Overview

overview

10

Static

static

3

a.exe

windows10-1703-x64

10

Resubmissions

11-11-2023 08:23

231111-j96bfacf5s 10

08-11-2023 14:52

231108-r8x8facc5z 10

27-10-2023 03:52

231027-ee6lhabh8x 10

27-10-2023 03:51

231027-ee1p9abh8s 10

25-10-2023 10:35

231025-mm3htagf6y 10

23-10-2023 09:11

231023-k5l8fahc84 10

21-10-2023 11:53

231021-n2kf8aga32 10

21-10-2023 11:26

231021-njywwsfg64 10

20-10-2023 21:27

231020-1a8qysbe9t 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.exe

  • Size

    5KB

  • Sample

    231027-ee1p9abh8s

  • MD5

    800a6337b0b38274efe64875d15f70c5

  • SHA1

    6b0858c5f9a2e2b5980aac05749e3d6664a60870

  • SHA256

    76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571

  • SHA512

    bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e

  • SSDEEP

    48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

Score
10/10
amadeyformbookloaderbotlokibotredlinesmokeloaderstealczgratkinza4hc5sy22backdoordiscoveryevasioninfostealerloaderminerpersistenceratspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

loaderbot

C2

http://185.236.76.77/cmd.php

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Extracted

Family

stealc

rc4.plain

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

formbook

Version

4.1

Campaign

4hc5

Decoy

amandaastburyillustration.com

7141999.com

showshoe.info

sagemarlin.com

lithuaniandreamtime.com

therenixgroupllc.com

avalialooks.shop

vurporn.com

lemmy.systems

2816goldfinch.com

pacersun.com

checktrace.com

loadtransfer.site

matsuri-jujutsukaisen.com

iontrapper.science

5108010.com

beidixi.com

21305599.com

peakvitality.fitness

osisfeelingfee.com

Extracted

Family

lokibot

C2

http://davinci.kalnet.top/_errorpages/davinci/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      a.exe

    • Size

      5KB

    • MD5

      800a6337b0b38274efe64875d15f70c5

    • SHA1

      6b0858c5f9a2e2b5980aac05749e3d6664a60870

    • SHA256

      76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571

    • SHA512

      bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e

    • SSDEEP

      48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

    Score
    10/10
    amadeyformbookloaderbotlokibotredlinesmokeloaderstealczgratkinza4hc5sy22backdoordiscoveryevasioninfostealerloaderminerpersistenceratspywarestealerthemidatrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect ZGRat V1

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Formbook payload

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • LoaderBot executable

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Scripting

1
T1064

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

6
T1012

Remote System Discovery

1
T1018

System Information Discovery

6
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks