Overview

overview

10

Static

static

10

2023-06-18.zip

windows10-2004-x64

10

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2023-06-18.zip

  • Size

    285.3MB

  • Sample

    230716-xt4pkahc8t

  • MD5

    8c0f5e86d1f5493a0880a5b4904681af

  • SHA1

    8cbed3b39884500b8d277bbf92f4597b271cf98f

  • SHA256

    d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

  • SHA512

    7f4bfefe043eb5ba8ccfe563b5aa8d6f0f8c26b4f1a67c642e157d77445e786c5a0ba97f1c0a00a1f7343fe34f63d5973511f1dc64209c966b5d30a5f9503cad

  • SSDEEP

    6291456:d8ArxcDqoEQal3nJ9Xs2URMmQlZYYUlrF+CpICF0ciqgVvdTS/+cRdtqj:dRrRoEFD9Xs9D3hBF+pP9S/jLy

Score
10/10
agentteslaamadeyasyncratdcratformbookgafgythealermirainanocorenetwirenjratprivateloaderredlinexmrigdefaultdrowedduzajasonmiraijy95botnetcollectiondropperevasioninfostealerkeyloggerminerpersistencepyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

gafgyt

C2

45.81.234.229:606

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

asyncrat

Version

0.5.7B

C2

209.25.141.180:6498

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

nanocore

Version

1.2.2.0

C2

sneakerpop.bounceme.net:6349

madbunny.duckdns.org:6349
Mutex

f23c9a26-21f9-4616-b2a4-7a31333df843

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    madbunny.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-03-12T14:07:36.727208736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6349

  • default_group

    BOLD

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    f23c9a26-21f9-4616-b2a4-7a31333df843

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sneakerpop.bounceme.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

C2

www.violtebotnet.cc

Extracted

Family

amadey

Version

3.84

C2

77.91.68.63/doma/net/index.php

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

5.tcp.eu.ngrok.io:16050

5.tcp.eu.ngrok.io:5304
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

Drowed

C2

source-seconds.at.ply.gg:36244

Mutex

7c27d7599d944dcc420f1985da53674a

Attributes
  • reg_key

    7c27d7599d944dcc420f1985da53674a

  • splitter

    |'|'|

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

amadey

Version

3.83

C2

77.91.68.30/music/rock/index.php

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

netwire

C2

william1979.ddns.net:4416

mathkros79.ddns.net:4416

engine79.ddns.net:4416

chrisle79.ddns.net:4416

jacknop79.ddns.net:4416

smath79.ddns.net:4416

whatis79.ddns.net:4416

goodgt79.ddns.net:4416

bonding79.ddns.net:4416
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Jan 2018

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password2$

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

redline

Botnet

jason

C2

83.97.73.129:19071

Attributes
  • auth_value

    87d1dc01751f148e9bec02edc71c5d94

Extracted

Family

redline

Botnet

duza

C2

83.97.73.129:19071

Attributes
  • auth_value

    787a4e3bbc78fd525526de1098cb0621

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5480024987:AAEOw0FrXbZvPh7UKydmAyaZODSJd4PSlkU/

Extracted

Family

formbook

Version

4.1

Campaign

jy95

Decoy

do-si-dough.com

cchapmanganato.com

04it.icu

kawebdesign.site

oasisconnects.com

op091.com

psychicstandupcomedy.com

harveylee.online

x55568.com

orbinlopez.one

45745931.buzz

undiereleaseco.com

cludybot.net

sailtmtbar.com

siennashih.com

premintxyz.net

xn--bj4bt9j.com

giornalaiditalia.com

colorfullemonade.com

baddiebearz.com

Targets

    • Target

      2023-06-18.zip

    • Size

      285.3MB

    • MD5

      8c0f5e86d1f5493a0880a5b4904681af

    • SHA1

      8cbed3b39884500b8d277bbf92f4597b271cf98f

    • SHA256

      d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

    • SHA512

      7f4bfefe043eb5ba8ccfe563b5aa8d6f0f8c26b4f1a67c642e157d77445e786c5a0ba97f1c0a00a1f7343fe34f63d5973511f1dc64209c966b5d30a5f9503cad

    • SSDEEP

      6291456:d8ArxcDqoEQal3nJ9Xs2URMmQlZYYUlrF+CpICF0ciqgVvdTS/+cRdtqj:dRrRoEFD9Xs9D3hBF+pP9S/jLy

    Score
    10/10
    agentteslaformbookhealernetwireredlineduzajasonjy95botnetcollectiondropperevasioninfostealerkeyloggerpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detects Healer an antivirus disabler dropper

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Formbook payload

      rat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks