Resubmissions
11-11-2023 08:23
231111-j96bfacf5s 1008-11-2023 14:52
231108-r8x8facc5z 1027-10-2023 03:52
231027-ee6lhabh8x 1027-10-2023 03:51
231027-ee1p9abh8s 1025-10-2023 10:35
231025-mm3htagf6y 1023-10-2023 09:11
231023-k5l8fahc84 1021-10-2023 11:53
231021-n2kf8aga32 1021-10-2023 11:26
231021-njywwsfg64 1020-10-2023 21:27
231020-1a8qysbe9t 10General
-
Target
a.exe
-
Size
5KB
-
Sample
230613-tm9qfsha22
-
MD5
800a6337b0b38274efe64875d15f70c5
-
SHA1
6b0858c5f9a2e2b5980aac05749e3d6664a60870
-
SHA256
76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
-
SHA512
bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
-
SSDEEP
48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt
Malware Config
Extracted
Protocol: smtp- Host:
mail.agrilivestock.net - Port:
587 - Username:
upholding@agrilivestock.net - Password:
bk?fbH0ox.EC^
Extracted
asyncrat
1.0.7
Default
192.168.175.1:1800
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
remcos
Ares
nov231122.con-ip.com:7476
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Windowsecurity.exe
-
copy_folder
Security Windows
-
delete_file
true
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Remcos-L3UAVE
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
true
-
take_screenshot_time
5
Extracted
quasar
1.4.0
newcrypt
103.136.199.131:4782
158.247.227.231:4782
973aa178-3f17-48ed-b33e-52dd11425768
-
encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Chrome Updater
-
subdirectory
SubDir
Extracted
remcos
Layouts
datbuggy.servepics.com:58003
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7OBYTV
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
agenttesla
https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/
Extracted
quasar
1.4.0
hplus20230325
103.136.199.131:4782
158.247.227.231:4782
17eb206f-a56e-4361-a18e-7ca16f3b99cc
-
encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Chrome Updater
-
subdirectory
SubDir
Extracted
warzonerat
testing1212.ddns.net:5201
Extracted
smokeloader
summ
Extracted
redline
droid
83.97.73.129:19068
-
auth_value
4e534d26d67e90669e9843dbbfac4c52
Extracted
lokibot
http://161.35.102.56/~nikol/?p=74818831363
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
smokeloader
pub5
Extracted
redline
mare
83.97.73.129:19068
-
auth_value
9fe24c0b777bee62b94d563294dcc472
Targets
-
-
Target
a.exe
-
Size
5KB
-
MD5
800a6337b0b38274efe64875d15f70c5
-
SHA1
6b0858c5f9a2e2b5980aac05749e3d6664a60870
-
SHA256
76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
-
SHA512
bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
-
SSDEEP
48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Windows security bypass
-
Async RAT payload
-
Modifies boot configuration data using bcdedit
-
Warzone RAT payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMon driver.
Roottkits write to WinMon to hide PIDs from being detected.
-
Manipulates WinMonFS driver.
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
4Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
7Disabling Security Tools
3Impair Defenses
2Scripting
1Install Root Certificate
1