Resubmissions

25-12-2022 14:22

221225-rppf7abf39 10

25-12-2022 14:22

221225-rpkg8seg4s 10

25-12-2022 14:21

221225-rpexraeg31 10

25-12-2022 14:21

221225-rn92haeg3z 10

25-12-2022 14:13

221225-rjx65seg3w 10

General

  • Target

    allcome.zip

  • Size

    7.4MB

  • Sample

    221225-rjx65seg3w

  • MD5

    853a314f529e8d0a81e1082a5fc2acd7

  • SHA1

    0f8b76562383e4f2b4d71399e26affbd760f3466

  • SHA256

    be1bc698d63cbfc97d75edaa1fe850772d1e082a7b9a24aa5e09ed5b3bdeedde

  • SHA512

    cc21dc39e488c070d301a5107e92e422f8cf4a9345508b1c56206949769a2435e5f5f1b30ccdca22eb2f2f2b3a2c0e801a8aa3c418eb20192150e118a1908b4e

  • SSDEEP

    196608:wqNG3GKMWwzq67YKTwE8Jc+0algVV+uZT63SX9DzVOosAeSE:wKG3GKMWw90KL8R0kgVV+x36PsAVE

Malware Config

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/exp.php?usr=Class1c228

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw

Wallets

D92TTxkBTyJfavHWmAJfHpZRLeUY9ReHvf

rEtKYAu1Pwa9ydAB9YfXrTgVTtwB7QAghY

0x4aab8F9FFFE07459b1365A10405a4Fe7Aa7F1f81

XeZnNrJyBV3NimCP61bnJK8EYEqe984rn8

t1Vrj6CU9hHRwiuoSWDhgwtRhmPxRu9MqXs

GBEARLBYJHWXMY7AFAGF7VGMRMRK2D5HSRADSABSPMRIW6XPDQBRQSMI

0x43B091611E359447bAC8b2aE1619424A8417De38

qqvqg5fjmjjkd6egvwxv5et63jpakdqvuq3ye335x0

bc1qrzlvgv39ynr32vzacpg8y4y4yklmr370sxwqj3

0x4aab8F9FFFE07459b1365A10405a4Fe7Aa7F1f81

ltc1qef2n5uu37e34nvtrfhnurdj9lc574h90grpa0e

380990138409

Targets

    • Target

      2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02

    • Size

      9.1MB

    • MD5

      58ec0acfe4edcc15917b97ef91596f07

    • SHA1

      60e610685d9a549926e7a9b0cb6bcc6509708d3c

    • SHA256

      2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02

    • SHA512

      5769c348149efc107d94bd02e6bbb16440c7974533b843cc42fb7c23fb3e2209754ab69ca9f04a0ba4c56c83e5c30983568a1b1d5f9861c1328befdf09e78736

    • SSDEEP

      196608:K2ejh9Qo2P3Cgnpmtw69DvGSfkDpVpyPc9izcM/WaQCf:Kd4CHx3IyP4izp+Uf

    • Allcome

      A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      95de56b7b27bfdfae1c741a5f02a42d1a4f7a23286ca8b292e85132b8b87bb57

    • Size

      850KB

    • MD5

      f183d934a954fc80602a9173f55f22c9

    • SHA1

      a472c526f1dec0eb9bccdf2e083171a176faf1c4

    • SHA256

      95de56b7b27bfdfae1c741a5f02a42d1a4f7a23286ca8b292e85132b8b87bb57

    • SHA512

      48d42d3c6ca44944ea6879bb5c6367e5c03b938648f9667f235815acb02aa8191e02ca840acc855bf83b9ed0945a5516bb6c4433e7859efafb58b4b18b92ef24

    • SSDEEP

      12288:jYmzPxoepv5EUOPri4BTVUDnV89SxP3ol8VU9o:/xoS6TjUDnlP3G9o

    Score
    10/10
    • Allcome

      A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      d950b50f5f6430bec1db8de9f36b9a4e.exe

    • Size

      650KB

    • MD5

      d950b50f5f6430bec1db8de9f36b9a4e

    • SHA1

      65a005725dc0c018ff8e5d20d57992cf0ad9a2d8

    • SHA256

      ac1ee2ae3f9d02314391ea2cf5931325da346f5d40ea7cf12f4fb86e62fe1e89

    • SHA512

      5a828a0d93a9a2d458a941ede1dfc27a672e1bd03ea99441cf34a163397c723788fc90565cde7cb5d7ff09a8a0aa26d267c8b93b54659f440b0b784f3bbbf478

    • SSDEEP

      12288:GazUTpipJVJH0GpAl+N5IKOPri4BTVUDn8HC7Mvt6fDVyh:GNETR0GpAl+N5OTjUDnsC7u0O

    Score
    10/10
    • Allcome

      A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.bin

    • Size

      120KB

    • MD5

      e5d69699bde3b15ff93d21c5b673bd8a

    • SHA1

      7407968eb3d942ebabee4b432df4c4a9ac96c3e3

    • SHA256

      d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4

    • SHA512

      46312be3e25e994e56e92869ea93a2452a149d0c04fb9067f13412f5d5f527597ec1c62a2c682d93a6d84f8b9065c21713177056f6853427853bdf9aa4038121

    • SSDEEP

      3072:A5vUIjgiKb54RAYC5B5mAwCEOaIx91R6CW454DOeMxSXc:AdRgvb5wAN5mAFaIaRMxSX

    Score
    10/10
    • Allcome

      A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks