Overview

overview

10

Static

static

joined2023.exe

windows10-2004-x64

10

Resubmissions

24-01-2023 13:22

230124-ql79fsdd5v 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    joined2023.exe

  • Size

    3.9MB

  • Sample

    230124-ql79fsdd5v

  • MD5

    e32d1c9ffd23662ed5ca10a55935b0d6

  • SHA1

    d8e9bc81ff71cecbb5c4a761ab078c00afb25e2c

  • SHA256

    b2117810ce796c98090c62b23a4141f13861f6b1e401cfd23214416e1d34a7d4

  • SHA512

    21985146e9919222a2afec3fa4fdda4725c7137eee26f078372f4fcea2370e0b7e437cbdb392d9648872bb987e18fbbe5af8c1b81b93de2bf30210681a284e40

  • SSDEEP

    98304:kKBFq4/pXUb0JKQv9EbSr8kVSr+MgsXJFQ91J:BJ+LSrJ9MpiD

Score
10/10
44caliberasyncratmercurialgrabbernjratorcusstealeriumstormkittydefaulthackedevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

orcus

C2

applications-tri.at.ply.gg:28896

Mutex

d13fa6fd01354c1cb13a471f4d115873

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1055148664328306759/bxAEZTZ-kRLn3WPZNdGtreQXlAKfCVmcqjAkhu0eKmIIUgcgVFvENadDczyX96Jco6EC

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1059949869067944116/125-PuomaUyQ_Agw7Jz405pbRMMFoA7YzL1fuXr9W9SnxqrIA0uro1tBguC8qGaNiNyj

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1059951133780619324/DkJrb9sMyvvnTtNeg9xAQnaPAnQx81HiLYIxO9HjmOmu8BiipsU0tuvk_9Wo22Nk0A0W

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/AGYCqrDm

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

applications-tri.at.ply.gg:28896

Mutex

0796887e761bffbbe87ade248de931cd

Attributes
  • reg_key

    0796887e761bffbbe87ade248de931cd

  • splitter

    |'|'|

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

applications-tri.at.ply.gg:28896

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Targets

    • Target

      joined2023.exe

    • Size

      3.9MB

    • MD5

      e32d1c9ffd23662ed5ca10a55935b0d6

    • SHA1

      d8e9bc81ff71cecbb5c4a761ab078c00afb25e2c

    • SHA256

      b2117810ce796c98090c62b23a4141f13861f6b1e401cfd23214416e1d34a7d4

    • SHA512

      21985146e9919222a2afec3fa4fdda4725c7137eee26f078372f4fcea2370e0b7e437cbdb392d9648872bb987e18fbbe5af8c1b81b93de2bf30210681a284e40

    • SSDEEP

      98304:kKBFq4/pXUb0JKQv9EbSr8kVSr+MgsXJFQ91J:BJ+LSrJ9MpiD

    Score
    10/10
    44caliberasyncratmercurialgrabbernjratorcusstealeriumstormkittydefaulthackedevasionpersistenceratspywarestealertrojan

    • 44Caliber

      An open source infostealer written in C#.

      stealer44caliber

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus main payload

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Async RAT payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks