Errors

Reason config extraction: CfgExtr crashed: runtime error: slice bounds out of range [:-1]
Reason office: invalid password

General

  • Target

    Downloads.rar

  • Size

    143MB

  • MD5

    c572596b2caadbc11672ff12af226635

  • SHA1

    57a176459d3f24cf94810efbb6511abca2e7dce2

  • SHA256

    d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

  • SHA512

    d112c32cab043308c8707350679af122a3af504386e3f7ee846c72edbc2e2fd2e825023d5bc0e793853a065df159dfd35c8e32e5370b03cdfa59ab7aa05cd5c6

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.91.237.42:8443/__utm.gif

Attributes

  • access_type
    512
  • beacon_type
    2048
  • host
    47.91.237.42,/__utm.gif
  • http_method1
    GET
  • http_method2
    POST
  • maxdns
    255
  • polling_time
    60000
  • port_number
    8443
  • sc_process32
    %windir%\syswow64\rundll32.exe
  • sc_process64
    %windir%\sysnative\rundll32.exe
  • unknown1
    4096
  • uri
    /submit.php
  • user_agent
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
  • watermark
    305419896

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

srpmx.ddns.net:5552

Attributes

  • reg_key
    c6c84eeabbf10b049aa4efdb90558a88
  • splitter
    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

C2

43.229.151.64:5552

Attributes

  • reg_key
    6825da1e045502b22d4b02d4028214ab
  • splitter
    Y262SUCZ4UJJ

Signatures

  • Cobaltstrike family
  • Njrat family
  • RevengeRat Executable ⋅ 7 IoCs
  • Revengerat family
  • Zloader family
  • CryptOne packer ⋅ 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • UPX packed file ⋅ 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • autoit_exe ⋅ 4 IoCs

    AutoIT scripts compiled to PE executables.

  • NSIS installer ⋅ 5 IoCs

Files

  • Downloads.rar
    .rar
  • 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe
    .dll windows x86 regsvr32
  • 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
    .exe windows x86
  • 0di3x.exe
    .exe windows x86
  • 201106-9sxjh7tvxj_pw_infected.zip
    .zip
  • 4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab
    .dll windows x86
  • 2019-09-02_22-41-10.exe
    .exe windows x86
  • 2c01b007729230c415420ad641ad92eb.exe
    .exe windows x86
  • 31.exe
    .exe windows x86
  • 3DMark 11 Advanced Edition.exe
    .exe windows x86
  • 42f972925508a82236e8533567487761.exe
    .exe windows x86
  • 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    .exe windows x86
  • 6306868794.bin.zip
    .zip
  • c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286
    .exe windows x86
  • 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    .exe windows x86
  • 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    .exe windows x86
  • 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
    .exe windows x86
  • 95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe
    .dll windows x86 regsvr32
  • Archive.zip__ccacaxs2tbz2t6ob3e.exe
    .exe windows x86
  • CVE-2018-15982_PoC.swf
  • DiskInternals_Uneraser_v5_keygen.exe
    .exe windows x86
  • E2-20201118_141759.zip
    .zip
  • f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
    .exe windows x86
  • ForceOp 2.8.7 - By RaiSence.exe
    .exe windows x86
  • HYDRA.exe
    .exe windows x86
  • KLwC6vii.exe
    .exe windows x86
  • Keygen.exe
    .exe windows x86
  • Lonelyscreen.1.2.9.keygen.by.Paradox.exe
    .exe windows x86
  • LtHv0O2KZDK4M637.exe
    .exe windows x86
  • Magic_File_v3_keygen_by_KeygenNinja.exe
    .exe windows x86
  • Malware
  • OnlineInstaller.exe
    .exe windows x86
  • REVENGE-RAT.js.zip
    .zip
  • REVENGE-RAT.js
    .js
  • Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
    .exe windows x86
  • SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985
    .exe windows x86
  • SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869
    .dll windows x86
  • SecurityTaskManager_Setup.exe
    .exe windows x86
  • Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
    .exe windows x86
  • VyprVPN.exe
    .exe windows x86
  • WSHSetup[1].exe
    .exe windows x86
  • Yard.dll
    .dll windows x86
  • ___ _ _____ __ ___/전산 및 비전산자료 보존 요청서.tgz
    .gz
  • 전산 및 비전산자료 보존 요청서.tgz
    .tar
  • b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe
    .exe windows x86
  • b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).exe
    .dll windows x86 regsvr32
  • b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (4).exe
    .dll windows x86 regsvr32
  • b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.exe
    .exe windows x86
  • b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip
    .zip
  • cobaltstrike_shellcode.bin
    .exe windows x86
  • cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe
    .exe windows x86
  • cobaltstrike_shellcode.exe
    .exe windows x86
  • default.exe
    .exe windows x86
  • ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3
    .exe windows x86
  • efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
    .js
  • emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504._exe
    .exe windows x86
  • emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
    .exe windows x86
  • eupdate.exe
    .exe windows x86
  • f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
    .exe windows x64
  • fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
    .exe windows x86
  • fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
    .exe windows x86
  • file(1).exe
    .exe windows x86
  • file.exe
    .exe windows x86
  • gjMEi6eG.exe
    .exe windows x86
  • good.exe
    .exe windows x86
  • hyundai steel-pipe- job 8010(1).exe
    .exe windows x86
  • hyundai steel-pipe- job 8010.exe
    .exe windows x86
  • infected dot net installer.exe
    .exe windows x86
  • inps_979.xls
    .xls windows office2003
  • jar.jar
    .jar
  • june9.dll
    .dll windows x86
  • mouse_2.exe
    .exe windows x86
  • oof.exe
    .exe windows x86
  • openme.exe
    .exe windows x86
  • ou55sg33s_1.exe
    .exe windows x86
  • senate.m4a
    .dll windows x86
  • starticon3.exe
    .exe windows x86
  • str.dll
    .dll windows x86
  • svchost.exe
    .exe windows x86
  • update.exe
    .exe windows x86
  • vir1.xls
    .xls .xlsm office2007
  • wwf[1].exe
    .exe windows x86
  • xNet.dll
    .dll windows x86
  • 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
    .exe windows x86
  • 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
    .exe windows x86