com
21oms.us
australianseniorpreneur.com
valuereceipt.com
superbetbahis.com
rsrgoup.com
hoidonghuongkimson.com
parmedpharma.com
discoveryoverload.com
livetv247.win
jepekha.com
6o5ttvst.biz
netcorrespondents.com
cscycorp.com
emonkeygraphics.com
tillyaeva-lola.news
dgx9.com
jiucai5.com
justwoodsouthern.com
dentalexpertstraining.com
amazoncarpet.com
xsxnet.net
androidaso.com
jinhucai.com
wellnessitaly.store
clashrayalefreebies.com
wxvbill.com
quantun.network
allnaturalcbdshampton.com
mobo.technology
livinglifeawakened.com
canliarkadas.net
littlealohadaycare.com
wendyoei.com
kaz.site
puremind.info
queenscrossingneurosurgery.com
theworldexams.com
taptrips.com
Extracted
raccoon
5e4db353b88c002ba6466c06437973619aad03b3
-
url4cnc
https://telete.in/brikitiki
Extracted
azorult
http://195.245.112.115/index.php
Extracted
asyncrat
0.5.7B
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
Extracted
zloader
CanadaLoads
Nerino
https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php
https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php
https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php
https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php
https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php
https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php
https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php
Targets
-
-
Target
Downloads.exe
-
Size
163MB
-
MD5
2e5f0d7f3b1505978fa81cf1e70d02d5
-
SHA1
99a6086d8a23ea12aba3a8ddd7f67c427981622f
-
SHA256
8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51
-
SHA512
9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f
Score10/10agentteslaasyncratazorultcobaltstrikedanabotemotetformbookgozi_rm3hawkeye_rebornm00nd3v_loggermassloggermodiloaderqakbotraccoonredlinerevengeratrmssmokeloadervidarzloader07/0409/0425/035e4db353b88c002ba6466c06437973619aad03b386920224canadaloadsepoch3insert-coinmainsamayspx129systemvictimexdsdddyt159073433926.02.2020nerinoagilenetaspackv2backdoorbankerbotnetcoreentitycryptoneinfostealerkeyloggerpackerratrezer0spywarestealertrojanupxvmprotect-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
AgentTesla Payload
-
Async RAT payload
-
Emotet Payload
Detects Emotet payload in memory.
-
Formbook Payload
-
M00nD3v Logger Payload
Detects M00nD3v Logger payload in memory.
-
ModiLoader First Stage
-
Nirsoft
-
RevengeRat Executable
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Discovery
Query Registry
3System Information Discovery
4Peripheral Device Discovery
2Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Scheduled Task
1Privilege Escalation