General
-
Target
Downloads.rar
-
Size
154.7MB
-
Sample
210119-s26yznnqsn
-
MD5
f82e19eade5962a21f69504a854de42e
-
SHA1
2af264fdf337f13723e4f2d5ca4904e083db56ae
-
SHA256
1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f
-
SHA512
a7b0a23e8765d4f98edc6e912a75116584217ede98dd7fd81523b6d19cef4192135745efe52219bf198cab2b3a5f798b26331422c0a5da45f0b163a155e8092a
Malware Config
Extracted
zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
Extracted
revengerat
XDSDDD
84.91.119.105:333
RV_MUTEX-wtZlNApdygPh
Extracted
revengerat
Victime
cocohack.dtdns.net:84
RV_MUTEX-OKuSAtYBxGgZHx
Extracted
zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
Extracted
revengerat
samay
shnf-47787.portmap.io:47787
RV_MUTEX
Extracted
zloader
09/04
https://eoieowo.casa/wp-config.php
https://dcgljuzrb.pw/wp-config.php
Extracted
revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
RV_MUTEX
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted
revengerat
YT
yukselofficial.duckdns.org:5552
RV_MUTEX-WlgZblRvZwfRtNH
Extracted
smokeloader
2020
http://etasuklavish.today/
http://mragyzmachnobesdi.today/
http://kimchinikuzims.today/
http://slacvostinrius.today/
http://straponuliusyn.today/
http://grammmdinss.today/
http://viprasputinsd.chimkent.su/
http://lupadypa.dagestan.su/
http://stoknolimchin.exnet.su/
http://musaroprovadnikov.live/
http://teemforyourexprensiti.life/
http://stolkgolmishutich.termez.su/
http://roompampamgandish.wtf/
Extracted
formbook
http://www.worstig.com/w9z/
http://www.joomlas123.com/i0qi/
http://www.norjax.com/app/
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
Extracted
qakbot
spx129
1590734339
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443
188.192.75.8:995
24.229.245.124:995
71.163.225.75:443
75.71.77.59:443
104.36.135.227:443
Extracted
danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Extracted
zloader
googleaktualizacija
googleaktualizacija1
https://iqowijsdakm.ru/gate.php
https://wiewjdmkfjn.ru/gate.php
https://dksaoidiakjd.su/gate.php
https://iweuiqjdakjd.su/gate.php
https://yuidskadjna.su/gate.php
https://olksmadnbdj.su/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Extracted
smokeloader
2019
http://advertserv25.world/logstatx77/
http://mailstatm74.club/logstatx77/
http://kxservx7zx.club/logstatx77/
http://dsmail977sx.xyz/logstatx77/
http://fdmail709.club/logstatx77/
http://servicestar751.club/logstatx77/
http://staradvert9075.club/logstatx77/
http://staradvert1883.club/logstatx77/
Extracted
asyncrat
0.5.6A
sandyclark255.hopto.org:6606
sandyclark255.hopto.org:8808
sandyclark255.hopto.org:7707
adweqsds56332
-
aes_key
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
-
anti_detection
true
-
autorun
true
-
bdos
false
- delay
-
host
sandyclark255.hopto.org
- hwid
- install_file
-
install_folder
%AppData%
-
mutex
adweqsds56332
-
pastebin_config
null
-
port
6606,8808,7707
-
version
0.5.6A
Extracted
zloader
CanadaLoads
Nerino
https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php
https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php
https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php
https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php
https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php
https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php
https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php
Targets
-
-
Target
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
-
Size
144KB
-
MD5
9e9bb42a965b89a9dce86c8b36b24799
-
SHA1
e2d1161ac7fa3420648ba59f7a5315ed0acb04c2
-
SHA256
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
-
SHA512
e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8
Score10/10-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
-
Size
355KB
-
MD5
b403152a9d1a6e02be9952ff3ea10214
-
SHA1
74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5
-
SHA256
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51
-
SHA512
0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8
Score3/10 -
-
-
Target
0di3x.bin
-
Size
111KB
-
MD5
bd97f762750d0e38e38d5e8f7363f66a
-
SHA1
9ae3d7053246289ff908758f9d60d79586f7fc9f
-
SHA256
d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158
-
SHA512
d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself
-
Loads dropped DLL
-
-
-
Target
1.bin/1.exe
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
AgentTesla Payload
-
CryptOne packer
Detects CryptOne packer defined in NCC blogpost.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
rezer0
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab
-
Size
524KB
-
MD5
4aa199c19c28cd1d176b7f6ff59bd713
-
SHA1
ec321c45f365ad178bbbef4f873578ffc52b6114
-
SHA256
4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab
-
SHA512
b764a3378677a4d7ceba3d57442b98028581c0c2841bdac287c5caced0f350638a2c1c0a6136873d29627420b208789873c0d5a5ad4d28e3f1e3758e3a12a6f5
Score10/10-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
-
-
Target
2019-09-02_22-41-10.exe
-
Size
251KB
-
MD5
924aa6c26f6f43e0893a40728eac3b32
-
SHA1
baa9b4c895b09d315ed747b3bd087f4583aa84fc
-
SHA256
30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
-
SHA512
3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba
-
Size
183KB
-
MD5
6d2864f9d3349fc4292884e7baab4bcc
-
SHA1
b4e7df23ccd50f4d136f66e62d56815eab09e720
-
SHA256
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba
-
SHA512
dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0
Score10/10-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Suspicious use of SetThreadContext
-
-
-
Target
2c01b007729230c415420ad641ad92eb
-
Size
1.3MB
-
MD5
daef338f9c47d5394b7e1e60ce38d02d
-
SHA1
c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e
-
SHA256
5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58
-
SHA512
d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4
Score10/10-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
31.exe
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
AgentTesla Payload
-
CryptOne packer
Detects CryptOne packer defined in NCC blogpost.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
rezer0
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
3DMark 11 Advanced Edition.exe
-
Size
11.6MB
-
MD5
236d7524027dbce337c671906c9fe10b
-
SHA1
7d345aa201b50273176ae0ec7324739d882da32e
-
SHA256
400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
-
SHA512
e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
Score1/10 -
-
-
Target
42f972925508a82236e8533567487761
-
Size
3.7MB
-
MD5
9d2a888ca79e1ff3820882ea1d88d574
-
SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66
-
SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
-
SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload
-
Warzone RAT Payload
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
42f972925508a82236e8533567487761(1)
-
Size
3.7MB
-
MD5
9d2a888ca79e1ff3820882ea1d88d574
-
SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66
-
SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
-
SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload
-
Warzone RAT Payload
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
Size
669KB
-
MD5
ead18f3a909685922d7213714ea9a183
-
SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf
-
SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
Score8/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
-
Size
80KB
-
MD5
8152a3d0d76f7e968597f4f834fdfa9d
-
SHA1
c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
-
SHA256
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
-
SHA512
eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
Score10/10-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Deletes itself
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
6a9e7107c97762eb1196a64baeadb291
-
Size
209KB
-
MD5
417457ac3e000697959127259c73ee46
-
SHA1
e060125845cc1c4098f87632f453969ad9ec01ab
-
SHA256
d74e9aa01bffcb4944742f93ad5b87d4c057f4faad008f04f7397634fe3f234d
-
SHA512
7e2dac573db052dc03d89499d9e879bc530e94f3d1235898064aa87e99aee8fced1ac4aeeba342b77afd1480e0584a238ad7cd79cdef9c562bb89d65ba365b31
Score10/10-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
-
-
Target
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
-
Size
21KB
-
MD5
6fe3fb85216045fdf8186429c27458a7
-
SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710
-
SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
-
SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
Score1/10 -
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
7Scheduled Task
4Winlogon Helper DLL
2Modify Existing Service
2Defense Evasion
Modify Registry
11File Deletion
4Virtualization/Sandbox Evasion
4Scripting
1File Permissions Modification
1Install Root Certificate
1