General
-
Target
1.bin.zip
-
Size
12.5MB
-
Sample
220421-cy7xkahgcr
-
MD5
b0f9f99051935522de89e43cfab1f609
-
SHA1
c2749569ee7744fc7e03d149bec33bcf005ea5d9
-
SHA256
396007e9ec9b5959369bfbb175d43cf8f734140aad3075332da443c0cf733f50
-
SHA512
af9ede003f79402ef466b1cc81d842ea68949f0dcd146a181ed70517e27a2660decd05d64a547fce73faa26eb9354805545afe7a715d30381a4226b1a71310cf
Malware Config
Extracted
gozi_rm3
-
build
300869
-
exe_type
loader
Extracted
gozi_rm3
86920224
https://sibelikinciel.xyz
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
Extracted
raccoon
7765746aa9cb9b6c88bb5a7789286d92b104fd16
-
url4cnc
https://telete.in/blintick
Extracted
guloader
https://onedrive.live.com/download?cid=8D14D74EB13B02D0&resid=8D14D74EB13B02D0%21161&authkey=AAzCpAsT_Jf9zKg
https://drive.google.com/uc?export=download&id=1ELoiNSVTziaBatbVNZQWxal_RsriCCrt
http://ffacscs.ug/nw_kUILGeMGK73.bin
http://blockchains.pk/nw_kUILGeMGK73.bin
https://qif.ac.ke/flow_AoGPhiVz245.bin
https://onedrive.live.com/download?cid=46B98FE6F0D79519&resid=46B98FE6F0D79519%211842&authkey=ANcfRm-0LjxFJQY
https://drive.google.com/uc?export=download&id=11NAZslAWBWkK1b4dFviELvvgWl48QHr6
Extracted
formbook
4.0
w9z
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
Extracted
qakbot
324.141
spx129
1590734339
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443
188.192.75.8:995
24.229.245.124:995
71.163.225.75:443
75.71.77.59:443
104.36.135.227:443
Extracted
danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Targets
-
-
Target
1.bin
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
AgentTesla Payload
-
CryptOne packer
Detects CryptOne packer defined in NCC blogpost.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Formbook Payload
-
Guloader Payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-