Resubmissions

23/05/2023, 01:28

230523-bvwvfsdc89 10

General

  • Target

    69525fa93fd47eb3c533afe3b1baba48.bin

  • Size

    2KB

  • Sample

    230523-bvwvfsdc89

  • MD5

    5585469fea3e302ef1d31f4dd933487f

  • SHA1

    c8c7604ddc69389e25fff30fde083198c3b98209

  • SHA256

    e47b928d0fc16348b828abeb3c2106a6d752512f60ef4583d6532cc0dbebebbf

  • SHA512

    83449dacd05787656f334e72d6a9e7507d5f79173b7efbfac015a555e87b7e69ee41674763283928c74c88398ccb83e6d6e0822915b8300afce24196680c2dec

Malware Config

Extracted

Family

xworm

C2

62.171.178.45:7000

Mutex

tDbp1EmAkvM7wf10

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1105328307010015232/y3JHG4bp0jeynHE4DQgvB8OX8QijYxrk2CH91SY0HvNfeBptAktLBqo7Ix-7GllXk9Gz

https://discord.com/api/webhooks/1103875906361118810/4y7iINqCCd1vB_5CHVi8bfs-VsURmj2vh2ZdBw9vV7iC_QaLM-Uzs73INWoN8KSw28mH

https://discord.com/api/webhooks/1105881039911534693/dLNv0NzBF-zb_xIoSptqZ4HWjpGEbwpw-iv_RW0S-G20qwXmbtLrfVJrhYfVOXrx51pi

https://api.telegram.org/bot6225839139:AAHOVxUdRr3_xezeR4e_GlriGQEKuUFBpW0/

Extracted

Family

formbook

Version

4.1

Campaign

gg04

Decoy

clothandsoulfabricllc.com

kx1336.com

4638.global

fixlaunchcredtunionmemb.online

indivexport.com

betuluzun.online

colossusboutique.com

hgcst.com

authorizer.online

hong-travel.com

globalwealthstrategiesco.com

fobberq.com

tribally.net

cook-a.com

todipjane.africa

membershipexams.africa

3dseal.online

abris-spb.ru

mkkkkk.net

chargecentral.store

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.81.243.246:2022

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9QCNN0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

formbook

Version

4.1

Campaign

pr29

Decoy

venuelees.co.uk

izquitlmichigan.com

33456.biz

birdieveneer.online

happydaysenniskillen.com

mybfhoodie.com

8xanre.xyz

liberaltimes.africa

arnoza-clothing.ch

enhancedintimacy.com

911halocampus.com

kx1179.com

generate-industries.com

starshiptransports.com

process-strategies.net

lovemichigancity.com

brezentovye-shtory.ru

calforze.com

ashenyrebirth.com

fgjfytryur6787api15.xyz

Extracted

Path

C:\6KMVhDmrY.README.txt

Ransom Note
~~~ Your computer was infected with a ransomware virus~~~
>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You won't be able to decrypt them without our help.
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will decrypt all your files and delete your data from our database If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.
>>>> Payment information
To recover your files, Send $50 worth of Bitcoin to the following address: bc1qe4mvvcsycwsu6gp7chnd7r4wd5f5sgy2man87k
Contact us (email addess): [email protected]

Extracted

Family

redline

Botnet

Invoice2100

C2

45.12.253.208:3030
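The extracted configs above, turned into something a responder can act on. This is an added example and not part of the sandbox report: the C2 endpoints, the Agent Tesla webhook and bot URLs and a subset of the Formbook decoy domains are copied from the configs above, while the Suricata sid range, the log record format and the sample log lines are constructed for the demo. It normalises the network IoCs, emits one Suricata rule per TCP C2, pulls the webhook id/token and bot token out of the exfiltration URLs so they can be reported or revoked, and runs the indicators over sample connection and DNS records. Nothing touches the network unless dry_run=False is passed explicitly.

```python
"""Added example: IoCs from report 230523-bvwvfsdc89 worked into detections
and response actions. Values marked 'copied' come from the report; everything
marked 'constructed' is invented for this demo."""
import ipaddress
import re
import urllib.request
from urllib.parse import urlparse

# Copied from the extracted configs above (family -> "ip:port").
C2_ENDPOINTS = {
    "xworm": "62.171.178.45:7000",
    "remcos": "45.81.243.246:2022",
    "redline": "45.12.253.208:3030",
}
# Agent Tesla exfiltration channels, copied from the report.
DISCORD_WEBHOOKS = [
    "https://discord.com/api/webhooks/1105328307010015232/y3JHG4bp0jeynHE4DQgvB8OX8QijYxrk2CH91SY0HvNfeBptAktLBqo7Ix-7GllXk9Gz",
    "https://discord.com/api/webhooks/1103875906361118810/4y7iINqCCd1vB_5CHVi8bfs-VsURmj2vh2ZdBw9vV7iC_QaLM-Uzs73INWoN8KSw28mH",
    "https://discord.com/api/webhooks/1105881039911534693/dLNv0NzBF-zb_xIoSptqZ4HWjpGEbwpw-iv_RW0S-G20qwXmbtLrfVJrhYfVOXrx51pi",
]
TELEGRAM_BOT = "https://api.telegram.org/bot6225839139:AAHOVxUdRr3_xezeR4e_GlriGQEKuUFBpW0/"
# Subset of the Formbook decoy domains from the gg04 and pr29 campaigns above.
FORMBOOK_DECOYS = {
    "clothandsoulfabricllc.com", "kx1336.com", "4638.global",
    "venuelees.co.uk", "izquitlmichigan.com", "33456.biz",
}


def parse_c2(endpoint):
    """Split 'ip:port' into (IPv4Address, int). Raises ValueError on junk so a
    typo in a blocklist fails loudly instead of silently matching nothing."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.IPv4Address(host), int(port)


def discord_webhook_parts(url):
    """Return (webhook_id, token) from a Discord webhook URL, or None."""
    m = re.fullmatch(r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)", url)
    return (m.group(1), m.group(2)) if m else None


def telegram_bot_token(url):
    """Return the bot token embedded in an api.telegram.org URL, or None."""
    m = re.match(r"/bot(\d+:[\w-]+)", urlparse(url).path)
    return m.group(1) if m else None


def suricata_rules(sid_base=9000001):
    """One alert per TCP C2 endpoint. The sid range is a constructed local
    placeholder; pick one that does not collide with your rulesets."""
    rules = []
    for i, (family, endpoint) in enumerate(sorted(C2_ENDPOINTS.items())):
        ip, port = parse_c2(endpoint)
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{family} C2 from report 230523-bvwvfsdc89"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)')
    return rules


def neutralise_discord_webhook(url, dry_run=True):
    """Discord's 'Delete Webhook with Token' endpoint needs no auth beyond the
    token in the URL, so a responder holding the URL can close the channel.
    With dry_run=True (default) only the request is built and returned."""
    if discord_webhook_parts(url) is None:
        raise ValueError("not a Discord webhook URL")
    req = urllib.request.Request(url, method="DELETE")
    if dry_run:
        return ("DELETE", req.full_url)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return ("DELETE", resp.status)  # 204 No Content on success


def scan_logs(lines):
    """Flag connections to the C2 endpoints and lookups of decoy domains.
    Record formats are constructed for this demo:
      conn <src_ip> <dst_ip> <dst_port>
      dns  <src_ip> <qname>"""
    c2 = {parse_c2(e): fam for fam, e in C2_ENDPOINTS.items()}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and fields[0] == "conn":
            try:
                key = (ipaddress.IPv4Address(fields[2]), int(fields[3]))
            except ValueError:
                continue
            if key in c2:
                hits.append((fields[1], f"{c2[key]} C2 {fields[2]}:{fields[3]}"))
        elif len(fields) == 3 and fields[0] == "dns":
            if fields[2].lower().rstrip(".") in FORMBOOK_DECOYS:
                hits.append((fields[1], f"formbook decoy lookup {fields[2]}"))
    return hits


# Constructed sample telemetry; not taken from the sandbox run.
SAMPLE_LOGS = [
    "conn 10.0.0.5 62.171.178.45 7000",
    "conn 10.0.0.5 142.250.74.46 443",
    "dns 10.0.0.7 kx1336.com.",
    "conn 10.0.0.7 45.12.253.208 3030",
]

if __name__ == "__main__":
    print("\n".join(suricata_rules()))
    for hit in scan_logs(SAMPLE_LOGS):
        print("HIT", *hit)
    print(neutralise_discord_webhook(DISCORD_WEBHOOKS[0]))
```

Three caveats before using this for real. Deleting a webhook with its token is irreversible and works for anyone holding the URL, so call neutralise_discord_webhook(url, dry_run=False) only after you have captured what you need from the channel and are sure it is not a shared legitimate integration. A Telegram bot token cannot be revoked by a third party; report it to Telegram and block egress to api.telegram.org/bot<token> instead. Formbook hides its real C2 among decoy domains that are commonly legitimate sites, so several of these domains being resolved from one host is a good host-level signal, but the decoy list should drive alerting, not DNS blocking.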

Targets

    • Target

      8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9.exe

    • Size

      5KB

    • MD5

      69525fa93fd47eb3c533afe3b1baba48

    • SHA1

      3dea1b337987177c73c64e89b370d90dc94c64cb

    • SHA256

      8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9

    • SHA512

      909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182

    • SSDEEP

      48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET.

    • Formbook

      Formbook is a commodity information stealer that harvests credentials, keystrokes and form data from browsers and other applications.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Formbook payload

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the Visual Basic compiler (vbc.exe) for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks