General

  • Target

    2023-08-17-18.zip

  • Size

    65.4MB

  • Sample

    230817-ydgersed3v

  • MD5

    e989e0c721a60d4e1eb0c06214bd4582

  • SHA1

    cce7ee0dc97c078c1206598e5a2a12dbd7510ee9

  • SHA256

    e33f116c4d031b092c1aa75e0cb68b5db4e362739a6b41c27475c3a0ddb32b3a

  • SHA512

    13ff605cafaee947c28309b31a852fac8965a161bc7f8837dd70e5c8e8ee10935663d2ec7198952670b0b55ec6fbd7e678004be811d929a328aa26a31a74beb7

  • SSDEEP

    1572864:Qf79S6fYpAV7OKRyWIoHRb7EX2oPS37BGMXWT8HC/u:Qf7iAVqKRyW9HR7zLBG7T0yu

Malware Config

Extracted

Family

amadey

Version

S-%lu-

C2

77.91.68.18/nice/index.php

3.87/nice/index.php

Extracted

Language

ps1

Source URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

exe.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

Extracted

Family

warzonerat

C2

chongmei33.publicvm.com:49746

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Formbook

      Formbook is a data-stealing malware.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Formbook payload

    • Warzone RAT payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
