Overview

overview

10

Static

static

3

a.exe

windows10-1703-x64

10

Resubmissions

11-11-2023 08:23

231111-j96bfacf5s 10

08-11-2023 14:52

231108-r8x8facc5z 10

27-10-2023 03:52

231027-ee6lhabh8x 10

27-10-2023 03:51

231027-ee1p9abh8s 10

25-10-2023 10:35

231025-mm3htagf6y 10

23-10-2023 09:11

231023-k5l8fahc84 10

21-10-2023 11:53

231021-n2kf8aga32 10

21-10-2023 11:26

231021-njywwsfg64 10

20-10-2023 21:27

231020-1a8qysbe9t 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.exe

  • Size

    5KB

  • Sample

    231023-k5l8fahc84

  • MD5

    800a6337b0b38274efe64875d15f70c5

  • SHA1

    6b0858c5f9a2e2b5980aac05749e3d6664a60870

  • SHA256

    76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571

  • SHA512

    bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e

  • SSDEEP

    48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

Score
10/10
asyncratdjvuformbookredlinesmokeloaderxmrig@dominatorofmamontdefaultup3sy22backdoordiscoveryevasioninfostealerminerpersistenceransomwareratspywarestealerthemidatrojanupxvmprotect

Malware Config

Extracted

Family

redline

Botnet

@DominatorOfMamont

C2

vikaneleneer.shop:80

Attributes
  • auth_value

    37db34188c1a0ff5ee85cb5c06da0d81

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

89.23.100.93:4449

Mutex

oonrejgwedvxwse

Attributes
  • delay

    1

  • install

    true

  • install_file

    calc.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.1

Botnet

Default

C2

127.0.0.1:4449

20.211.121.138:4449
Mutex

udbyxlklndgyt

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Target

      a.exe

    • Size

      5KB

    • MD5

      800a6337b0b38274efe64875d15f70c5

    • SHA1

      6b0858c5f9a2e2b5980aac05749e3d6664a60870

    • SHA256

      76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571

    • SHA512

      bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e

    • SSDEEP

      48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

    Score
    10/10
    asyncratdjvuformbookredlinesmokeloaderxmrig@dominatorofmamontdefaultup3sy22backdoordiscoveryevasioninfostealerminerpersistenceransomwareratspywarestealerthemidatrojanupxvmprotect

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • Formbook payload

      rat

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Contacts a large (1431) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

File and Directory Permissions Modification

1
T1222

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Network Service Discovery

2
T1046

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks