Downloads.exe

General
Target

Downloads.exe

Size

163MB

Sample

201119-6zl3t9wvps

Score
10 /10
MD5

2e5f0d7f3b1505978fa81cf1e70d02d5

SHA1

99a6086d8a23ea12aba3a8ddd7f67c427981622f

SHA256

8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51

SHA512

9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f

Malware Config

Extracted

Protocol ftp
Host 45.141.184.35
Port 21
Username alex
Password easypassword

Extracted

Family revengerat
Botnet YT
C2

yukselofficial.duckdns.org:5552

Extracted

Family revengerat
Botnet system
C2

yj233.e1.luyouxia.net:20645

Extracted

Family revengerat
Botnet samay
C2

shnf-47787.portmap.io:47787

Extracted

Family hawkeye_reborn
Version 10.1.2.2
Attributes
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:mor440ney@yandex.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Extracted

Family revengerat
Botnet XDSDDD
C2

84.91.119.105:333

Extracted

Family revengerat
Botnet Victime
C2

cocohack.dtdns.net:84

Extracted

Family zloader
Botnet main
Campaign 26.02.2020
C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family smokeloader
Version 2019
C2

http://advertserv25.world/logstatx77/

http://mailstatm74.club/logstatx77/

http://kxservx7zx.club/logstatx77/

http://dsmail977sx.xyz/logstatx77/

http://fdmail709.club/logstatx77/

http://servicestar751.club/logstatx77/

http://staradvert9075.club/logstatx77/

http://staradvert1883.club/logstatx77/

rc4.i32
rc4.i32

Extracted

Family revengerat
Botnet INSERT-COIN
C2

3.tcp.ngrok.io:24041

Extracted

Family zloader
Botnet 07/04
C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family zloader
Botnet 09/04
C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family zloader
Botnet 25/03
C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family formbook
C2

http://www.worstig.com/w9z/

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

fisioservice.com

tesla-magnumopus.com

cocodrilodigital.com

pinegrovesg.com

traveladventureswithme.com

hebitaixin.com

golphysi.com

gayjeans.com

quickhire.expert

randomviews1.com

eatatnobu.com

topmabati.com

mediaupside.com

spillerakademi.com

thebowtie.store

sensomaticloadcell.com

turismodemadrid.net

yuhe89.com

wernerkrug.com

cdpogo.net

dannynhois.com

realestatestructureddata.com

matewhereareyou.net

laimeibei.ltd

sw328.com

lmwworks.net

xtremefish.com

tonerias.com

dsooneclinicianexpert.com

281clara.com

Extracted

Family emotet
Botnet Epoch3
C2

71.57.180.213:80

185.86.148.68:443

168.235.82.183:8080

181.113.229.139:443

181.134.9.162:80

217.199.160.224:8080

105.209.235.113:8080

216.75.37.196:8080

97.104.107.190:80

203.153.216.182:7080

107.161.30.122:8080

41.106.96.12:80

202.5.47.71:80

201.235.10.215:80

105.213.67.88:80

115.79.195.246:80

179.5.118.12:80

212.112.113.235:80

139.59.12.63:8080

177.37.81.212:443

81.17.93.134:80

46.32.229.152:8080

66.61.94.36:80

172.96.190.154:8080

176.9.93.82:7080

5.79.70.250:8080

190.212.140.6:80

37.46.129.215:8080

115.165.3.213:80

201.213.177.139:80

187.64.128.197:80

92.24.51.238:80

185.208.226.142:8080

50.116.78.109:8080

46.105.131.68:8080

181.114.114.203:80

190.190.15.20:80

198.57.203.63:8080

188.251.213.180:443

185.142.236.163:443

182.176.95.147:80

143.95.101.72:8080

181.164.110.7:80

113.161.148.81:80

51.38.201.19:7080

31.146.61.34:80

75.139.38.211:80

157.7.164.178:8081

203.153.216.178:7080

212.156.133.218:80

rsa_pubkey.plain

Extracted

Family danabot
C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Path C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email Bit_decrypt@protonmail.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: Bit_decrypt@protonmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

Bit_decrypt@protonmail.com

Extracted

Family smokeloader
Version 2017
C2

http://92.53.105.14/

Extracted

Family qakbot
Botnet spx129
Campaign 1590734339
C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

173.173.77.164:443

207.255.161.8:2222

68.39.177.147:995

178.193.33.121:2222

72.209.191.27:443

67.165.206.193:995

64.19.74.29:995

117.199.195.112:443

75.87.161.32:995

188.173.214.88:443

173.22.120.11:2222

96.41.93.96:443

86.125.210.26:443

24.10.42.174:443

47.201.1.210:443

69.92.54.95:995

24.202.42.48:2222

47.205.231.60:443

66.26.160.37:443

65.131.44.40:995

24.110.96.149:443

108.58.9.238:443

77.159.149.74:443

74.56.167.31:443

75.137.239.211:443

47.153.115.154:995

173.172.205.216:443

184.98.104.7:995

24.46.40.189:2222

98.115.138.61:443

Extracted

Path C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
Family hakbit
Ransom Note
To recover your data contact the email below potentialenergy@mail.ru Key Identifier: m2+qbmmit2gzlBWked07GUMNyQb4IWjB8ob54TDT0j1bpIfCHkKjTTk4SVeqaLJ3LTfRzQJz6HdZ6XyLgzNMyIEkIma23+3xLrl4zFI50EO+RuB9Ame/JRs7wlc0jxe8FvCaAa6OvS9mrbX04cV0rYSoOWgdYe2Jrxc0ZLyL9ZC5ei1i4Vx+IzQk4SWsUbSIh7iCj9VjyiPcgrVAs/8UWDBiQX0Zzfk3Caocpaphm10iFDcbVGT2MC1zydDiIa70fZEX+OWQIb6t0tCM1NwRi8UXz2RxU2QUnqqPn/lHVmPQkD8MGmEPUogj61DwaeueG33rxa3Lz0gGlEwZ3rXiAGMVxcQWZW4mu7JfhjEr4MLZb1QYd/i6GKyvv23KNeUEpc5CWjHoENkUD2AmpM55BpBE1PGxVaK1QRFVTw32VpR3d3YHXTuPayEY8n7wY+l6bb6CticRCgChEhu3LwBrM3dfZcOOgsgb2YVPog2b3FHDMqNNV0CMBP4exnpSvRx5Zp8cRNGMaU0ITinIjkZ0efyAU6QhF41upDP/THIohfE7K2C+EbeghW+P3xqL7aOC3G4pZUCVXNTU4PRDBnuf6viJweV5rTM3jeyzNz437yHQ8+e0bPxc7Uec7ernJBXGvTzYqL1T8+Zs/wqz4SZCJ7Q77Yy+TCI0frbXf8CxTak= Number of files that were processed is: 712
Emails

potentialenergy@mail.ru

Extracted

Family azorult
C2

http://195.245.112.115/index.php

Extracted

Family asyncrat
Version 0.5.7B
C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Attributes
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B
aes.plain

Extracted

Family zloader
Botnet CanadaLoads
Campaign Nerino
C2

https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php

https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php

https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php

https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php

https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php

https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php

https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php

rc4.plain
rsa_pubkey.plain
Targets
Target

Downloads.exe

MD5

2e5f0d7f3b1505978fa81cf1e70d02d5

Filesize

163MB

Score
10 /10
SHA1

99a6086d8a23ea12aba3a8ddd7f67c427981622f

SHA256

8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51

SHA512

9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f

Tags

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation