General

  • Target: sus.zip
  • Size: 1KB
  • Sample: 230510-3pm4xace8x
  • MD5: f8554227ffb4b19c58f38c459d8929cf
  • SHA1: 684a2014816c1c20582e97ab69064f3d4348ba7e
  • SHA256: 85c3c3e707c2567bca0e211c6ea81a11e6207ecdc51f49cfd21ebffe8bd503e7
  • SHA512: 1ce8e237f7c6f2356554ca13dfaa16ec99baa0b3e12a7b17061f00409c28ba91494ffd9a37123a8d5dd0c913a54d689a7dd9915cc8f971264ea148d307bf15a5

Malware Config

Extracted (Language: ps1, Deobfuscated)
  • URLs (ps1.dropper): http://62.204.41.23/file.png

Extracted (Language: ps1, Deobfuscated)
  • URLs (ps1.dropper): http://62.204.41.23/r.png

Extracted (Language: ps1, Deobfuscated)
  • URLs (ps1.dropper): http://62.204.41.23/o.png

Extracted (Family: redline)
  • Botnet: cheat
  • C2: 194.87.151.202:9578

Extracted (Family: systembc)
  • C2: 148.251.236.201:443

Extracted (Family: redline)
  • Botnet: 06.05 youtube
  • C2: 23.226.129.17:20619
  • Attributes
      auth_value: 21645ccdf8187508e3b133b1d80a162e

Extracted (Family: xworm)
  • C2: 62.171.178.45:7000
  • Mutex: tDbp1EmAkvM7wf10
  • Attributes
      install_file: USB.exe
  • aes.plain

Extracted (Family: redline)
  • Botnet: mixa
  • C2: 185.161.248.75:4132
  • Attributes
      auth_value: 9d14534b25ac495ab25b59800acf3bb2

Targets

    • Target: sus.zip
    • Size: 1KB (MD5/SHA1/SHA256/SHA512 as listed under General)

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scripting (T1064): 1
  • Scheduled Task (T1053): 1
  • Command-Line Interface (T1059): 1

Persistence
  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation
  • Scheduled Task (T1053): 1

Defense Evasion
  • File Deletion (T1107): 2
  • Impair Defenses (T1562): 1
  • Scripting (T1064): 1
  • Modify Registry (T1112): 2

Discovery
  • System Information Discovery (T1082): 2
  • Remote System Discovery (T1018): 1

Command and Control
  • Web Service (T1102): 1

Impact
  • Inhibit System Recovery (T1490): 2
  • Service Stop (T1489): 1
