General

  • Target

    2022-10-24.zip

  • Size

    973.8MB

  • Sample

    230720-h97ntsea2y

  • MD5

    0523322523fc2607b21cf06ee2c06e2f

  • SHA1

    49924c11f7b22dbb1fec51402214a4b62f0c4da0

  • SHA256

    3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • SHA512

    a6ca6c07ece8ad4f4c832cf40bf35e267bfc56f34d0aa252b2cfdcc75ee7fd2b9aa55b547b849820163ca48bd05c9061c76d80756427950d2e5181ebace1ebae

  • SSDEEP

    25165824:cbjDAJklOVFPCJ4jMrhQVzccWZYSXn4yPPGwnSQuw:cbj8Sl66PhncWZYyWw6w

Malware Config

Extracted
  • Family
    gafgyt
  • C2
    185.28.39.15:839

Extracted
  • Family
    irata
  • C2
    https://iuskmmdm.ml

Extracted
  • Family
    mirai
  • Botnet
    MIRAI

Extracted
  • Family
    mirai
  • Botnet
    LZRD

Extracted
  • Family
    purecrypter
  • C2
    https://cdn.discordapp.com/attachments/1033689147958902804/1033916196451516516/Njnwwomqhh.bmp
    https://cdn.discordapp.com/attachments/1033689147958902804/1033908505989628004/Dfygmnwx.png
    http://45.139.105.228/Pinkptlahbx.bmp
    https://onedrive.live.com/download?cid=A091E1A18B960958&resid=A091E1A18B960958%21160&authkey=AP6mjbZ6I7me0us
    http://185.216.71.120/Dsysssji.bmp
    https://onedrive.live.com/download?cid=A091E1A18B960958&resid=A091E1A18B960958%21159&authkey=AFru6OsgFq10mzo
    https://onedrive.live.com/download?cid=BD9480D014FE52E5&resid=BD9480D014FE52E5%21322&authkey=AHyzW5kyN2MBgPo
    https://fullline.com.my/loader/uploads/Cofucfwmi.bmp
    https://onedrive.live.com/download?cid=96F930A16702BA42&resid=96F930A16702BA42%21110&authkey=AMJ1Am8lmlZPVrM
    http://41.216.183.235/Ogrogk.jpeg
    http://185.216.71.120/Ypvoi.png
    https://transfer.sh/get/afXUmU/Uyofoxfltd.jpeg
    http://185.216.71.120/Eztxeazszv.png
    https://onedrive.live.com/download?cid=A091E1A18B960958&resid=A091E1A18B960958%21165&authkey=AKz2N-2upLtVH0U
    http://www.ugr.leszczynskie.net/mapa/Upfhbfhbavc.png
    http://185.216.71.120/Yqnvktamyg.png
    http://194.180.48.203/Uhprtckm.bmp
    http://45.139.105.228/Ittogj.bmp

Extracted
  • Family
    mirai
  • Botnet
    LZRD

Extracted
  • Family
    mirai
  • Botnet
    LZRD

Extracted
  • Family
    aurora
  • C2
    176.124.220.67:8081

Extracted
  • Family
    rhadamanthys
  • C2
    http://104.161.119.221:8899/live-edge/nft.png

Extracted
  • Family
    socelars
  • C2
    https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Extracted
  • Family
    mirai
  • Botnet
    LZRD

Extracted
  • Family
    systembc
  • C2
    95.179.146.128:443
    146.70.53.169:443

Extracted
  • Family
    njrat
  • Version
    0.7d
  • Botnet
    Brouteurs
  • C2
    forthewin.ddns.net:13337
  • Mutex
    fc4dbf906d35a96ddea0300f5b82bfb3
  • Attributes
    • reg_key
      fc4dbf906d35a96ddea0300f5b82bfb3
    • splitter
      Y262SUCZ4UJJ

Extracted
  • Family
    asyncrat
  • Version
    XSSYE 1.0.8
  • Botnet
    Default
  • C2
    open.imgov.cn:8443
  • Mutex
    91e5d29b47a7d36802e6e1151434cd02
  • Attributes
    • delay
      30
    • install
      false
    • install_file
      1111game.exe
    • install_folder
      %AppData%
  • aes.plain

Extracted
  • Family
    raccoon
  • Botnet
    d1d6daf7a5018968dea23d67c142f047
  • C2
    http://5.255.103.158/
  • xor.plain

Extracted
  • Family
    laplas
  • C2
    clipper.guru
  • Attributes
    • api_key
      f9ff07c5a5e00d26196b3460b72ad41c90dbd24c7405de597560a9a72e3582dd

Extracted
  • Family
    snakekeylogger
  • Credentials

Extracted
  • Family
    erbium
  • C2
    http://77.73.133.53/cloud/index.php

Extracted
  • Family
    redline
  • Botnet
    Dozkey
  • C2
    91.212.166.17:47242
  • Attributes
    • auth_value
      c06f8f31502cdaf6d673db7589189fd5

Extracted
  • Family
    formbook
  • Version
    4.1
  • Campaign
    g28p
  • Decoy
    whhmgs.asia
    wellmedcaredirect.net
    beggarded.com
    wtpjiv.site
    todo-celulares.com
    parkitny.net
    43345.top
    pro-genie.com
    cwdxz.com
    cbc-inc.xyz
    healthspots.net
    rulil.top
    pyramidaudit.solutions
    k8sb15.live
    hempaware.report
    usclink.life
    stayefs.net
    05262.top
    shop-izakaya-jin.com
    iccworldcupnews.com

Extracted
  • Family
    tofsee
  • C2
    svartalfheim.top
    jotunheim.name

Targets

    • Target

      2022-10-24.zip

    • Formbook

      Formbook is an information-stealing malware family.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender notification settings

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Formbook payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect software protector.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (T1053): 1
  • Persistence
    Modify Existing Service (T1031): 4
    New Service (T1050): 1
    Scheduled Task (T1053): 1
  • Privilege Escalation
    New Service (T1050): 1
    Scheduled Task (T1053): 1
  • Defense Evasion
    Modify Registry (T1112): 4
    Disabling Security Tools (T1089): 3
    Virtualization/Sandbox Evasion (T1497): 1
  • Discovery
    Query Registry (T1012): 2
    Virtualization/Sandbox Evasion (T1497): 1
    System Information Discovery (T1082): 3
  • Command and Control
    Web Service (T1102): 1

Tasks