General
-
Target
https://anonfiles.com/R1G9Zc79qe/Malware_Testing_rar
-
Sample
210302-pzhrrgvnls
Malware Config
Extracted
metasploit
windows/download_exec
http://172.98.192.214:443/cSVlo1FeFAInvJDJkZ9P99GLwSTqIGUF
Extracted
lokibot
http://becharnise.ir/fb2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://pitr0s.com/DJ/luck/fre.php
Extracted
systembc
fb01ddd.com:4039
fb01ddd.xyz:4039
Extracted
snakekeylogger
Protocol: smtp- Host:
server255.web-hosting.com - Port:
587 - Username:
dakbooks@janrytwo.xyz - Password:
rK(gSd%NWaQ@
Targets
-
-
Target
https://anonfiles.com/R1G9Zc79qe/Malware_Testing_rar
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload
-
Dave packer
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Stops running service(s)
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-