Delphi_Wmi_Class_Generator_serial_keys_gen.zip

General

Target: Delphi_Wmi_Class_Generator_serial_keys_gen.zip
Size: 5MB
Sample: 210403-14emqsqbyn
Score: 10/10
MD5: b35b1ec22f3759604a358d03c3b3a310
SHA1: 4c614d6587a4de7c00cde530c29e9dd53f454823
SHA256: 682f4f0bb0f2742de5a6e606770f2cc365eb04e8bac84510777b3d2f3ad145b2
SHA512: b9311e218934454090776c52b8c1b1c174625e9b55532e1362b0ce8b6dcb95d8c9cb41fc32249489cdb62230643e7d89bd9405df01459aefdc170d917260b131

Malware Config

Extracted
Family: azorult
C2: http://kvaka.li/1210776429.php

Extracted
Language: ps1
Deobfuscated URLs (ps1.dropper): http://labsclub.com/welcome

Extracted
Family: metasploit
Version: windows/single_exec

Extracted
Family: smokeloader
Version: 2020
C2:

Extracted
Family: raccoon
Botnet: afefd33a49c7cbd55d417545269920f24c85aa37
Attributes: url4cnc = https://telete.in/jagressor_kz

Extracted
Family: dridex
Botnet: 10111
C2: 210.65.244.183:8443, 216.10.251.121:6601

Targets

Target: Delphi_Wmi_Class_Generator_serial_keys_gen.exe
Filesize: 5MB
Score: 10/10
MD5: 3b024ffc1fdf4ef5bc78fe48d0feb1a0
SHA1: 859b62beef8bc1e7495a6d063d309586163869db
SHA256: 4ff87821343d06ad2d65b085c487f825ca876e368c9367ad57a3d243c2633c81
SHA512: e68746f8a3ba67d83447be76372438512026fe698e5547d310b38f6e8e9d52f2e03492fb66e5687cd969032bcec9fda80dd45dedf0a40f0de7ad1b7d1cec0416

Signatures

  • Azorult: An information stealer first discovered in 2016, targeting browsing history and passwords.

  • DcRat: DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

  • Dridex: Dridex (also known as Bugat/Cridex) is malware that specializes in stealing banking credentials.

  • Glupteba: Glupteba is a modular loader written in Golang with various components.

  • Glupteba Payload

  • MetaSploit: Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • NetSupport: NetSupport is a remote access tool sold as legitimate system administration software.

  • Pony/Fareit: Pony is a Remote Access Trojan that steals information.

  • Raccoon: Simple but powerful infostealer which was very active in 2019.

  • SmokeLoader: Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Taurus Stealer: Taurus is an infostealer first seen in June 2020.

  • Vidar: Vidar is an infostealer based on the Arkei stealer.

  • xmrig: XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Checks for common network interception software: Looks in the registry for tools like Wireshark or Fiddler that are commonly used to analyze network activity.

  • CryptOne packer: Detects the CryptOne packer as described in the NCC blog post.

  • Dridex Loader: Detects the Dridex x86 and x64 loaders in memory.

  • XMRig Miner Payload

  • Blocklisted process makes network request

  • Executes dropped EXE

  • UPX packed file: Detects executables packed with the UPX or modified UPX open-source packer.

  • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    TTPs: Query Registry; System Information Discovery

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.

  • Reads data files stored by FTP clients: Tries to access configuration files associated with programs like FileZilla.
    TTPs: Data from Local System; Credentials in Files

  • Reads local data of messenger clients: Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files

  • Accesses 2FA software files, possible credential harvesting
    TTPs: Data from Local System; Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Checks for any installed AV software in registry
    TTPs: Security Software Discovery

  • Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

  • Checks whether UAC is enabled
    TTPs: System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2
    TTPs: Web Service

  • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
    TTPs: Query Registry; Peripheral Device Discovery; System Information Discovery

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext
