Resubmissions

20-05-2023 01:01

230520-bdhlhahd64 10

20-05-2023 00:59

230520-bb6wbahd52 10

17-05-2023 15:12

230517-sld2qafe25 10

16-05-2023 18:13

230516-wt6ngsbb3s 10

16-05-2023 18:11

230516-wsz5babb2w 10

16-05-2023 18:10

230516-wr6wgabb2s 10

16-05-2023 18:03

230516-wm22qabh79 10

General

  • Target

    a.bin

  • Size

    5KB

  • Sample

    230516-wr6wgabb2s

  • MD5

    69525fa93fd47eb3c533afe3b1baba48

  • SHA1

    3dea1b337987177c73c64e89b370d90dc94c64cb

  • SHA256

    8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9

  • SHA512

    909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182

  • SSDEEP

    48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

Malware Config

Extracted

Family

redline

Botnet

PERSOM

C2

176.124.219.192:14487

Attributes
  • auth_value

    0695a610af712a57529526101d7e83b2

Extracted

Family

lokibot

C2

http://185.246.220.85/zang1/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

quasar

Version

1.4.0

Botnet

X

C2

45.141.27.208:4780

127.0.0.1:4780

Mutex

d6e77ea9-bff7-4566-b4dd-f1be3c293c5e

Attributes
  • encryption_key

    57F667877C1FCDA6663E2FDAC6FB8CFDE3CEA957

  • install_name

    winx.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    winx

  • subdirectory

    sys

Targets

    • Target

      a.bin

    • Size

      5KB

    • MD5

      69525fa93fd47eb3c533afe3b1baba48

    • SHA1

      3dea1b337987177c73c64e89b370d90dc94c64cb

    • SHA256

      8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9

    • SHA512

      909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182

    • SSDEEP

      48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

    • Detects LgoogLoader payload

    • LgoogLoader

      A downloader capable of dropping and executing other malware families.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks