General

  • Target

    56122070a3bdb1f168cbae330d58b9c268700509420d2670ccafd01221b45751

  • Size

    4.0MB

  • Sample

    220725-gnzweshef5

  • MD5

    07c1b94a3b5f00dce9c3ac2196b0e970

  • SHA1

    8625b31a1309e3cf1a8f02bc74157af1735760c0

  • SHA256

    56122070a3bdb1f168cbae330d58b9c268700509420d2670ccafd01221b45751

  • SHA512

    b247773e08251b857729085a720a448a80f4bf59dd0970bcad6c307fe70e2e9061b6f79e10f20ef2d77712d56cb05738e49a507e77f7b19042f40fc08518bee4

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Extracted

Family

lokibot

C2

https://lokipanelhostingpanel.gq/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://verificatcert.ga/evans/fre.php

https://photonewsiq.com/bu/Panel/five/fre.php

http://ilwell.pw/kc1/css/css/fre.php

Extracted

Family

pony

C2

http://extrainformativo.com.au/wp-admin/js/widgets/med/gate.php

http://uluulupetcafe.sg/nweje/panelnew/gate.php

http://mepsb-com.me/solisoft/coreserver/gate.php

Attributes
  • payload_url

    http://extrainformativo.com.au/wp-admin/js/widgets/med/shit.exe

Extracted

Family

formbook

Version

3.8

Campaign

di

Decoy

baoxiaofan.com

bestwaycartage.com

sag-architecture.com

salamcanteen.com

clinicalpsychologistkerala.com

mttv222.com

theweproject.com

fybbracelets.net

vv666h.com

bangfupin.com

arkprojetos.com

realgoaldigger.com

pilotedphotography.com

6zonxm55.biz

gaoduanmi.com

aminahmad.com

bountymarketing.net

christopher-rennebach.com

02xjys.faith

estilomiau.com

Extracted

Family

formbook

Version

3.8

Campaign

st0

Decoy

link23.info

perfecto-intl.com

550194.top

ceoes.com

pill-sure.com

wakasan.info

momweed.biz

dmcee.com

lcltravels.com

onlinexhibition.com

lmdbshow.com

totamedia.com

unitedobth.com

twfitzone.com

whiteandbluemusic.com

businessbuh.site

mihalstkeowntrodquimp.win

jbcmarrakech.com

bbab1.com

realtec-project.com

Extracted

Family

nanocore

Version

1.2.2.0

C2

nzekanze.hopto.org:50945

127.0.0.1:50945

Mutex

4cda8dc2-7153-402d-bf02-946a53eacd5e

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-02-22T04:56:28.410536736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    50945

  • default_group

    May12

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    4cda8dc2-7153-402d-bf02-946a53eacd5e

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    nzekanze.hopto.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

netwire

C2

212.7.208.129:4951

Attributes
  • activex_autorun

    true

  • activex_key

    {W5H5J6SC-J820-0WAA-6G7H-B07JHQR8687C}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • mutex

    LGcSGuSj

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Targets

    • Target

      files/1.exe

    • Size

      587KB

    • MD5

      92e0f4b0b4cb094bda52966982f552a1

    • SHA1

      b0d28c1a06cbdbf41b7f97514b8341bef46706c9

    • SHA256

      f46d3fd6ba2e53f2d510d589f1d1f2792e3cc5ac0e293d3c0ba182ebc0c64c25

    • SHA512

      8e4e5c5b34fb1f1067d7a4990209c7cd3a75c3197a6b50e77512320c92cada0885455870fce93117e18c97213b5e645ace2062f7f0192572e58c3c4f8ffea560

    Score
    1/10
    • Target

      files/10.exe

    • Size

      56KB

    • MD5

      3316d124b26e337d968f1a224b9dbec5

    • SHA1

      c2ee282a3e1205cf19ff28a9e811e5dcd565558a

    • SHA256

      daa68b22e69d67c9f0066b5172aa0a56db69e1dce48a9f916cc84be66e0792f9

    • SHA512

      4cf4dcfca4b3abf3bdfa4f39e2f47e0320c4a8f1582841deec001a7f8c3cb83f2fcc3596730500e02a58d6b83cf17bf8d4e8b59300b4ebed66dbba24a9f9c800

    Score
    7/10
    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      files/11.exe

    • Size

      189KB

    • MD5

      8cf1c74955a561ce883a703b1faff789

    • SHA1

      14ffa74eac88ab864f68973ab3c748c143f4f84e

    • SHA256

      63eca8a02459496ca30e77bd24c25e3fc7513a886f7f7cb5e2c6978ba5d75e29

    • SHA512

      af20b6c77507164009d48b78809b87f0b46e69cc3ca589966c10af45d43a5f17cfc10285365cbd27352ef9ab28cc07c1f449d1e469ac94e43d2641629263b54c

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Modifies WinLogon for persistence

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      files/12.exe

    • Size

      32KB

    • MD5

      7cf3aecad9d39a53f50786d6a8027029

    • SHA1

      fb29cbd768bd1f8f3de4ad7e7e0d59266b51717b

    • SHA256

      fff353843eb081d94aac5c048c7cbc41e62ecd476a2cbee970066199f81afdaa

    • SHA512

      92df490a3e12087578d3d29cfe91e057aacbaa621e21484dc7f6867976536353d3f91ebc2d7aef644d8b345f9ba09ab07ca21811e2ed915cd131aab80c86a643

    Score
    8/10
    • Target

      files/13.exe

    • Size

      550KB

    • MD5

      1ab0e5e724ed825791af685cef1bba4a

    • SHA1

      6c636e5d996c34020bf69bf0247c65fc5a156870

    • SHA256

      5ce17a2507528630348f999bd97c37f25c110e148689bd92dc58b8f6790b2c78

    • SHA512

      f122e0a39359ffbbdfc99232412a32b76cbd892ca95bce9a3796a366d3565ecc82e597ab1224bba6ad329ee9a6bf84d91c107c9394948eb04fd42800506a0963

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      files/14.exe

    • Size

      632KB

    • MD5

      cf123d2f8c6cf7a88472483607163eb5

    • SHA1

      7f15a558d3d63d689d754d3cea804b9ebb79c50b

    • SHA256

      f11ce5b6edfa6ee04b2334cb820f03fd99df64185daf857f4a241653ef2f1a64

    • SHA512

      9b9bb092d139447df86a8286dae1907f56e624e0324ec693e9f91c1b0f2e25041e3187fe44ae618b6cdf35715373ff05b5825d416fb9d858bf265b44cb26ed6d

    • Formbook

      Formbook is data-stealing malware.

    • Formbook payload

    • Deletes itself

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      files/15.exe

    • Size

      615KB

    • MD5

      147d68f27c2a0f9babd0b425dabc8a18

    • SHA1

      98f0e21df059931e3fd50b06a494d19ebced3963

    • SHA256

      5b2b78d61f6460bb5b5b3b21ae238327786192a2339015db4f3f7b0afcb5e36b

    • SHA512

      49d9710a97532e65e67628d116ba35200e27327c9ae8bff995c347a0774095b97fc28ec5d805d0cff42541969c33b88a22aeffc86cf9249675646ddbe65d4532

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      files/2.exe

    • Size

      632KB

    • MD5

      d41280a6e0d472497a8786e84ca35eb4

    • SHA1

      a064b75867d0fd14f4bd4f28aa1243ff0031f0b5

    • SHA256

      e857e4a4ef4ff78fd220ba78a5bff8bd68ef7d944f24aba2276ec057a7667f31

    • SHA512

      86f196b581f6b7c524e1176495d8ed8a14a5267e4df0c7b6a06173a1108c3f1635d81b9ba0313ec719156e2ff0803f5c66c3406b9adec5ec9b5f5c54c969563b

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      files/3.exe

    • Size

      636KB

    • MD5

      5e1e0f573490a4d5e3daed2b4ef597cf

    • SHA1

      14a3833a1a3788f9869cfec18bf0f5e96fd6582b

    • SHA256

      c6cc9eb1d60c3e355950bdd5e54f87f2d3536d6e36a6283d83fb218ef30c1801

    • SHA512

      1e0193f1d422f1c6c85f0830221cebead9cffeb602ce91f4731d47ea84255c1cd6c2974d2c0f0d49d16fc77d2b9466a12e8d20bdd562c9cd99f9980662a604bd

    • Formbook

      Formbook is data-stealing malware.

    • Formbook payload

    • Deletes itself

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      files/4.exe

    • Size

      13.3MB

    • MD5

      3506d61924caf464f2504d3e330ba11e

    • SHA1

      4472cc23b5e7860a8fd5d371152ab92c263273f4

    • SHA256

      8810286390803f16cf848691b51bfc92b21ace6a537503a86bc3ed497d579f2c

    • SHA512

      cf9009cf2a56b7d611f268c3931e85ac99b3a22e3461d1bb492e114cd198d108f9e269f4a12b2cb03985ebf6a7dbe404334176e1530e7282b653b82ca586634f

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      files/5.exe

    • Size

      634KB

    • MD5

      115e42b9f0329ccbc4c9149d6d3a6277

    • SHA1

      c8dae001f0e0ba2a9ec5c2e39115a264954add7d

    • SHA256

      59e99a443adbbec76e5f51f3599a9df4c6e2e3950e00b6f6da725c18160458df

    • SHA512

      96efa75c263a64e32f5a41356167af85760a23ee1ab76d9b4eda5d3e3b3fb2642e722174bf2359a984e8dba3bef1691bc1c2d7eae54794e4cf677755c7224258

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      files/6.exe

    • Size

      552KB

    • MD5

      713e8df6bd82d3260543d0d969905d5b

    • SHA1

      e0fb35f6f3672d51140dc240ae23e627a4043a0f

    • SHA256

      a100ce0a67c5890bcc38d2b6e30f9164dfe266126ec40a2fd7eb8e941dc7d025

    • SHA512

      47e75a0604ec838992b9e9a552c7727c6902a8b0627b9f254f2ca9ae1fa70f5762895e94e32b40b3a2a1dfe0246043dd4ad4cb983a0bac7546275189c5375953

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      files/7.exe

    • Size

      606KB

    • MD5

      04e3d309e2a400b3f582d264968d6c9f

    • SHA1

      8c8fa00ce7de7e160d5c66ba254b768860ac90b7

    • SHA256

      192a44548a2f3094eb7ad10e775caca07417d2f9525d8a6941e154872860e20a

    • SHA512

      c0ad455b4dc0e16dc0eda9e77b28e057649272dd4cda50df9c07bf541a68d7949e60177cfbb6d826421fdc784f4c9363d72834d39a70992721c23ad9a149a669

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      files/8.exe

    • Size

      1.1MB

    • MD5

      462b767e71149ee7d99e089a3666134f

    • SHA1

      a562e803e316f62dcb888fca2776ccaff856f087

    • SHA256

      798fef99b6daee1950dd12f5f42980e1c6ce8a9729619556238f14a20da274fc

    • SHA512

      b07ca68ae9cbf0b7800377a7791d2d75a6345f6119b9053917bc1ea1e3dfd2517c2ba8f1465595f3ba629e5346bc6dc7cd2e7975d959abf323180d07e09cd7e8

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      files/9.exe

    • Size

      225KB

    • MD5

      d6cabf8ccf6234a76fef52b30f60e798

    • SHA1

      f1f351318f77fe80d1191e238127776a2066ce6c

    • SHA256

      f2ec4e6c59e621e82f6e0f8e683f4a525c498041a272011d0c3772d6716c5317

    • SHA512

      5d830240d0bce8005f9c598c0a54ed721989de40b35a325b7db257f48701e1fd64c8a1eca617e9f71acd294c362ceeeb78fc56af7a115531eec635fe5d0fc2b7

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

2
T1064

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

4
T1060

Defense Evasion

Modify Registry

7
T1112

Scripting

2
T1064

Credential Access

Credentials in Files

9
T1081

Discovery

Query Registry

7
T1012

System Information Discovery

11
T1082

Collection

Email Collection

10
T1114

Data from Local System

9
T1005

Tasks

static1

infostealer m00nd3v_logger hawkeye_reborn
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
7/10

behavioral4

Score
7/10

behavioral5

lokibot collection persistence spyware stealer trojan
Score
10/10

behavioral6

lokibot collection persistence spyware stealer trojan
Score
10/10

behavioral7

evasion persistence
Score
8/10

behavioral8

evasion persistence
Score
8/10

behavioral9

pony collection discovery rat spyware stealer
Score
10/10

behavioral10

pony collection discovery rat spyware stealer
Score
10/10

behavioral11

formbook di persistence rat spyware stealer trojan
Score
10/10

behavioral12

formbook di rat spyware stealer trojan
Score
10/10

behavioral13

pony collection discovery rat spyware stealer
Score
10/10

behavioral14

pony collection discovery rat spyware stealer
Score
10/10

behavioral15

lokibot collection spyware stealer trojan
Score
10/10

behavioral16

lokibot collection spyware stealer trojan
Score
10/10

behavioral17

formbook st0 persistence rat spyware stealer trojan
Score
10/10

behavioral18

formbook st0 rat spyware stealer trojan
Score
10/10

behavioral19

pony collection discovery persistence rat spyware stealer
Score
10/10

behavioral20

pony collection discovery persistence rat spyware stealer
Score
10/10

behavioral21

lokibot collection spyware stealer trojan
Score
10/10

behavioral22

lokibot collection spyware stealer trojan
Score
10/10

behavioral23

Score
6/10

behavioral24

Score
6/10

behavioral25

lokibot collection spyware stealer trojan
Score
10/10

behavioral26

lokibot collection spyware stealer trojan
Score
10/10

behavioral27

nanocore evasion keylogger spyware stealer trojan
Score
10/10

behavioral28

nanocore evasion keylogger spyware stealer trojan
Score
10/10

behavioral29

netwire botnet rat stealer
Score
10/10

behavioral30

netwire botnet rat stealer
Score
10/10