Resubmissions
11-11-2023 08:23
231111-j96bfacf5s 1008-11-2023 14:52
231108-r8x8facc5z 1027-10-2023 03:52
231027-ee6lhabh8x 1027-10-2023 03:51
231027-ee1p9abh8s 1025-10-2023 10:35
231025-mm3htagf6y 1023-10-2023 09:11
231023-k5l8fahc84 1021-10-2023 11:53
231021-n2kf8aga32 1021-10-2023 11:26
231021-njywwsfg64 1020-10-2023 21:27
231020-1a8qysbe9t 10General
-
Target
a.exe
-
Size
5KB
-
Sample
230621-xg8sraba44
-
MD5
800a6337b0b38274efe64875d15f70c5
-
SHA1
6b0858c5f9a2e2b5980aac05749e3d6664a60870
-
SHA256
76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
-
SHA512
bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
-
SSDEEP
48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt
Malware Config
Extracted
redline
bart_simpson_bartik
89.23.101.91:1487
-
auth_value
c8be2eeac814c4f4fc93fc29dc2dab93
Extracted
purecrypter
http://192.210.215.42/v/panel/uploads/Dnlanfmltc.vdf
Extracted
formbook
4.1
sy18
mgn4.com
gemellebeauty.com
emj2x.top
melissamcduffee.com
holangman.top
cqmksw.com
pinax.info
u2sr03.shop
weighing.xyz
jetcasinosite-official6.top
xyz.ngo
suandoc.xyz
aboutwean.site
stockprob.com
bawdydesignz.com
buddybooster.net
scuderiaexotics.com
design-de-interiores.wiki
shipsmartstore.com
patricklloydrunning.com
Extracted
vidar
4.4
3f50d705ad2c827d332eeaf1c91ea776
https://steamcommunity.com/profiles/76561199235044780
https://t.me/headlist
-
profile_id_v2
3f50d705ad2c827d332eeaf1c91ea776
-
user_agent
Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD91D; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.124 Safari/537.36
Extracted
redline
Rocketpro
94.142.138.212:26540
-
auth_value
7ec2b1cebe4360f7f11bb80bbf7d8b26
Targets
-
-
Target
a.exe
-
Size
5KB
-
MD5
800a6337b0b38274efe64875d15f70c5
-
SHA1
6b0858c5f9a2e2b5980aac05749e3d6664a60870
-
SHA256
76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
-
SHA512
bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
-
SSDEEP
48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Formbook payload
-
Downloads MZ/PE file
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Accesses 2FA software files, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-