Overview

overview

10

Static

static

3

005bcf0514...c8.exe

windows10-1703-x64

10

Resubmissions

11-05-2023 23:45

230511-3r21vaba37 10

11-05-2023 14:55

230511-saw36afh91 10

10-05-2023 18:44

230510-xdkazshg76 10

08-05-2023 20:41

230508-zgd99aed8v 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    005bcf051418d05c2750b593278c9fc8.exe

  • Size

    6KB

  • Sample

    230510-xdkazshg76

  • MD5

    005bcf051418d05c2750b593278c9fc8

  • SHA1

    3425e499c953eefad59edde4f83e1c04687799c7

  • SHA256

    9b6573b930e72d319ef4efa0975ff1b59673f96633a03d5e338bc8d7418418f4

  • SHA512

    25faa9966fa531c948c00c2454427220ba79d28230fdac1aec0a5793983d07ff2d71dba0b122bcc5bc24abb1fd18586fe2d4215d796eb9b0ba1d55099538f679

  • SSDEEP

    96:MEOIQNVjrXcWD7RtwkYv1X5Yp7svNzNt:MFIojrsWHnwkYv1XyIn

Score
10/10
agentteslaformbookgh0stratredlinesectopratsystembcxworm06.05 youtubecheatlux3misikmi28evasioninfostealerkeyloggerpersistencepyinstallerransomwareratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.23/r.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.23/file.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.23/o.png

Extracted

Family

systembc

C2

148.251.236.201:443

Extracted

Family

redline

Botnet

cheat

C2

194.87.151.202:9578

Extracted

Family

redline

Botnet

06.05 youtube

C2

23.226.129.17:20619

Attributes
  • auth_value

    21645ccdf8187508e3b133b1d80a162e

Extracted

Family

redline

Botnet

lux3

C2

176.123.9.142:14845

Attributes
  • auth_value

    e94dff9a76da90d6b000642c4a52574b

Extracted

Family

xworm

C2

62.171.178.45:7000

Mutex

tDbp1EmAkvM7wf10

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

redline

Botnet

misik

C2

217.196.96.102:4132

Attributes
  • auth_value

    9133827666bc8f4b05339316460b08aa

Extracted

Family

formbook

Version

4.1

Campaign

mi28

Decoy

cgbshop.uk

economydriver.africa

sarahmodene.com

keithdevelopment.online

flightswithcrypto.com

lanotte-oro.com

e-organizer.ru

gestiondocs.com

impressivehistory.com

kytziabaringstore.com

artshopvenice.com

centrooncapreta.com

114sn.com

smg-bd.com

alambreszirma.com

buddhaux.agency

sihaiyijia.net

introverts.life

gfaqvi.xyz

cheapestprotein.co.uk

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6014676296:AAHxuWZXqY8bUcQ2pv4pgUzoljef3z45sCM/

Targets

    • Target

      005bcf051418d05c2750b593278c9fc8.exe

    • Size

      6KB

    • MD5

      005bcf051418d05c2750b593278c9fc8

    • SHA1

      3425e499c953eefad59edde4f83e1c04687799c7

    • SHA256

      9b6573b930e72d319ef4efa0975ff1b59673f96633a03d5e338bc8d7418418f4

    • SHA512

      25faa9966fa531c948c00c2454427220ba79d28230fdac1aec0a5793983d07ff2d71dba0b122bcc5bc24abb1fd18586fe2d4215d796eb9b0ba1d55099538f679

    • SSDEEP

      96:MEOIQNVjrXcWD7RtwkYv1X5Yp7svNzNt:MFIojrsWHnwkYv1XyIn

    Score
    10/10
    agentteslaformbookgh0stratredlinesectopratsystembcxworm06.05 youtubecheatlux3misikmi28evasioninfostealerkeyloggerpersistencepyinstallerransomwareratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Formbook payload

      rat

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

File Deletion

2
T1107

Impair Defenses

1
T1562

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks