Resubmissions

10-05-2024 16:25

240510-tw1h5shh47 10

24-08-2023 11:16

230824-nda8msdf8z 10

05-08-2023 22:52

230805-2tn2bsfa82 10

24-07-2023 06:25

230724-g6s6laag35 10

22-07-2023 15:57

230722-tee6wabg5w 10

20-07-2023 23:19

230720-3bb5gsbf5v 10

20-07-2023 23:06

230720-23f23sba63 10

03-02-2021 11:43

210203-6bgge2nfan 10

General

  • Target

    Downloads.rar

  • Size

    184.3MB

  • Sample

    230720-3bb5gsbf5v

  • MD5

    9e3e4dd2eca465797c3a07c0fa2254fe

  • SHA1

    16ceee08c07179157b0fb6de04b7605360f34b20

  • SHA256

    f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

  • SHA512

    f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746

  • SSDEEP

    3145728:6CNdBnKJ7rjucWU6bfga3QgbgShgbgSwSonIyRNlIyN+c3Os:t+sJb/3Q4h4wLIy/r91

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

Attributes
  • build_id

    19

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

Attributes
  • build_id

    103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

Attributes
  • build_id

    140

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

Attributes
  • build_id

    131

rc4.plain

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.91.237.42:8443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    47.91.237.42,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

  • watermark

    305419896

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes
  • reg_key

    c6c84eeabbf10b049aa4efdb90558a88

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

C2

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes
  • reg_key

    6825da1e045502b22d4b02d4028214ab

  • splitter

    Y262SUCZ4UJJ

Targets

    • Target

      Downloads.rar

    • Size

      184.3MB

    • MD5

      9e3e4dd2eca465797c3a07c0fa2254fe

    • SHA1

      16ceee08c07179157b0fb6de04b7605360f34b20

    • SHA256

      f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

    • SHA512

      f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746

    • SSDEEP

      3145728:6CNdBnKJ7rjucWU6bfga3QgbgShgbgSwSonIyRNlIyN+c3Os:t+sJb/3Q4h4wLIy/r91

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Detected Djvu ransomware

    • Detects Zeppelin payload

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • RevengeRat Executable

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

File and Directory Permissions Modification

1
T1222

Scripting

1
T1064

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks