General

  • Target

    a.exe

  • Size

    5KB

  • Sample

    230908-1tmmtsff28

  • MD5

    fd3f7d8082b7cddb0e20ad1e8fd5d285

  • SHA1

    ff51a1c5cab13afe0178163b2b9d60e49c799b74

  • SHA256

    7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9

  • SHA512

    166a2e743346bd5016b36278fb4bae0a96f86ce920ebae777baada95be887b679f5360de914c0563828dc2eadf2c091564c9f5cb05de32bd7f3b252a6f53deaa

  • SSDEEP

    48:6AtGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/IL/cpwOulavTqXSfbNtm:RIUiqtaJkeqDUtfcpmsvNzNt

Malware Config

  • Extracted
    Language: ps1
    Deobfuscated URLs (ps1.dropper): http://80.66.79.27/o.png

  • Extracted
    Family: aurora
    C2: 212.87.204.93:8081

  • Extracted
    Family: statusrecorder
    C2: 185.106.94.73

  • Extracted
    Family: formbook
    Version: 4.1
    Campaign: sy22
    Decoy:

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.

    • Detects Gurcu Stealer V3 payload

    • Detects Healer, an antivirus-disabler dropper

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Formbook

      Formbook is data-stealing malware.

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Healer

      Healer is an antivirus-disabler dropper.

    • Phemedrone

      An information and wallet stealer written in C#.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Status Recorder Stealer

      Status Recorder is a crypto stealer written in C++.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Formbook payload

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique ID and, in parentheses, the number of hits.

Execution

  • Scripting: T1064 (1)
  • Scheduled Task/Job: T1053 (1)
  • Command and Scripting Interpreter: T1059 (1)

Persistence

  • Create or Modify System Process: T1543 (1)
  • Windows Service: T1543.003 (1)
  • Scheduled Task/Job: T1053 (1)

Privilege Escalation

  • Create or Modify System Process: T1543 (1)
  • Windows Service: T1543.003 (1)
  • Scheduled Task/Job: T1053 (1)

Defense Evasion

  • Impair Defenses: T1562 (1)
  • File and Directory Permissions Modification: T1222 (1)
  • Scripting: T1064 (1)

Credential Access

  • Unsecured Credentials: T1552 (1)
  • Credentials In Files: T1552.001 (1)

Discovery

  • System Information Discovery: T1082 (2)
  • Remote System Discovery: T1018 (1)

Collection

  • Data from Local System: T1005 (1)

Command and Control

  • Web Service: T1102 (1)

Impact

  • Service Stop: T1489 (1)

Tasks