Resubmissions
24-08-2023 11:16
230824-nda8msdf8z 1005-08-2023 22:52
230805-2tn2bsfa82 1024-07-2023 06:25
230724-g6s6laag35 1022-07-2023 15:57
230722-tee6wabg5w 1020-07-2023 23:19
230720-3bb5gsbf5v 1020-07-2023 23:06
230720-23f23sba63 1003-02-2021 11:43
210203-6bgge2nfan 1022-11-2020 06:42
201122-6x1at779dj 10General
-
Target
Downloads.rar
-
Size
184.3MB
-
Sample
230724-g6s6laag35
-
MD5
9e3e4dd2eca465797c3a07c0fa2254fe
-
SHA1
16ceee08c07179157b0fb6de04b7605360f34b20
-
SHA256
f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7
-
SHA512
f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746
-
SSDEEP
3145728:6CNdBnKJ7rjucWU6bfga3QgbgShgbgSwSonIyRNlIyN+c3Os:t+sJb/3Q4h4wLIy/r91
Malware Config
Extracted
zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
-
build_id
19
Extracted
revengerat
XDSDDD
84.91.119.105:333
RV_MUTEX-wtZlNApdygPh
Extracted
revengerat
Victime
cocohack.dtdns.net:84
RV_MUTEX-OKuSAtYBxGgZHx
Extracted
zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
-
build_id
103
Extracted
revengerat
samay
shnf-47787.portmap.io:47787
RV_MUTEX
Extracted
zloader
09/04
https://eoieowo.casa/wp-config.php
https://dcgljuzrb.pw/wp-config.php
-
build_id
140
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
-
build_id
131
Extracted
cobaltstrike
305419896
http://47.91.237.42:8443/__utm.gif
-
access_type
512
-
beacon_type
2048
-
host
47.91.237.42,/__utm.gif
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
8443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
-
watermark
305419896
Extracted
revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
RV_MUTEX
Extracted
revengerat
YT
yukselofficial.duckdns.org:5552
RV_MUTEX-WlgZblRvZwfRtNH
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted
njrat
0.7d
HacKed
srpmx.ddns.net:5552
c6c84eeabbf10b049aa4efdb90558a88
-
reg_key
c6c84eeabbf10b049aa4efdb90558a88
-
splitter
|'|'|
Extracted
njrat
0.7d
HACK
43.229.151.64:5552
6825da1e045502b22d4b02d4028214ab
-
reg_key
6825da1e045502b22d4b02d4028214ab
-
splitter
Y262SUCZ4UJJ
Targets
-
-
Target
Endermanch@CleanThis.exe
-
Size
618KB
-
MD5
a50fc0da1d2b3c4aa8a6adaccf69a5de
-
SHA1
e001f4043ab4be644ea10e0d65303d6e57b31ffe
-
SHA256
cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90
-
SHA512
4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b
-
SSDEEP
12288:EQIfqOiX9P/aazd1ctyDXHrJW2dGMToCRn5VxWRaqsrOkqgyQD:EQIydX/d1rTLRd/TvVUsrOkqFQD
Score10/10-
Modifies WinLogon for persistence
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
-
-
Target
Endermanch@ColorBug.exe
-
Size
53KB
-
MD5
6536b10e5a713803d034c607d2de19e3
-
SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7
-
SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de
-
SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018
-
SSDEEP
1536:ynqAKryDLrASOcRw52sjzIUK7RkYrJ2lrKX:SNdMT8Z8cX
Score6/10-
Adds Run key to start application
-
-
-
Target
Endermanch@DeriaLock.exe
-
Size
484KB
-
MD5
0a7b70efba0aa93d4bc0857b87ac2fcb
-
SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
-
SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
-
SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
SSDEEP
6144:lqHKx3YCgy8HmmjJpnVhvLqCO3bLinIz1wASx:lqHoyHNj/nVhvLcyII
Score7/10-
Drops startup file
-
-
-
Target
Endermanch@Deskbottom.exe
-
Size
461KB
-
MD5
c954b69e480950ad8f138bf8848c562c
-
SHA1
207c3f932d8ac66bc10e090a97c02ac07dbb68fa
-
SHA256
2f4bd27bffe3a5d1f541f1ee682d060316a0043312b35f18dfe5137efe8d7680
-
SHA512
e8bbce74a647939337df72c3ab29c320aeef2b6f0214d68768bc7da8262a978e6ed54f7b1aefadb394abc85518757acf8e8633a145c39cb3f712adf8561aeaa9
-
SSDEEP
12288:B3ITun1mejo8Hg+D3qn/SDoHD4TjuJZ8zmjlwFSH:yyn/0TOlGkOu2r
Score1/10 -
-
-
Target
Endermanch@DesktopPuzzle.exe
-
Size
239KB
-
MD5
2f8f6e90ca211d7ef5f6cf3c995a40e7
-
SHA1
f8940f280c81273b11a20d4bfb43715155f6e122
-
SHA256
1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6
-
SHA512
2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8
-
SSDEEP
3072:r/3qftCdbSFtY8Zf8pOk0rHitNWIekbnfFPsr24Cv/Eng9m3ihlCeKH6Fb6aX3WA:WoI/rC0k7ar68nimCYHe3qZr0SlC
Score1/10 -
-
-
Target
Endermanch@FakeAdwCleaner.exe
-
Size
190KB
-
MD5
248aadd395ffa7ffb1670392a9398454
-
SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
-
SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
-
SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
SSDEEP
3072:15TDpNFVbxDSXJFFGhcBR1WLZ37p73G8Wn7GlDOg+ELqdSxo5XtIZjnvxRJgghaR:157TcfFPB6B3GL7g+me5aZjn5VlI9T/
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
Endermanch@FreeYoutubeDownloader.exe
-
Size
396KB
-
MD5
13f4b868603cf0dd6c32702d1bd858c9
-
SHA1
a595ab75e134f5616679be5f11deefdfaae1de15
-
SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
-
SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
-
SSDEEP
12288:jANwRo+mv8QD4+0V16nkFkkk2kyW9EArjaccoH0qzh4:jAT8QE+kHW9EAr+fr4i
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
Endermanch@HMBlocker.exe
-
Size
48KB
-
MD5
21943d72b0f4c2b42f242ac2d3de784c
-
SHA1
c887b9d92c026a69217ca550568909609eec1c39
-
SHA256
2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180
-
SHA512
04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8
-
SSDEEP
768:xE09MOEzWGoOIx2qCZVZmj+Wg5VK2LDakrDZ5yS/wwHA49kszNAY1XKoJc4P1:t7w73bUNMMkrDry+6Ut
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
-
-
Target
Endermanch@HappyAntivirus.exe
-
Size
1.9MB
-
MD5
cb02c0438f3f4ddabce36f8a26b0b961
-
SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53
-
SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
-
SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
SSDEEP
49152:p/VoMTzwF77l0VqmuTefhLTtk31XyXb9:ptoMTzwVmq3ettk31ob9
Score1/10 -
-
-
Target
Endermanch@Illerka.C.exe
-
Size
378KB
-
MD5
c718a1cbf0e13674714c66694be02421
-
SHA1
001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
-
SHA256
cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
-
SHA512
ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
SSDEEP
1536:IM64RFcdoYicOWtlo4yJDsE4KmtZxq3/1d+DSaumOY6eeLnAGTpZspibfaSuOypE:IMJkoY9lpoaKm2vacPESu/wK3+
Score10/10-
UAC bypass
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks whether UAC is enabled
-
-
-
Target
Endermanch@InternetSecurityGuard.exe
-
Size
6.1MB
-
MD5
04155ed507699b4e37532e8371192c0b
-
SHA1
a14107131237dbb0df750e74281c462a2ea61016
-
SHA256
b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
-
SHA512
6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
-
SSDEEP
98304:hvOOFJ+Z8eAgy7SH9s76RSvyqJOBgECfMfYv+85JH0DVczt8A:hvOOFJ+ggr9s76R+wcMAv+IHCczt8
Score10/10-
UAC bypass
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Sets file execution options in registry
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Endermanch@Koteyka2.exe
-
Size
762KB
-
MD5
7734f0e56da17e9a5940fd782d739f9b
-
SHA1
4dfae67e40be6c4c83191ea0cf8d1b28afba884c
-
SHA256
8855299560183b57556d9714a2b958cdc6190fcdfb270633da2a47dfeee20015
-
SHA512
53d07938bafbcb9524cdba6d25e09fcdae128a83718ab686374f0526730e2e6380f60e3bf951601e48f6f8e64563c484ddd8baf9be2878a5ad393817028a9632
-
SSDEEP
12288:QFQBbdVT8tOkTAoJ/z4VXKSjUSQny+uuCj6rIuIenGgOqbzxpx+13tarWIp927q5:QOBbdVT8tOcJ/z4V5USQnypu26rweGgv
Score1/10 -
-
-
Target
Endermanch@LPS2019.exe
-
Size
1.1MB
-
MD5
2eb3ce80b26345bd139f7378330b19c1
-
SHA1
10122bd8dd749e20c132d108d176794f140242b0
-
SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
-
SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
-
SSDEEP
24576:pXhZgPlmWcA4Te9+g6+lET/+xRXKRwFSmjTGIWrwg:xInpSe99pCkRXKRMdGIWrN
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
Endermanch@Movie.mpeg.exe
-
Size
414KB
-
MD5
d0deb2644c9435ea701e88537787ea6e
-
SHA1
866e47ecd80da89c4f56557659027a3aee897132
-
SHA256
ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
-
SHA512
6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
-
SSDEEP
6144:BCoFAtv2DDWANPG4F0vwDsl6JEFiGUHzAB4lTa7tKzWNYRbvhLWxsqgyn:koOv2D60PLyvaJTT9Za7kziYD69g
Score7/10-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
Endermanch@NavaShield(1).exe
-
Size
9.7MB
-
MD5
1f13396fa59d38ebe76ccc587ccb11bb
-
SHA1
867adb3076c0d335b9bfa64594ef37a7e2c951ff
-
SHA256
83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
-
SHA512
82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
-
SSDEEP
196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd
Score3/10 -
-
-
Target
Endermanch@NavaShield.exe
-
Size
9.7MB
-
MD5
1f13396fa59d38ebe76ccc587ccb11bb
-
SHA1
867adb3076c0d335b9bfa64594ef37a7e2c951ff
-
SHA256
83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
-
SHA512
82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
-
SSDEEP
196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd
Score3/10 -
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
9Registry Run Keys / Startup Folder
8Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
9Registry Run Keys / Startup Folder
8Winlogon Helper DLL
1Abuse Elevation Control Mechanism
2Bypass User Account Control
2Defense Evasion
Modify Registry
14Abuse Elevation Control Mechanism
2Bypass User Account Control
2Impair Defenses
2Disable or Modify Tools
2Virtualization/Sandbox Evasion
1Pre-OS Boot
1Bootkit
1