General
-
Target
Samples.zip
-
Size
12.8MB
-
Sample
220826-ha1q8shfa4
-
MD5
b7c83a49def36623b4c2d0cb539821fd
-
SHA1
a63b8606a655ab2471845204df97f259cd65cb4f
-
SHA256
501317a60d63bac59b9cc6994cd4d03207a929ab689939d062635656b4ed8231
-
SHA512
4c331d5c502350f320b8ac22c2ef78b931d8cba3f67df507335f31e8fa7a7980cc0db7c27cfdc80ffaee553e819d830620be8c9cbb751e1f2bfe9da2c5d391c7
-
SSDEEP
393216:hx/VnB01nPLQXdxdweGz/JVcqb74n9/Tbbasg:hx/VmFg1irRP4ntXb1g
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.slmona-group.com - Port:
587 - Username:
[email protected] - Password:
EX5KNbFZpP2H - Email To:
[email protected]
Extracted
asyncrat
1.0.7
Default
meskullzmint.com:8848
meskullzmint.com:4782
127.0.0.1:8080
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
agenttesla
Protocol: smtp- Host:
posta.ni.net.tr - Port:
587 - Username:
[email protected] - Password:
nilya1957 - Email To:
[email protected]
Extracted
warzonerat
spicydojo.duckdns.org:2323
Extracted
formbook
4.1
oy10
wzwanju.com
vaultnutrition.info
propane-gallon.site
balkanmetin2.com
costa-del-sol.email
kayodeokikiolu.com
singlesshirts.com
nearestfoods.com
trenddetail.com
yihaimaidan.net
dfdr3r.site
tuitionmatters.co.uk
benglas.online
coloraja.xyz
tianzicheng.com
lamkt.com
dileca.com
6698856.com
vishi.store
ablehair.com
Extracted
bitrat
1.38
otx66i7lyk5mdfdu55a7v2qkcsq2apyjferoizgzw5yblmf74uvkrkqd.onion:80
-
communication_password
3f09fec94c92a2a8544c7854ec598a24
-
install_dir
Install path
-
install_file
Install name
-
tor_process
tor
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:7707
127.0.0.1:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
blustealer
https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnEbEZpHEIJz5LbF0no/sendMessage?chat_id=5571556378
Extracted
quasar
1.3.0.0
Renew
51.12.244.74:3788
QSR_MUTEX_1Q3lnFG6yfoKwTdOsQ
-
encryption_key
8ZgJdDwfl6yZfAWkQcvE
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
AfMaRTHbXDQeEqK.exe
-
Size
11.0MB
-
MD5
d49e5e8dd0e5e347b9bb061aa9c328dc
-
SHA1
d97c692a5c927f2db65c6ef9a240b061bdd668ed
-
SHA256
f157877dacee3384192d3438d6d6c4dd7f25eb313a45bd0799e15d90b4eb3114
-
SHA512
251b589318a39395dd8c40c0b54e6d000d60ce76710105d46059ede584ed939280c7f4d82ed513a5de224deb81f1213b2993301fd6134ebc796dd9b4283baef6
-
SSDEEP
49152:wE6zazjZSu8fiiiiic1LF6sjVWqvsLkUS16PVQaJbHJBSiiiiilsiiB9iiiip:wERZSu66QVWqkLkUSYPVQarBN
Score1/10 -
-
-
Target
AnZNZkqSCLtCdJP.exe
-
Size
126KB
-
MD5
ccc9e9ce00ae36543aea7653db6479ba
-
SHA1
0ebfeb138b7be5ad4fa3699d430fa6aaf393749c
-
SHA256
9b99bfeaca81fa2a9b5f525bd35d6f7f87866a65970f3fcde51085401e51e4d5
-
SHA512
552be92d536dd23207cbb09328663ebf33e3091acdacf73c1b037fba911cc4415a71522f0186025a44689d517ce04ce90f119ed988caa5e5621582d7525e55d6
-
SSDEEP
3072:Wnq4TwsW7L1GS9I3Hiy3eb8W5wBrjFbY:mQ7RMl3ebWZb
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
AwHQZpWsBXMfKoP.exe
-
Size
25KB
-
MD5
6bf7f7e0c20e4154dfd0a9500136e0ca
-
SHA1
2537d1c83362ca0c6fc78ee21fac75b763766d9e
-
SHA256
22a19734326aad3f8a2321db66c0a5c992665391b6b43da3764ae440ee41305f
-
SHA512
7093ca39c6a9beae85799c88d23223cb2be9eff7bab9cd7931c1351b0900effcc773a262e0d1dfa349446a0d4b19a0ca1ceb120853b368b36a3dbdf01495a271
-
SSDEEP
384:rQQ/dEM3FnK4aFc/QiLpPcnoyYX6ooOA:8Q/dECFnSc/gvYKoV
Score1/10 -
-
-
Target
AxStJPBXbsGYNCc.exe
-
Size
63KB
-
MD5
a06d89ba52a88bc5181dc101eb72bf54
-
SHA1
4491291c101c9d740c2be4e32ed860bcccfa04c1
-
SHA256
c3d0b87d7b8787629f8a79142a08c39e9a1a2cd85f5538ba212841c7942db190
-
SHA512
3fa8313c2d42c098b2ac05af38c2616faceda397c22677fc3802ae50323e9ce6445d2aabf142d0fa5be862679601b36a4b05bfc7562e77d6779c9294f1b8d8f3
-
SSDEEP
1536:nhp5LrUwk4Xq0WdsdPkKuUrsGoeMyGpGbbyw2LGlZVclN:nhp5LrUwk4XqdsdcMrscMvpGbbyt6zY
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
-
-
Target
BcJRFxiQTFDdmBX.exe
-
Size
48KB
-
MD5
a671a69d4e3f7425bf163eae052250ff
-
SHA1
80c47eae696348b607f5f54ab3101c10c64192ce
-
SHA256
447f95e2299fbab8e30669f1fd5c71b2e69499e25adae3373093c0317f53fdc5
-
SHA512
527a88921d628ffbe1cfbe21f204e3dbf3cea026129c6a9e3d713a82b9c9e6f75155f5da4bfe2f14845d6542cdbe129fa72214b028c4fdc397456d33f789a85b
-
SSDEEP
768:mbRJZBILLWQ9+jiwtelDSN+iV08Ybygecb+zqBEmyIvEgK/JbZVc6KN:mbRq9wtKDs4zb1pu9xInkJbZVclN
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
BeRWDywBMMSobQZ.exe
-
Size
126KB
-
MD5
30d8ed3c4ce8a7101f099d0c362bdd2f
-
SHA1
620d7704df3924ae1af824c9f69af0edbec1a3e4
-
SHA256
73493f393423de3502be624402e63b53216a91ec15cb5ab1357661a75c2ad29e
-
SHA512
539a9e0ae03679118c553391c325cddcaeae40f6ea11a5a82b5f77f85050e09cccc62ee9e5ff897c7ec5c425c84e004de13dec43069389c77c65e2229728b484
-
SSDEEP
3072:mjememsTaR9OHR83H6uZ3o5b81McwBrHFbY:ge7aEAauZMbAMHlb
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
BgNDTadHLDiJwMQ.exe
-
Size
126KB
-
MD5
30d8ed3c4ce8a7101f099d0c362bdd2f
-
SHA1
620d7704df3924ae1af824c9f69af0edbec1a3e4
-
SHA256
73493f393423de3502be624402e63b53216a91ec15cb5ab1357661a75c2ad29e
-
SHA512
539a9e0ae03679118c553391c325cddcaeae40f6ea11a5a82b5f77f85050e09cccc62ee9e5ff897c7ec5c425c84e004de13dec43069389c77c65e2229728b484
-
SSDEEP
3072:mjememsTaR9OHR83H6uZ3o5b81McwBrHFbY:ge7aEAauZMbAMHlb
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
BjWXPytPSJRdiLA.exe
-
Size
215KB
-
MD5
306d61b898d8ca0ac21e0cea238dc164
-
SHA1
bb293cdaf8da2ae4d9bdb18a52626ca78cb0cb28
-
SHA256
963e8cf8e1df3604fd6e6c163b9be24125dfb764196eb71e936dd01deae08004
-
SHA512
b4cf5db97e8617cf41f3732d841341b17b79ed3939ad2a53fba8845606831782c8149efaefb637ca11788d15ea5dbb9366274bf182144d0917c21ab4178615ce
-
SSDEEP
3072:omQa+GAEz+ip3BJqTeUvrTGnXR/XRlf/ryiusenhgFUaoGu5D0I2OSoYUHIL:oWp31U2XR/DGiuPhgFUxGud0IktUH
Score7/10-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
-
-
Target
BmGjLSDwCWXaZqK.exe
-
Size
216KB
-
MD5
8225b4ef1537395fe9ca131692849f87
-
SHA1
117020a929e3bb2fa8fe59772b3db86a92512c3e
-
SHA256
08c6dedf958d8ef831d588cbb98fa5e7f7e05f8b5d020c60f85d374511aa9102
-
SHA512
82bbad09ba59b6201673806fd8164662c0a865d36734f5e43169c6297b8ca286b2d12d115d6d82e0e0c5da6699b373842f06a6bf1efd297bedb634a32e7a30bc
-
SSDEEP
3072:hGWqxwTKbt5v16C2+IJJYN0UivEE8fm+TbuCWJj72vpKahuOitgAMg1hzxCUnXR:h6wTq2D/UUkmICTKKyIgA1F8U
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
-
-
Target
CfGQYemJHRdTnFG.exe
-
Size
117KB
-
MD5
19358aa5a8795a331a7f742e98ee5e58
-
SHA1
a94378675c169915e3b11ae3ac8b3a0a17f714ac
-
SHA256
cd1124d49f6e248b69e167e7fb5914040da63675486608cfa035082a837fe6ff
-
SHA512
fbd3b723e1c6684a01b24edd711a1d361052e92d5e76870f7b2141800a3542ee714872823183b25a79542bb6cb7b7564df1b04962ab0de3bd9333800a57363ae
-
SSDEEP
3072:ZaOqc4zX7NK4w0qVc6j2D9bW0YBDrUbpgDwk:fF4zX7NKUGjg9ba
Score10/10-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
CgENMjeJGCZcdAF.exe
-
Size
98KB
-
MD5
92dcfe5ccfa95ab24ed7ed2933181a8b
-
SHA1
027ac2613387cd54463d0170889b849201f16e85
-
SHA256
8e4f9c50d684e420c808b44d32287262f57cdbb5780dca6488556a41107d3491
-
SHA512
86e515a88fc33b0c8773a4caa53521a96f4cf04ca09b80c79e8687363e5b054a0e82e275e8cb72c899233897a5353946ef68791673cfdb0605aac35c8c2d217e
-
SSDEEP
1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
-
-
Target
CjYrWNZyEcMBBMa.exe
-
Size
143KB
-
MD5
8bb5a008412477ca9ccaec82ee6dd6a7
-
SHA1
1bd59951c56e68f91b2f510275c6276c4484411b
-
SHA256
a440e693962c333be050ef7ba0f9b5cbeac959d149a5f5b4d299197fb9415133
-
SHA512
3bbe3dba440811f1c8bdb3656f15c69f317cc957e9977ac17ccba4670d3cf5ecbd248aebbe476bb51e836710e12aea8959c9dc50f30490b8112d49eb6dc98d4d
-
SSDEEP
3072:9uO/rZAi3Tqn2ZiaPiJcuy/CBzjYqqKb33wqwwIaICM:w6dQ2Ziamcu8K8KbP
Score8/10-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
-
-
Target
CsFbNASzLBKdkHR.exe
-
Size
126KB
-
MD5
eb07425a3a7041d97579e87bd4443e13
-
SHA1
9428b250c7d822699aab4718cf5414bb3f102435
-
SHA256
fb6dbdc462a52a6d7b1b79ee926d865284e9602c7cd38ec7225c96167ecef9a9
-
SHA512
28d839f468aa769bc90fafd2eafb1e74639027411e16c8256231d9caf72c3fac08c1d7a83065bac212de73fded1bca30918ed88af645a20b3d23e69b2972c6f7
-
SSDEEP
1536:Yt4ZAUsImChnFm5va3Hp9QMa4JBE1b/UToyUpiOWBDfF0Kcl:Yt4Z7smnFm5va3Hbngb8TewBDfFbY
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
DaGdSGFqZFBbLpA.exe
-
Size
126KB
-
MD5
ccc9e9ce00ae36543aea7653db6479ba
-
SHA1
0ebfeb138b7be5ad4fa3699d430fa6aaf393749c
-
SHA256
9b99bfeaca81fa2a9b5f525bd35d6f7f87866a65970f3fcde51085401e51e4d5
-
SHA512
552be92d536dd23207cbb09328663ebf33e3091acdacf73c1b037fba911cc4415a71522f0186025a44689d517ce04ce90f119ed988caa5e5621582d7525e55d6
-
SSDEEP
3072:Wnq4TwsW7L1GS9I3Hiy3eb8W5wBrjFbY:mQ7RMl3ebWZb
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
DcDJLimAFTYswMQ.exe
-
Size
126KB
-
MD5
ccc9e9ce00ae36543aea7653db6479ba
-
SHA1
0ebfeb138b7be5ad4fa3699d430fa6aaf393749c
-
SHA256
9b99bfeaca81fa2a9b5f525bd35d6f7f87866a65970f3fcde51085401e51e4d5
-
SHA512
552be92d536dd23207cbb09328663ebf33e3091acdacf73c1b037fba911cc4415a71522f0186025a44689d517ce04ce90f119ed988caa5e5621582d7525e55d6
-
SSDEEP
3072:Wnq4TwsW7L1GS9I3Hiy3eb8W5wBrjFbY:mQ7RMl3ebWZb
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
aCRAEzePNKKgoZZ.exe
-
Size
47KB
-
MD5
5a723bd7aa2c6efdc3e9d7cf30b28b57
-
SHA1
931e33a992c56302809e7d8b7a116474490b6753
-
SHA256
53e13e8a6fb67554f49c8270523d068835894c4fb302ce133004813e490654ae
-
SHA512
d03d1d6a23f7e23f2757bbb64e55dfd8e852343da0c347e2098994ee8a353191451317465e1f841ccc6b596e23b91cf9f7d646c6f0614510d1c31c020a31d734
-
SSDEEP
768:dOEuILWCKi+DiBtelDSN+iV08Ybyge4uCsRr5h7zvEgK/J9lZVc6KN:dOtmBtKDs4zb1JDstD7znkJ3ZVclN
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-