Overview

overview

10

Static

static

10

7.0.0.0.exe

windows7-x64

7

7.0.0.0.exe

windows10-2004-x64

7

ILMerge.exe

windows7-x64

1

ILMerge.exe

windows10-2004-x64

1

pack/AbPmX.exe

windows7-x64

10

pack/AbPmX.exe

windows10-2004-x64

10

pack/AcAoB.exe

windows7-x64

10

pack/AcAoB.exe

windows10-2004-x64

10

pack/AdEXN.exe

windows7-x64

10

pack/AdEXN.exe

windows10-2004-x64

10

pack/AeCKK.exe

windows7-x64

1

pack/AeCKK.exe

windows10-2004-x64

1

pack/AeSRJ.exe

windows7-x64

7

pack/AeSRJ.exe

windows10-2004-x64

7

pack/AfDTM.exe

windows7-x64

10

pack/AfDTM.exe

windows10-2004-x64

10

pack/AfMaR.exe

windows7-x64

10

pack/AfMaR.exe

windows10-2004-x64

10

pack/AfZcW.exe

windows7-x64

10

pack/AfZcW.exe

windows10-2004-x64

10

pack/AnWLP.exe

windows7-x64

1

pack/AnWLP.exe

windows10-2004-x64

1

pack/AnZNZ.exe

windows7-x64

10

pack/AnZNZ.exe

windows10-2004-x64

10

pack/ApRnS.exe

windows7-x64

10

pack/ApRnS.exe

windows10-2004-x64

10

pack/AqDpY.exe

windows7-x64

1

pack/AqDpY.exe

windows10-2004-x64

1

pack/AsNMX.exe

windows7-x64

1

pack/AsNMX.exe

windows10-2004-x64

1

pack/AwHQZ.exe

windows7-x64

10

pack/AwHQZ.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pack.7z

  • Size

    21.5MB

  • Sample

    220810-m31n6abbf8

  • MD5

    7db1fe010858843c6c24bfe2ba0b8954

  • SHA1

    6924d33e7a785c37ce9b86a3c235a4c285502372

  • SHA256

    7bb432c0ac0cf65de6c795685a41b1478f9d979e2b05bd9c8fb11725f9942e01

  • SHA512

    71f0d23b5298ce30c14d407cbf01636c07048c0ccd28cf0c55aa1bdf2b29e7e0598d063cd0ade4ce07209cccd5b45232b26b201db70afca6dc20bfff6cb7ac33

Score
10/10
agentteslaasyncratbitratblustealerformbooknanocorenetwirenjratorcusquasarraccoonredlineremcosstormkittyxloader48b666ccdcdf3511c5b4921dc5f7b868andrewcheatdefaultdoctordolevzmsmpengmybotoffice04remotehosttelespammer1de29f48yjn86uu0pagilenetbotnetcollectioninfostealerratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.168.1.4:6606

192.168.1.4:7707

192.168.1.4:8808

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

141.98.6.228:8808

xeirz.ddns.net:1604

192.168.1.2:6606

192.168.1.2:7707

192.168.1.2:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

redline

Botnet

cheat

C2

109.206.241.81:55527

ponchikvps.ddns.net:1337

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

192.168.1.4:8848

aka1.ddns.net:8848

aka1.ddns.net:8828

aka1.ddns.net:1616

aka2.ddns.net:8848

aka2.ddns.net:8828

aka2.ddns.net:1616

aka3.ddns.net:8848

aka3.ddns.net:8828

aka3.ddns.net:1616

192.168.1.7:8848
Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5449766717:AAHzRorvKI5URgvleGHlq6ZvqElY68-XL18/sendMessage?chat_id=1293496579

Extracted

Family

netwire

C2

37.0.14.206:3384

ponchikvps.ddns.net:3677

ponchikvps.ddns.net:3360
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5520247480:AAEoBq-eVV-KfON2FKSf_2riekCozVDdnus/sendDocument

https://api.telegram.org/bot5160627201:AAFqhXgzctTZMSuR7dIpLe50dmHi1xpPyYQ/sendDocument

Extracted

Family

formbook

Version

4.1

Campaign

f48y

Decoy

7772214.com

pinsmakers.info

organicspoonful.com

kxza1.xyz

panacuraconversion.com

hkgst.net

roguemd.online

klm6.net

mercantilegrub.com

sighthoundsavoy.co.uk

wintergedichte.info

kave22.com

benidias.uk

beautysuggestion.com

flightfright.com

ying1388.com

nattyssweettooth.com

motorads.uk

918eacequiamadre.com

x5ln3.xyz

Extracted

Family

bitrat

Version

1.38

C2

192.168.1.4:12

eichelberger.duckdns.org:7744
Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    Install path

  • install_file

    Install name

  • tor_process

    tor

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

dgever.ddns.net:1604

ponchikvps.ddns.net:6522
Mutex

cac8839188c03ea55e36819553cd7507

Attributes
  • reg_key

    cac8839188c03ea55e36819553cd7507

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

remcos

Botnet

msmpeng

C2

191.101.30.16:4444

securewebareaxxx.ddns.net:4444
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-08LKIV

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    svchost

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

formbook

Version

4.1

Campaign

de29

Decoy

sacredsong.net

talleresdemecanica.com

ezcdn285.net

sellingyourcloset.com

aplicativoparaempresa.site

diouma.online

mypets.place

piksel3d.online

specauto.care

crctm.net

teenpornbb.co

travelhorrycounty.com

sean-dodd.com

atlasvle.site

relocationtx.com

experiencias.pro

wnndh.com

i-memorial.com

d2w2e361f357a2vfay2og.xyz

nginx.host

Extracted

Family

orcus

C2

xeirz.ddns.net:1604

Mutex

aeab5a7c6ed742ff8f5b15b26bac10a6

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Extracted

Family

raccoon

Botnet

48b666ccdcdf3511c5b4921dc5f7b868

C2

http://5.253.84.117/

rc4.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

109.206.241.81:4782

Mutex

d695f8ee-15de-4e23-9b75-4d53bcab9c01

Attributes
  • encryption_key

    1604B933367CFC643050158C7CDFCA5B18F1F19E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

remcos

Botnet

DOCTOR

C2

185.222.58.111:5355

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    PerfLog.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GC26TV

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    PerfLog

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

RemoteHost

C2

37.0.14.206:3352

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Remcos-SSCE3Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

xloader

Version

2.6

Campaign

uu0p

Decoy

easeupp.com

ffffcc.xyz

commercialsymposium.com

bahamascargologistics.com

avajwelr.xyz

flipwatch.xyz

serprobumar.com

zlasher.store

zxlsn6.com

xiaojiaowanwan.com

hrkpacking.com

visitprnow.com

stkjzz.com

printfusion.net

blackoakssavannah.com

yuiseika.com

watnefarms.com

oneclickmsp.com

niu-tou.com

wholytraffic.com

Extracted

Family

nanocore

Version

1.2.2.0

C2

timmy06.ddns.net:28286

127.0.0.1:28286
Mutex

7089eeb0-6b9e-441d-ba36-b1625eb8df78

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2022-05-09T11:31:15.610207936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    28286

  • default_group

    JULY 2022

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    7089eeb0-6b9e-441d-ba36-b1625eb8df78

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    timmy06.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

redline

Botnet

TeleSpammer1

C2

65.108.209.36:36162

Attributes
  • auth_value

    944996cfdb320d3f737fb63253ad2af3

Extracted

Family

remcos

Botnet

Andrew

C2

185.222.58.111:5355

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    PerfLog.exe

  • copy_folder

    Remcos

  • delete_file

    true

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-2BHLXE

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    PerfLog

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

formbook

Version

4.1

Campaign

jn86

Decoy

yzeym.top

bettymassage.co.uk

zvzac.com

eventscomparison.xyz

ybzgh.com

3618shop.com

sosoicey.com

sundancerenewable.com

whorephotos.com

zamawiamy.online

idmtoucan.site

home-visites.com

maxtesler.website

terilio.net

aaemp.com

linksy.site

hairurge.com

lizzo.ltd

ukmcqc.co.uk

coolerzap.net

Extracted

Family

quasar

Version

1.4.0

Botnet

dolevz

C2

xeirz.ddns.net:1604

Mutex

601aeefd-4173-4fb6-a6a3-5c54ed74afab

Attributes
  • encryption_key

    B96CFB0B9E6C92FCB3C6AB35C7338CDEC4993B7C

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      7.0.0.0.exe

    • Size

      6.4MB

    • MD5

      514ca6348b6d29069d6b436fc1f1c159

    • SHA1

      ebd3d2d7924b78a165eb2d689eae5ff90c709e01

    • SHA256

      35b846afc6bf51292d8a401a68a24a0e36d131d7798ceaa8713f08b6942fe0b5

    • SHA512

      e51f635718f021f5f238b2510c8e7b99b57318cbcbae09773ea123c275f48156f6ca76be6aaea7901a6d7351d54aa8486dbcd01160a18082c59fb09211ab533e

    Score
    7/10
    agilenet

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet
    behavioral1behavioral2

    • Target

      ILMerge.exe

    • Size

      668KB

    • MD5

      2bb6322885e6ca0986206de174e842c9

    • SHA1

      c5ea70169106d32bc513d28ea76ae8ea1e49380b

    • SHA256

      8110d740b485bcb06ff406b17001714c3a146fe6517098c9dc90d812b83389fd

    • SHA512

      9750180c54a5bd8f0e1fa8a8f529364430f2ef444efbf8ac51e8d2a0aaa4e3d21fe553865ba8567c7c19e4ae84d04b20464f391743e88c52c00cac0bf20fc2a7

    Score
    1/10
    behavioral3behavioral4

    • Target

      pack/AbPmX.exe

    • Size

      45KB

    • MD5

      a23c5f26bb7a11952d408d99242e5c06

    • SHA1

      0712a50bbb25a1803df9e9f7fd195ed86f54d1a7

    • SHA256

      d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0

    • SHA512

      4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Async RAT payload

      rat
    behavioral5behavioral6

    • Target

      pack/AcAoB.exe

    • Size

      95KB

    • MD5

      0ec54c61531a22e6ccc517293d137d67

    • SHA1

      4bc1bb4273cbefc10efbae5e55a03f4aaba624ab

    • SHA256

      98049233378275be99a475de751e30042eee539f0644fbc0cd84b041aaab2396

    • SHA512

      0bf6b2ee458083ed74f4954e308dd5742fd31b269dd757af507be9ab821b2833de46bbc532854719c9cf7acfbf0fac995a86d580f13d7f82cee9b5d0a6790ec8

    Score
    10/10
    redlinecheatinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    behavioral7behavioral8

    • Target

      pack/AdEXN.exe

    • Size

      45KB

    • MD5

      a23c5f26bb7a11952d408d99242e5c06

    • SHA1

      0712a50bbb25a1803df9e9f7fd195ed86f54d1a7

    • SHA256

      d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0

    • SHA512

      4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Async RAT payload

      rat
    behavioral9behavioral10

    • Target

      pack/AeCKK.exe

    • Size

      15KB

    • MD5

      a29ccdfe75b6d00c5af0d219040ec8fa

    • SHA1

      056a8309ed4c51c11d841c136e8e9d4d40b0c347

    • SHA256

      27a5e7226e99dfd6f1940565c19e61efcf4047085693b2c8c46e5ce843c1e943

    • SHA512

      229bdf1ab0a6761cc72edf5f78d6da02f5219cc5863b15ec1883fc531ba04df6a661b650cd10c5fcc9d6e5d473775b19f00442edcaaf664a18140dc5bc2e830c

    Score
    1/10
    behavioral11behavioral12

    • Target

      pack/AeSRJ.exe

    • Size

      5.3MB

    • MD5

      95c9c83e4d5f20a4bd8a5354cec20d27

    • SHA1

      4f75dc7c374a15026bc3e557d5849d8f27414971

    • SHA256

      ae8b777d1cb934b3f9badd12d3599c739aa7b8972f99b48a5ba668866e34fff4

    • SHA512

      72c65d5a5162355d251c4452b050355c686b751719ee9ccbd6e19f3e414dbf1aea598e1704aad7183f2c1654622927fd84badd36b42e845ffc5496cf0eb808fd

    Score
    7/10
    spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral13behavioral14

    • Target

      pack/AfDTM.exe

    • Size

      47KB

    • MD5

      81a1f53a7e0431c385b3537c9e86e9ca

    • SHA1

      fee349b7f96843c91ed47a19f9aa2f58520ddb1c

    • SHA256

      c47cc8f39a3d676895f1bbb92f94d50d5e5d20f7be816b76c09b08cef4d380a7

    • SHA512

      626f5d74a98e3b8cc8f3be3ea7d5611918731a35331dad3603d18426cefd694e6d66b46fb277c46300792c3da930022fc6db28afb68a6e9e4d974a90c9e091c4

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Async RAT payload

      rat
    behavioral15behavioral16

    • Target

      pack/AfMaR.exe

    • Size

      45KB

    • MD5

      a23c5f26bb7a11952d408d99242e5c06

    • SHA1

      0712a50bbb25a1803df9e9f7fd195ed86f54d1a7

    • SHA256

      d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0

    • SHA512

      4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Async RAT payload

      rat
    behavioral17behavioral18

    • Target

      pack/AfZcW.exe

    • Size

      45KB

    • MD5

      a23c5f26bb7a11952d408d99242e5c06

    • SHA1

      0712a50bbb25a1803df9e9f7fd195ed86f54d1a7

    • SHA256

      d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0

    • SHA512

      4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Async RAT payload

      rat
    behavioral19behavioral20

    • Target

      pack/AnWLP.exe

    • Size

      15KB

    • MD5

      a29ccdfe75b6d00c5af0d219040ec8fa

    • SHA1

      056a8309ed4c51c11d841c136e8e9d4d40b0c347

    • SHA256

      27a5e7226e99dfd6f1940565c19e61efcf4047085693b2c8c46e5ce843c1e943

    • SHA512

      229bdf1ab0a6761cc72edf5f78d6da02f5219cc5863b15ec1883fc531ba04df6a661b650cd10c5fcc9d6e5d473775b19f00442edcaaf664a18140dc5bc2e830c

    Score
    1/10
    behavioral21behavioral22

    • Target

      pack/AnZNZ.exe

    • Size

      45KB

    • MD5

      a23c5f26bb7a11952d408d99242e5c06

    • SHA1

      0712a50bbb25a1803df9e9f7fd195ed86f54d1a7

    • SHA256

      d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0

    • SHA512

      4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Async RAT payload

      rat
    behavioral23behavioral24

    • Target

      pack/ApRnS.exe

    • Size

      136KB

    • MD5

      6862264bbd7688ac4bd96f16786cd153

    • SHA1

      8fd23a996f8b78914f9969cb3c31be7ffd02e346

    • SHA256

      701ef63a3a8c4f2eb90d64cd897e0098460e1272a54404b90ab794a685b98ffc

    • SHA512

      23df9d7fe2e8028d2b7f985344ac5ff0d01f9a45f0925f6b37b0df64aab3702612e5bfb56cb29bc2325bd26ffe152fc69f4af5e36d0e94a97a6f04d27460c2e2

    Score
    10/10
    stormkittycollectionstealer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      pack/AqDpY.exe

    • Size

      15KB

    • MD5

      a29ccdfe75b6d00c5af0d219040ec8fa

    • SHA1

      056a8309ed4c51c11d841c136e8e9d4d40b0c347

    • SHA256

      27a5e7226e99dfd6f1940565c19e61efcf4047085693b2c8c46e5ce843c1e943

    • SHA512

      229bdf1ab0a6761cc72edf5f78d6da02f5219cc5863b15ec1883fc531ba04df6a661b650cd10c5fcc9d6e5d473775b19f00442edcaaf664a18140dc5bc2e830c

    Score
    1/10
    behavioral27behavioral28

    • Target

      pack/AsNMX.exe

    • Size

      6KB

    • MD5

      2077e8080a5f540e281242a1b475f865

    • SHA1

      b6e2e18a6a3574bab7f17185dc0b00da1a34a95c

    • SHA256

      04153178e5f9f669cd1c89d653d45a0431d46ff5e9dc6128522bc02aacdb9895

    • SHA512

      4e2bc30f93fbc06302fa29efcc0e5d164bf533dcf04235d2465863536d8fdd249d583555453836dd3e76df6d6f79a511185b9ef936312d6f25d8d89eb7b58f91

    Score
    1/10
    behavioral29behavioral30

    • Target

      pack/AwHQZ.exe

    • Size

      160KB

    • MD5

      3564b2127c519a9e39b63f0e6994a3d1

    • SHA1

      158c22dea6eb92f518af7ea947e08521a904e3ad

    • SHA256

      09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd

    • SHA512

      37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029

    Score
    10/10
    netwirebotnetratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral31behavioral32

MITRE ATT&CK Enterprise v6

Tasks

static1

ratdefaultcheatupxf48ymybotmsmpengde2948b666ccdcdf3511c5b4921dc5f7b868office04doctorremotehostuu0ptelespammer1andrewjn86dolevzasyncratredlineblustealernetwireremcosagentteslaformbookbitratnjratorcusraccoonquasarxloadernanocore
Score
10/10

behavioral1

agilenet
Score
7/10

behavioral2

Score
7/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

asyncratdefaultrat
Score
10/10

behavioral6

asyncratdefaultrat
Score
10/10

behavioral7

redlinecheatinfostealer
Score
10/10

behavioral8

redlinecheatinfostealer
Score
10/10

behavioral9

asyncratdefaultrat
Score
10/10

behavioral10

asyncratdefaultrat
Score
10/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

spywarestealer
Score
7/10

behavioral14

spywarestealer
Score
7/10

behavioral15

asyncratdefaultrat
Score
10/10

behavioral16

asyncratdefaultrat
Score
10/10

behavioral17

asyncratdefaultrat
Score
10/10

behavioral18

asyncratdefaultrat
Score
10/10

behavioral19

asyncratdefaultrat
Score
10/10

behavioral20

asyncratdefaultrat
Score
10/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

asyncratdefaultrat
Score
10/10

behavioral24

asyncratdefaultrat
Score
10/10

behavioral25

stormkittycollectionstealer
Score
10/10

behavioral26

stormkittycollectionstealer
Score
10/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

netwirebotnetratstealer
Score
10/10

behavioral32

netwirebotnetratstealer
Score
10/10