General

  • Target

    malware.zip

  • Size

    75.2MB

  • Sample

    231013-cqynxsaf7z

  • MD5

    9c5d4fde9036434c02da795d079f0651

  • SHA1

    e57b24f74086c01f46b4d814688415c27a5e0068

  • SHA256

    ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c

  • SHA512

    1f956bf4f628553e88850d045cea9a5e09fb43c2a00b6311c4df2245535acfdaf6c5256ece4104df07ed9c69e15a033a2748ad2eaa4f17634ab6e8c32cffda0f

  • SSDEEP

    1572864:jO3K/oykFae+/XkNwJ3ncS9pLkFg4FR40rbvXFahEvRY/Qj:K3K/jkFLobLkl40PvXpK/q

Malware Config

Extracted

  • Family

    laplas

  • C2

    clipper.guru

  • Attributes

    api_key: 5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e

Extracted

  • Family

    rhadamanthys

  • C2

    http://195.3.223.120/blob/fullidao.tk
    http://195.3.223.120/blob/fulliano.tk
    http://195.3.223.120/blob/luciano.tk
    http://195.3.223.120/blob/gotto.tk

Extracted

  • Family

    aurora

  • C2

    185.239.239.194:8081

Extracted

  • Family

    agenttesla

  • C2

    https://discord.com/api/webhooks/1052047387167838281/ckxOZHqDK9Fs6wm9uehtyNosd3HZGLhQFPhbdBDnWi6cl945WnENSlc0bCmlN0xY5VHH

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://potunulit.org/
    http://hutnilior.net/
    http://bulimu55t.net/
    http://soryytlic4.net/
    http://novanosa5org.org/
    http://nuljjjnuli.org/
    http://tolilolihul.net/
    http://somatoka51hub.net/
    http://hujukui3.net/
    http://bukubuka1.net/
    http://golilopaster.org/
    http://newzelannd66.org/
    http://otriluyttn.org/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    amadey

  • Version

    3.86

  • C2

    http://45.9.74.182/b7djSDcPcZ/index.php

  • Attributes

    install_dir: f3f10bd848
    install_file: bstyoops.exe
    strings_key: 05986a1cda6dc6caabf469f27fb6c32d

  • rc4.plain

Targets

    • Target

      6523.exe

    • Size

      270KB

    • MD5

      2c64d25f93529b36cd27edfda1cac334

    • SHA1

      c5b203ecf73ee3f3ace7991b99ac3e4951767089

    • SHA256

      333303c7b9f0f951ddc68973cc187280287ecdf28dde13bf9f3dd60c572b0d69

    • SHA512

      802be998bacc7b47c50038c5fd28b24778e8d4729985966c9e174dcf89dfe75a16e1b03c41f2ccdd1554e4f260371865293af8abe3ca4f96f85e3f10c139e12f

    • SSDEEP

      3072:7sH37bKH3o0RzJwIu2PuuQcdsMcLK8egt:I37bK7RzJwIueuuQcH2Eg

    • Target

      Amdau.exe

    • Size

      3.2MB

    • MD5

      c3ee25c18f2c408c9054d9c6d4c1e147

    • SHA1

      80d2395709b713647b199c22fdec5415d3a68052

    • SHA256

      c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0

    • SHA512

      d91a1675ca9a2923020ce244d00da6a9b686240dc7ef50185709ecbc2f6b8f92c371ee94ec277a2d3b0e33704c532d2f8779b39ac9f630b9b40f0794312d72f4

    • SSDEEP

      24576:0cUe92VHXy4fv6hfZQGwSWF6r+tLq9rNE0TR5sTlcJxbTGX+tIonLiMjrWD:rt9L4p7GJEeR51TGX10LPjrWD

    Score
    10/10
    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      CLEP.exe

    • Size

      4.6MB

    • MD5

      2b3bff5880cb5d9ab44c302bd1047313

    • SHA1

      8cf83c7e71254a6ca5d40d58470897479c49e4c3

    • SHA256

      e65f40ce3d58d2634807945b468acf0fbc3f6b06631d499dcd99536ed4fae4bc

    • SHA512

      c3d46ca94eb85db7614f0c9ad57d5ab2afe380e5ae57b6967795d285936ee9133439010ddd3bd28267e203bb396062192cd3398092e2f37f46fa2be5aff426b4

    • SSDEEP

      49152:l7LFs2B0KVUUzpyZ9vAaE5FKY/t76oUz7UQqAOiyjrbsnHzvSP9rsvl/m9NjJTnP:RpsC/VyZpoUzJqTknTRQdXOY

    Score
    10/10
    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Executes dropped EXE

    • Target

      DCKA.exe

    • Size

      179KB

    • MD5

      cee44021a4841cf66516938c3b09cd3a

    • SHA1

      0e2d3a5f496f87ea41b0fe273332dee4b0988d9f

    • SHA256

      7d16edee6fbccf5bcb73691b8f69113f3e80c804d66b49e71be48ef21eea30b5

    • SHA512

      43e3a990b9a19f6890c1a86ddf41a59d2f42c3dd902dcd73ece9f6fcf4ffb9347b785a10ab0a7a9e0fc8c72ad14d31e2a90593dd585d3a1aee71b72208b5c4cb

    • SSDEEP

      3072:bwevYpKTDMDU3fuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8m+u3wB4HzlrzPOefxoEBK7

    Score
    10/10
    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Target

      DEV.exe

    • Size

      179KB

    • MD5

      9775295a19eff01e8ccb2d7f5702569d

    • SHA1

      8b069c942631ac9b642031005ba20f03324ecc84

    • SHA256

      7aadc76471387981789a8aa1d2c34ed48b79f84febe3160feea5f32c4aaaceb7

    • SHA512

      fdc7ce7da4ca98aa67ea9652c13e1d316f4bad8f7ae07224754fdffc559fd93b3e5488aa13e622610c7b3db22261183bffedccde6a76147e5cfc898a0b5a3733

    • SSDEEP

      3072:bwevYpKTDMDUjfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8mCu3wB4HzlrzPOefxoEBK7

    Score
    10/10
    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Target

      DEVMin.exe

    • Size

      3.6MB

    • MD5

      279c66b28f19a510ad6c0f155871fac3

    • SHA1

      427bcf049de4b9a848593463e0f36265baa6164c

    • SHA256

      ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

    • SHA512

      f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

    • SSDEEP

      98304:JHmeIFVx0/o2Jrd9o2oNiN0KL5Zm2kVehky:DIFVxQJM2eRZfQhky

    Score
    10/10
    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops file in Drivers directory

    • Stops running service(s)

    • Deletes itself

    • Drops file in System32 directory

    • Target

      DevSt.exe

    • Size

      2.9MB

    • MD5

      97824a1a018a194220866d5548eeff95

    • SHA1

      35538496cf8c2761fc44f2d5f58882cda4d78400

    • SHA256

      07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

    • SHA512

      754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

    • SSDEEP

      49152:WW32/5/uXfOGcCwXwJeAqyKWJBafsL6M8Aoek1t:UsXW3wJrq2Ld8Ai

    Score
    1/10
    • Target

      Documents-EnemyFrauz.exe

    • Size

      1.1MB

    • MD5

      a490f1848b792df4dc37c9e1b200578d

    • SHA1

      f862b1f3460aafd54b1159b2a180f70e6b3d8d21

    • SHA256

      b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e

    • SHA512

      1e9a492976d2c80acd7cebfa8ca8fba55c3a9cb71ecf12a5c29e648f6fcc0d9d41930a33964c6b85ecbc96150a25dcc08578da5d2e0dd509d370256d4d20f268

    • SSDEEP

      24576:mDXdMCbh0lhSMXlPFN3RFEuHhra2oQfKhBdY7O8gz/7:mBMPt/G29fKhBdYy8ij

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      IqXYLXKzl6.exe

    • Size

      17KB

    • MD5

      076569d51c616ec2446a2e6b85205764

    • SHA1

      e66ed4fd01550e7fef7fe4b6b4d57aaaf1109c11

    • SHA256

      754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

    • SHA512

      cb11acacb7c5d73b84e01fe54d7c2b1ccba60c76b1c0aa5561d7482e598716f9228ef21690a85fcdf797c181cc44d6bcc7f0734d357bdac1b14d7ebc2e24162a

    • SSDEEP

      384:GWeOtTbX4sJStS77uBLbt+B6a2CaneFrmbSEM1+TAVDxfEHufIJzJf:HetAidANFAA36uwJzJf

    Score
    1/10
    • Target

      LEMON.exe

    • Size

      179KB

    • MD5

      6d5f74f263d5ab9b0e3315b495eb72d5

    • SHA1

      356f4e0a47151992426c425665d0382eb396a093

    • SHA256

      91ae44bd5a35834354cc69c2e04f9260cbf7025d18ec59af558f4213b81d7403

    • SHA512

      0fdb51ca3d04be5b82a5d5eb67ec9fe7ca02e3fbced6a1cd95224aa074dfcf3cabf101d7fa4f5d369a0f837ef3caf04ac96f12eada09ec834f7e244f5572afd1

    • SSDEEP

      3072:bwevYpKTDMDUKfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8mlu3wB4HzlrzPOefxoEBK7

    Score
    10/10
    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Target

      LIMMin.exe

    • Size

      3.6MB

    • MD5

      d0525e69e54066d5b3764acefd16a754

    • SHA1

      513304e7eca83acedad4655a135a6f4c2c1f4aed

    • SHA256

      d700f47bdc52906c398c026b3ac69382fb012434f7a6967323ede937af1658ce

    • SHA512

      b958797b913b1860daa2cdf4f6741835042e170fea4c4b5f3ae61432a9e24054dbcd40dbc4871d19b12d3f40d90523490caa37e6152d66850c05f18b7d738f03

    • SSDEEP

      98304:vKNU8zvQiW+xPSCcgu3ebV6GDRjar2H2wKr3:avhWXrycG1jamKr3

    Score
    10/10
    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops file in Drivers directory

    • Stops running service(s)

    • Deletes itself

    • Drops file in System32 directory

    • Target

      LIMSt.exe

    • Size

      2.9MB

    • MD5

      b26439eb7f5e2a7f1e2dabcfa8e3a7b1

    • SHA1

      4c4ca12b90e83e563408557e028580dd43b56975

    • SHA256

      47a40add511868171afab04d336c6120be951799b6230fdbd581e6469e1a088e

    • SHA512

      4d6fedbafd7f6ca7b0a3b9bf0162cd1d607098e82e474cca971fd828f1d0d4c9a1a00811583abd11d93b76f39972abbe7e6fae6b633c0062befc3d93612b0a5f

    • SSDEEP

      49152:EW32/5cuXfOG+CwXxDebqytiJCaLsL6M8Aoek1d:anXWRxDQqCLd8AK

    Score
    1/10
    • Target

      LK2.exe

    • Size

      179KB

    • MD5

      27e018559bc0216c98fb188d3a3a8209

    • SHA1

      d0b477cf1d81182a2c0357432bd6b3e7a2bc43d4

    • SHA256

      563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c

    • SHA512

      8ce3eccbef889189bebf0fd5cf36c257e4eba8344dc87d95d944718fd9bb16a833e951304420db0c46a9f4a8d050090b2758b709b5bacc47ed27b9a133b7e6be

    • SSDEEP

      3072:bwevYpKTDMDUqfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8mlu3wB4HzlrzPOefxoEBK7

    Score
    10/10
    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Target

      NINJA.exe

    • Size

      817KB

    • MD5

      9e870f801dd759298a34be67b104d930

    • SHA1

      c770dab38fce750094a42b1d26311fe135e961ba

    • SHA256

      6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

    • SHA512

      f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

    • SSDEEP

      24576:5sGzuMNu2HWJD2U1zANRGTfllqapvYaqom:5tLezwRW3vJ

    Score
    7/10
    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      PolymodXT.exe

    • Size

      550KB

    • MD5

      c7692b713225ebf0138f3e93ea1e6fa6

    • SHA1

      0c0181326a0a91a7622a582470c317766a29a9d5

    • SHA256

      2f67f590cabb9c79257d27b578d8bf9d1a278afa96b205ad2b4704e7b9a87ca7

    • SHA512

      b492fb9918154082715a54a9436bbfd78f3cb1c5036a44857034a4a93498c634a19840af93e15fe1a283da285f1f806824e657660139215fb5f26024ab365778

    • SSDEEP

      12288:8l1DS0q8hoY1IWt6HTZ/QeMK2pOtOOugi7YZb9MaCs64vPtz6JERgpptZigfScUo:k1DSCt6qhKxO

    Score
    10/10
    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Target

      UM.exe

    • Size

      2.0MB

    • MD5

      ff7712b5d2dcafd6b9c775eecc8266a1

    • SHA1

      a11c9bd80f1c80f057517fc555fcf9b53c327302

    • SHA256

      51d0be1366d229621051abb5df81316256c997c46265be8c9fb6b6b01fd1ccb1

    • SHA512

      a8dbf46d54d80dd206c61007c668bd93a00a4d8b35937cfdf1b723d69484bc6230763a0cd73b602e58392a0b6814c8143877b479709fd6ab03ea98eda61c0edf

    • SSDEEP

      24576:Q1ZRQOCf1lwVKwZJ/g9zNCehkmWIUB+AzLXalEk1XgTQCQIIKY12ZvxjtXI/cMRW:FOCd4GdAB1d4DfUz5kGrr

    Score
    10/10
    • Detects LgoogLoader payload

    • LgoogLoader

      A downloader capable of dropping and executing other malware families.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 4

Persistence

  • Scheduled Task/Job (T1053): 4

  • Create or Modify System Process (T1543): 4

  • Windows Service (T1543.003): 4

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Scheduled Task/Job (T1053): 4

  • Create or Modify System Process (T1543): 4

  • Windows Service (T1543.003): 4

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 3

  • Impair Defenses (T1562): 2

Discovery

  • Query Registry (T1012): 5

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 4

Impact

  • Service Stop (T1489): 2

Tasks

  • static1: rat, laplas, rhadamanthys, aurora, dcrat, agenttesla; Score 10/10

  • behavioral1: smokeloader, backdoor, trojan; Score 10/10

  • behavioral2: smokeloader, backdoor, trojan; Score 10/10

  • behavioral3: amadey, trojan; Score 10/10

  • behavioral4: amadey, trojan; Score 10/10

  • behavioral5: laplas, clipper, stealer; Score 10/10

  • behavioral6: laplas, clipper, stealer; Score 10/10

  • behavioral7: rhadamanthys, stealer; Score 10/10

  • behavioral8: rhadamanthys, stealer; Score 10/10

  • behavioral9: rhadamanthys, stealer; Score 10/10

  • behavioral10: rhadamanthys, stealer; Score 10/10

  • behavioral11: evasion; Score 10/10

  • behavioral12: evasion; Score 10/10

  • behavioral13: Score 1/10

  • behavioral14: Score 1/10

  • behavioral15: Score 7/10

  • behavioral16: Score 5/10

  • behavioral17: Score 1/10

  • behavioral18: Score 1/10

  • behavioral19: rhadamanthys, stealer; Score 10/10

  • behavioral20: rhadamanthys, stealer; Score 10/10

  • behavioral21: evasion; Score 10/10

  • behavioral22: evasion; Score 10/10

  • behavioral23: Score 1/10

  • behavioral24: Score 1/10

  • behavioral25: rhadamanthys, stealer; Score 10/10

  • behavioral26: rhadamanthys, stealer; Score 10/10

  • behavioral27: persistence; Score 7/10

  • behavioral28: persistence; Score 7/10

  • behavioral29: Score 10/10

  • behavioral30: Score 10/10

  • behavioral31: lgoogloader, downloader; Score 10/10

  • behavioral32: lgoogloader, downloader; Score 10/10