General

  • Target

    3.zip

  • Size

    13.3MB

  • Sample

    210730-qq3swj6yjj

  • MD5

    5b94016ad9b8f7e20e15a485c2ebd589

  • SHA1

    6a93b9f4229cf2d2b27058777440ed194bddfa49

  • SHA256

    d1933850d05d345bc57356333ebe41446a5e1f7a7b09626a6906202f174852c1

  • SHA512

    5e9b90cd397459ac6b622783a1453af459d76cbc4f5b2d5533bf05b645b0bb739d92afcd95ce8a494c3ebf7cf041e6fdb8dd0bd22090a24da54ef9fe3102c482

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.alruomigroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    HpabZXh7
C2

https://api.telegram.org/bot1635424534:AAEmSdFTyNmSh6Kk0U8EAlLQQg5g_gOyE74/sendDocument

Extracted

Family

cryptbot

C2

wymesc72.top

morjed07.top

Attributes
  • payload_url

    http://hoftsi10.top/download.php?file=lv.exe

Extracted

Family

cobaltstrike

C2

http://softzbh.com:443/jquery-3.3.2.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Referer: http://code.jquery.com/
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

formbook

Version

4.1

C2

http://www.prospertraining.info/ymmi/

Decoy


Extracted

Family

smokeloader

Version

2020

C2

http://custom100.ru/

http://other191.com/

http://custom300.com/

http://600other.com/

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

2.41

C2

ama529.ru/gBcskbwWs/index.php

amaad100.com/gBcskbwWs/index.php

900ama.com/gBcskbwWs/index.php

Extracted

Family

lokibot

C2

http://185.227.139.18/dsaicosaicasdi.php/IDEUeAngcojy8

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

xloader

Version

2.3

C2

http://www.lazz.life/mm8v/

Decoy


Targets

    • Target

      15becbaa3657b788030771ccb6072e63f14728533aac9f1dcfe2cf89ebdac51f

    • Size

      26KB

    • MD5

      facf63137dbdea9cacefa9ec4daa3f00

    • SHA1

      eb63911b6cee65a41d7b5493bf2c30ef60b78800

    • SHA256

      15becbaa3657b788030771ccb6072e63f14728533aac9f1dcfe2cf89ebdac51f

    • SHA512

      68cf68f5e851b2a5f073741c375b9e347bf7e7eed5071106effa2ca83d180a61f54d49206093569f8c2b188a872a2a9c1a17bb1f00b37d293599679b5b8da19b

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      Nuovo ordine .exe

    • Size

      847KB

    • MD5

      c59677e174a469869400d73ef00bb6e3

    • SHA1

      c5dd150a844d4f51c18629948def7e7cb6c1452d

    • SHA256

      dc2768ccfc25f2dc8a57db7a9c9ddd4532fc6044ffd9419c96cdf6e0251e7823

    • SHA512

      52009a1cf4f97826ee86e8b48b79f62be2929ad871037cc34fb6dff7a7b37b75c513136b0d385256bbada7722721f7cf3e4024b442494f9aceca850ce26db6cb

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      189d5314ce773d4497cd2c8aacc99f939bbc32c188d9db8a09e12005ae6e2b44

    • Size

      68KB

    • MD5

      dad721da7c429de8bc412c33a1354651

    • SHA1

      9e8747675a2d257e581cc9cc7e55a8530ba536e4

    • SHA256

      189d5314ce773d4497cd2c8aacc99f939bbc32c188d9db8a09e12005ae6e2b44

    • SHA512

      9322eeac13146a47c9624a1e72fd2a91018dff52b8ed3c71b13d1d581754e923e5276a18ea3ab2dc6a6f52a1a439f79adc0792ba1035cb11e85823596604f6fc

    Score
    1/10
    • Target

      18ccb7df2f91787a9392bf60d2f7019c86af65584c8a9c4846dee62e3240912a

    • Size

      647KB

    • MD5

      cdf94f8f45a48e6092f6265304b71aa9

    • SHA1

      90ab6d5b9e2882a4b0f5f60e929170bbcd6c5283

    • SHA256

      18ccb7df2f91787a9392bf60d2f7019c86af65584c8a9c4846dee62e3240912a

    • SHA512

      e635c8dc0c23438d7bc9193238187403a61fae05e90f2ab3cf534278b2c6b5d0dca278518ab18583105b82140a3001dd38d37425dc249848fc1fc51fa956cc64

    • CryptBot

      A C++ stealer that is widely distributed bundled with other software.

    • CryptBot Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1b11ae98b85bb0645abe36adcd852e6e84b51c6b5c811729f3c19f14f32d4e4f

    • Size

      380KB

    • MD5

      3a11f98d3d4fb8df67c97dc1bd06ff2e

    • SHA1

      c3e206b0babe20ffd9663a4e28272ef6c24bab8a

    • SHA256

      1b11ae98b85bb0645abe36adcd852e6e84b51c6b5c811729f3c19f14f32d4e4f

    • SHA512

      bbc4bf5b0d7d4a303f19f33f7065fc2ca2c40590baf8a7d7994344c8f1c76f2e756ed5892f36b1743546ba2460e13f599825b551306a3773cb9570f6bc626d52

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of SetThreadContext

    • Target

      204591aa6d44da7eef69d7ee3d32a9b4cb8e405a575fc3cbcf2d5e0217879cb8

    • Size

      854KB

    • MD5

      7a15c195fb598e46a7d8ecef14ee24ee

    • SHA1

      670daee05f85f7c30030bd12ae6dbb5c5bcce1cf

    • SHA256

      204591aa6d44da7eef69d7ee3d32a9b4cb8e405a575fc3cbcf2d5e0217879cb8

    • SHA512

      6b61a8931cb939c35e6fe3120cc6a32305d413497f5723444439b26dbfc5246f33dbc817c410270f022ee0d23f33ba29e20ef3c01784edb60ec2d3e213c7bebc

    • Target

      2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff

    • Size

      614KB

    • MD5

      028bf5bc572cf06e10c315334c397649

    • SHA1

      cf69c58a4e35b7290af44ec658edc3582655f84d

    • SHA256

      2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff

    • SHA512

      cda1ba7ed4e86e60bb83bc1c71ec51c57b5f676622c3daf067d3c04e176ff2709417bc0ec2fbade98f5140e077eacffc0e54cbf1415f2c7f45caac9ce20e929c

    • Formbook

      Formbook is a data-stealing malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Suspicious use of SetThreadContext

    • Target

      2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9

    • Size

      514KB

    • MD5

      2abdfeb9090ff090ae9db0a5559e09c7

    • SHA1

      4925d41d6db6e3f47250be8cdc21bb1548c7261a

    • SHA256

      2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9

    • SHA512

      e11be9b4828d3fbb39bbf7dcf673fb4e5facef5ee6b9e023feb2c75bc6be7cdb52994151074dfb5008123fd533b6b6978af7b0d94231da088cee307a88293ceb

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Blocklisted process makes network request

    • Target

      4fd784c26daf0b1877d7ffd53710b7312d89c8af0f3e640c1584d238e7e68949

    • Size

      951KB

    • MD5

      bdbc972b35f56a3d6ee884adafe8bf8a

    • SHA1

      0d64630e7013645bfa3d9c8191363c7c6b6fd860

    • SHA256

      4fd784c26daf0b1877d7ffd53710b7312d89c8af0f3e640c1584d238e7e68949

    • SHA512

      93ad7a6c4b44c9e1edb0bee5221aeccce0352c34019bdaff8151095db69e86e671bde6c62c8de4326816a8e75f88366bb8a8245983c332b510b4ffde417ddc95

    • Target

      553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f

    • Size

      158KB

    • MD5

      7456214bc55be7cc872f065ebe8af1b1

    • SHA1

      94fcad942bc030f7c8e0f7665ab995a47db7a06c

    • SHA256

      553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f

    • SHA512

      5b0afcb86716c3e487a2351a118e0ef6f4944715a8e862054a30e588ed5029cd50a3b58c2c9331e72cf5ba47ca781fe87b26c3699958b283f1638e7b4cfa8128

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE Amadey CnC Check-In

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Target

      5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d

    • Size

      1.1MB

    • MD5

      8f216511aa115a119ee15a10d067e8f2

    • SHA1

      dcd717e5262762b11d1ffe2465c4bce71bf44d18

    • SHA256

      5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d

    • SHA512

      bded5745f20238edd1ab90aa6729e9494b8cc3269107058747a47797aaeea2730ca08edf6173497c74e214f81d3f3af405e5921ea2b3bf516cddfbb08dd94106

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Target

      62742e4698b352658390b6b4f5088ddebb673503d5a4151f19c2face25932210

    • Size

      115KB

    • MD5

      21e6f4fefdf70039a9160ca04a388389

    • SHA1

      8c12b3bafd5afeb9966bd91ae87e94d73b321ba4

    • SHA256

      62742e4698b352658390b6b4f5088ddebb673503d5a4151f19c2face25932210

    • SHA512

      2608da1dd4e4d48f2bd83885ce599dde40eb09466e78c3edc933100d325ab4cee6ae9488afda3c22d7e75c3f74e9fe63526309a8322b8d98da73e7c637ba2731

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Suspicious use of SetThreadContext

    • Target

      6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b

    • Size

      629KB

    • MD5

      401dd1e7907e4e7f7cc2c5bbb958df9d

    • SHA1

      39b943e797c7a932f4a65a7d8f90bea31e0d7c05

    • SHA256

      6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b

    • SHA512

      27c9aa747bf843cb49a253253f8055cf2d856258294582e5ba1c7b6548b003ee56b37f5eabaaae9578c98784dce8011271e01be97d2dab752855b3244be7e069

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Suspicious use of SetThreadContext

    • Target

      69a43a40f02660c2065fe3b76861dab28cc292301c180f1eafbf6c3f7b57afe5

    • Size

      1.1MB

    • MD5

      1735796a48ffa604112d7e14856a594c

    • SHA1

      ee60792f75050256e850d3e4330327e0c51c951c

    • SHA256

      69a43a40f02660c2065fe3b76861dab28cc292301c180f1eafbf6c3f7b57afe5

    • SHA512

      0eae5f9dc4a14122f76195cc66d4e5f985dbd2ba27062c8e6c5afd333fcc8ec4b9b21cd1385fe55ab95789e9ee34d11657fa3dd7c18926c7e3e557860fcd3e74

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7

    • Size

      887KB

    • MD5

      8edea84854ac21f8a056f647d010fd0d

    • SHA1

      3f328de3b2df09e90ef319fe0dacc7dfb585a831

    • SHA256

      6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7

    • SHA512

      3836df64e8624248e111d30aa1c665e229d24c9fe0877543156e58d932d6ed1b692c61bc9aa1c74b7b2ab33f19d7cfedbda5193d13d5f8478ca77ad998a5b38a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      6db4bb653b7dc11b7cda176c18697d9b2a758b2e1de9b83e3804dce2fbc8ba97

    • Size

      650KB

    • MD5

      a4a5060b5ecca405641bb1f3ac0052fd

    • SHA1

      0a304bae725613656099f5f8399a41ad6c1c744f

    • SHA256

      6db4bb653b7dc11b7cda176c18697d9b2a758b2e1de9b83e3804dce2fbc8ba97

    • SHA512

      2048da4b0cfcddaeb19eccd3a06bd28f1360eeb3106b095c16d38cf5170a05a3bf9ff6fa13a660db3ba878bebffb4a240ef13edc3afc10ec34140a964ba79010

    Score
    3/10

MITRE ATT&CK Enterprise v6

Tasks

static1

a310logger
Score
10/10

behavioral1

spyware, stealer
Score
7/10

behavioral2

spyware, stealer
Score
7/10

behavioral3

agenttesla, agilenet, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral4

agenttesla, agilenet, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

cryptbot, spyware, stealer
Score
10/10

behavioral9

cryptbot, discovery, spyware, stealer
Score
10/10

behavioral10

cobaltstrike, backdoor, trojan
Score
10/10

behavioral11

cobaltstrike, backdoor, trojan
Score
10/10

behavioral12

agenttesla, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral13

agenttesla, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral14

formbook, rat, spyware, stealer, suricata, trojan
Score
10/10

behavioral15

formbook, rat, spyware, stealer, suricata, trojan
Score
10/10

behavioral16

cobaltstrike, backdoor, trojan
Score
10/10

behavioral17

cobaltstrike, backdoor, trojan
Score
10/10

behavioral18

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral19

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral20

amadey, smokeloader, backdoor, suricata, trojan
Score
10/10

behavioral21

amadey, smokeloader, backdoor, suricata, trojan
Score
10/10

behavioral22

bazarloader, dropper, loader
Score
10/10

behavioral23

bazarloader, dropper, loader
Score
10/10

behavioral24

lokibot, spyware, stealer, suricata, trojan
Score
10/10

behavioral25

lokibot, spyware, stealer, suricata, trojan
Score
10/10

behavioral26

xloader, loader, rat
Score
10/10

behavioral27

xloader, loader, rat
Score
10/10

behavioral28

agenttesla, evasion, keylogger, spyware, stealer, trojan
Score
10/10

behavioral29

agenttesla, evasion, keylogger, spyware, stealer, trojan
Score
10/10

behavioral30

agenttesla, evasion, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral31

agenttesla, evasion, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral32

Score
3/10