General
-
Target
Downloads.exe
-
Size
163MB
-
Sample
201119-6zl3t9wvps
-
MD5
2e5f0d7f3b1505978fa81cf1e70d02d5
-
SHA1
99a6086d8a23ea12aba3a8ddd7f67c427981622f
-
SHA256
8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51
-
SHA512
9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f
Static task
static1
Behavioral task
behavioral1
Sample
Downloads.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Downloads.exe
Resource
win7v20201028
Malware Config
Extracted
Family |
cobaltstrike |
C2 |
http://47.91.237.42:8443/__utm.gif |
Attributes |
access_type 512
beacon_type 2048
host 47.91.237.42,/__utm.gif
http_header1
http_header2
http_method1 GET
http_method2 POST
maxdns 255
polling_time 60000
port_number 8443
sc_process32 %windir%\syswow64\rundll32.exe
sc_process64 %windir%\sysnative\rundll32.exe
state_machine
unknown1 4096
unknown2
uri /submit.php
user_agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) |
Extracted
Credentials |
Protocol: ftp Host: 45.141.184.35 Port: 21 Username: alex Password: easypassword |
Extracted
Family |
revengerat |
Botnet |
YT |
C2 |
yukselofficial.duckdns.org:5552 |
Extracted
Family |
revengerat |
Botnet |
system |
C2 |
yj233.e1.luyouxia.net:20645 |
Extracted
Family |
revengerat |
Botnet |
samay |
C2 |
shnf-47787.portmap.io:47787 |
Extracted
Family |
hawkeye_reborn |
Version |
10.1.2.2 |
Credentials | Protocol: smtp Host: smtp.yandex.com Port: 587 Username: mor440ney@yandex.com Password: castor123@ |
Attributes |
fields map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:mor440ney@yandex.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null |
Extracted
Family |
revengerat |
Botnet |
XDSDDD |
C2 |
84.91.119.105:333 |
Extracted
Family |
revengerat |
Botnet |
Victime |
C2 |
cocohack.dtdns.net:84 |
Extracted
Family |
zloader |
Botnet |
main |
Campaign |
26.02.2020 |
C2 |
https://airnaa.org/sound.php https://banog.org/sound.php https://rayonch.org/sound.php |
rc4.plain |
|
Extracted
Family |
smokeloader |
Version |
2019 |
C2 |
http://advertserv25.world/logstatx77/ http://mailstatm74.club/logstatx77/ http://kxservx7zx.club/logstatx77/ http://dsmail977sx.xyz/logstatx77/ http://fdmail709.club/logstatx77/ http://servicestar751.club/logstatx77/ http://staradvert9075.club/logstatx77/ http://staradvert1883.club/logstatx77/ |
rc4.i32 |
|
rc4.i32 |
|
Extracted
Family |
revengerat |
Botnet |
INSERT-COIN |
C2 |
3.tcp.ngrok.io:24041 |
Extracted
Family |
zloader |
Botnet |
07/04 |
C2 |
https://xyajbocpggsr.site/wp-config.php https://ooygvpxrb.pw/wp-config.php |
rc4.plain |
|
Extracted
Family |
zloader |
Botnet |
09/04 |
C2 |
https://eoieowo.casa/wp-config.php https://dcgljuzrb.pw/wp-config.php |
rc4.plain |
|
Extracted
Family |
zloader |
Botnet |
25/03 |
C2 |
https://wgyvjbse.pw/milagrecf.php https://botiq.xyz/milagrecf.php |
rc4.plain |
|
Extracted
Family |
formbook |
Version |
4.0 |
C2 |
http://www.worstig.com/w9z/ |
Decoy |
Extracted
Family |
gozi_rm3 |
Botnet |
86920224 |
C2 |
https://sibelikinciel.xyz |
Attributes |
build 300869
exe_type loader
server_id 12
url_path index.htm |
rsa_pubkey.plain |
|
serpent.plain |
|
Extracted
Family |
emotet |
Botnet |
Epoch3 |
C2 |
rsa_pubkey.plain |
|
Extracted
Family |
danabot |
C2 |
92.204.160.54 2.56.213.179 45.153.186.47 93.115.21.29 185.45.193.50 193.34.166.247 |
rsa_pubkey.plain |
|
Extracted
Family |
smokeloader |
Version |
2017 |
C2 |
http://92.53.105.14/ |
Extracted
Family |
qakbot |
Botnet |
spx129 |
Campaign |
1590734339 |
C2 |
Extracted
Family |
formbook |
Version |
4.1 |
C2 |
http://www.joomlas123.com/i0qi/ http://www.norjax.com/app/ |
Decoy |
Extracted
Family |
raccoon |
Botnet |
5e4db353b88c002ba6466c06437973619aad03b3 |
Attributes |
url4cnc https://telete.in/brikitiki |
rc4.plain |
|
rc4.plain |
|
Extracted
Family |
azorult |
C2 |
http://195.245.112.115/index.php |
Extracted
Family |
asyncrat |
Version |
0.5.7B |
C2 |
agentttt.ac.ug:6970 agentpurple.ac.ug:6970 |
Attributes |
aes_key 16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection false
autorun false
bdos false
delay Default
host agentttt.ac.ug,agentpurple.ac.ug
hwid 3
install_file
install_folder %AppData%
mutex AsyncMutex_6SI8OkPnk
pastebin_config null
port 6970
version 0.5.7B |
aes.plain |
|
Extracted
Family |
zloader |
Botnet |
CanadaLoads |
Campaign |
Nerino |
C2 |
https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php |
rc4.plain |
|
rsa_pubkey.plain |
|
Targets
Score
10/10
Tags
agenttesla asyncrat azorult cobaltstrike danabot emotet formbook gozi_rm3 hawkeye_reborn m00nd3v_logger masslogger modiloader qakbot raccoon redline revengerat rms smokeloader vidar zloader 07/04 09/04 25/03 5e4db353b88c002ba6466c06437973619aad03b3 86920224 canadaloads epoch3 insert-coin main samay spx129 system victime xdsddd yt 1590734339 26.02.2020 nerino agilenet aspackv2 backdoor banker botnet coreentity cryptone infostealer keylogger packer rat rezer0 spyware stealer trojan upx vmprotect
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
ACProtect 1.3x - 1.4x DLL software
Detects a file protected with ACProtect software.
-
AgentTesla Payload
-
Async RAT payload
-
Emotet Payload
Detects Emotet payload in memory.
-
Formbook Payload
-
M00nD3v Logger Payload
Detects M00nD3v Logger payload in memory.
-
ModiLoader First Stage
-
Nirsoft
-
RevengeRat Executable
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation