Resubmissions

  Date              Sample ID           Score
  17-09-2023 21:42  230917-1kqywsfc99   10
  09-09-2023 02:55  230909-denv1sha92   10
  06-09-2023 17:13  230906-vrxr5aaa71   10
  13-08-2023 17:31  230813-v3xlhafe8v   10
  27-06-2023 12:47  230627-p1fx3sfa4w   10
  13-06-2023 16:07  230613-tklwlsgh96   10

General

  • Target

    a.zip

  • Size

    832B

  • Sample

    230909-denv1sha92

  • MD5

    10e578867faad166dc6a8f3868cef2f4

  • SHA1

    f541fab60d482834e90638c5aebdefe3d997174e

  • SHA256

    6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c

  • SHA512

    38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114

Malware Config

  • Extracted

    Family: aurora
    C2: 212.87.204.93:8081

  • Extracted

    Family: statusrecorder
    C2: 185.106.94.73

  • Extracted

    Family: formbook
    Version: 4.1
    Campaign: sy22
    Decoy:
      vinteligencia.com
      displayfridges.fun
      completetip.com
      giallozafferrano.com
      jizihao1.com
      mysticheightstrail.com
      fourseasonslb.com
      kjnala.shop
      mosiacwall.com
      vandistreet.com
      gracefullytouchedartistry.com
      hbiwhwr.shop
      mfmz.net
      hrmbrillianz.com
      funwarsztat.com
      polewithcandy.com
      ourrajasthan.com
      wilhouettteamerica.com
      johnnystintshop.com
      asgnelwin.com

Targets

    • Target

      a.zip

    • Size

      832B

    • MD5

      10e578867faad166dc6a8f3868cef2f4

    • SHA1

      f541fab60d482834e90638c5aebdefe3d997174e

    • SHA256

      6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c

    • SHA512

      38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Formbook

      Formbook is an information-stealing malware family.

    • Phemedrone

      An information and wallet stealer written in C#.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Status Recorder Stealer

      Status Recorder is a crypto stealer written in C++.

    • Formbook payload

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                         Count  ID
  Execution             Scripting                         1      T1064
  Persistence           Create or Modify System Process   1      T1543
  Persistence           Windows Service                   1      T1543.003
  Privilege Escalation  Create or Modify System Process   1      T1543
  Privilege Escalation  Windows Service                   1      T1543.003
  Defense Evasion       Impair Defenses                   1      T1562
  Defense Evasion       Scripting                         1      T1064
  Impact                Service Stop                      1      T1489

Tasks