Resubmissions

28-10-2023 17:05  231028-vlv2caeb35  Score 10
28-10-2023 17:04  231028-vln8sscd9w  Score 10
28-10-2023 16:52  231028-vdn8tsea66  Score 10

General

  • Target: Anti Malware VS Malware Document.zip
  • Size: 118.1MB
  • Sample: 231028-vdn8tsea66
  • MD5: 10381c0010548265a31da2da6f1611a3
  • SHA1: 3f188fdca7ce79f014b3efa00b1707fb60664e72
  • SHA256: 8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059
  • SHA512: 30925324113e0bc692d38c44196b5fa78c1bdff449d361a011ab5f86ee09299071769691da1200a750a55e182e432907a58ada4c36de83ad60e6e2f2aead5445
  • SSDEEP: 3145728:WcNV0c+BBchhJJnsNmDuzn2dOYIwWDB0tg:WcNqcAuD3gTY6wlg
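Before pivoting on a report like this, confirm that the file on your own disk is the same sample by recomputing the digests listed above, and hash the members of the archive separately, since the reported hashes cover the 118 MB container and not the payloads the sandbox actually ran. The script below is an added example written for this page, not the sandbox's own code: the archive it builds is a constructed stand-in (a tiny MZ-headed blob plus a decoy text file), so it will report every digest as a mismatch against the values above; point `digest_stream` at the real file to get a true comparison. The SSDEEP fuzzy hash is not recomputed because it needs the non-stdlib `ssdeep` module.

```python
"""Verify a local sample against the digests in this report and hash the archive members."""
import hashlib
import io
import zipfile

# Digests copied from the General section of this report.
REPORTED = {
    "md5": "10381c0010548265a31da2da6f1611a3",
    "sha1": "3f188fdca7ce79f014b3efa00b1707fb60664e72",
    "sha256": "8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059",
    "sha512": "30925324113e0bc692d38c44196b5fa78c1bdff449d361a011ab5f86ee09299071769691"
              "da1200a750a55e182e432907a58ada4c36de83ad60e6e2f2aead5445",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(stream, chunk_size=1 << 20):
    """Read a file-like object once, feeding every chunk to all four hashers (large-file safe)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper for in-memory data."""
    return digest_stream(io.BytesIO(data))


def mismatches(actual, reported):
    """Return the names of the algorithms whose digest differs from the report (case-insensitive)."""
    return [name for name in ALGORITHMS if actual[name].lower() != reported[name].lower()]


def digest_zip_members(data):
    """Map member name -> digests for every regular file in an in-memory ZIP.

    Member names that start with a separator or contain '..' are rejected so a crafted
    archive cannot steer a later extraction outside the working directory.
    """
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.startswith(("/", "\\")) or ".." in info.filename.split("/"):
                raise ValueError(f"unsafe member name: {info.filename!r}")
            with zf.open(info) as member:
                out[info.filename] = digest_stream(member)
    return out


def build_constructed_archive(payload_name="Anti Malware VS Malware Document.exe"):
    """Constructed stand-in for the sample archive (not the real file): an MZ-headed blob and a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(payload_name, b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"constructed decoy")
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_constructed_archive()
    print("container digests differing from report:", mismatches(digest_bytes(blob), REPORTED))
    for name, digests in digest_zip_members(blob).items():
        print(name, digests["sha256"])
```

Feeding the four hashers from one pass over the stream matters for a sample of this size; hashing the archive four times separately is the usual mistake.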

Malware Config

Extracted
  Family: smokeloader
  Botnet: pub1

Extracted
  Family: smokeloader
  Version: 2022
  C2:
    http://77.91.68.29/fks/
    http://onualituyrs.org/
    http://sumagulituyo.org/
    http://snukerukeutit.org/
    http://lightseinsteniki.org/
    http://liuliuoumumy.org/
    http://stualialuyastrelia.net/
    http://kumbuyartyty.net/
    http://criogetikfenbut.org/
    http://tonimiuyaytre.org/
    http://tyiuiunuewqy.org/
  rc4.i32: 4 entries (key values not shown in this report)

Extracted
  Family: formbook
  Version: 4.1
  Campaign: 4hc5
  Decoy:
    amandaastburyillustration.com
    7141999.com
    showshoe.info
    sagemarlin.com
    lithuaniandreamtime.com
    therenixgroupllc.com
    avalialooks.shop
    vurporn.com
    lemmy.systems
    2816goldfinch.com
    pacersun.com
    checktrace.com
    loadtransfer.site
    matsuri-jujutsukaisen.com
    iontrapper.science
    5108010.com
    beidixi.com
    21305599.com
    peakvitality.fitness
    osisfeelingfee.com

Extracted
  Family: formbook
  Version: 4.1
  Campaign: t6tg
  Decoy:
    dwolfgang.com
    changeandcourse.com
    sonexhospitallimited.com
    izeera.com
    7m9.lat
    fem-studio.com
    santocielostore.com
    0xinxg7e50de2n7q2z.site
    ssongg13026.cfd
    promushealth.com
    g7bety.com
    molinoelvinculo.com
    smallthingteamwork.world
    zewagripro.shop
    adam-automatik.com
    raquelaranibar.com
    aigeniusink.com
    maddirazoki.com
    nextino.app
    verbenashungary.com

Extracted
  Family: lokibot
  C2:
    http://davinci.kalnet.top/_errorpages/davinci/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Extracted
  Family: agenttesla
  Credentials: (not captured in this report)

Extracted
  Family: loaderbot
  C2:
    http://185.236.76.77/cmd.php

Targets

    • Target: Anti Malware VS Malware Document.zip
    • Size: 118.1MB
    • MD5: 10381c0010548265a31da2da6f1611a3
    • SHA1: 3f188fdca7ce79f014b3efa00b1707fb60664e72
    • SHA256: 8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059
    • SHA512: 30925324113e0bc692d38c44196b5fa78c1bdff449d361a011ab5f86ee09299071769691da1200a750a55e182e432907a58ada4c36de83ad60e6e2f2aead5445
    • SSDEEP: 3145728:WcNV0c+BBchhJJnsNmDuzn2dOYIwWDB0tg:WcNqcAuD3gTY6wlg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic).

    • Detect ZGRat V1

    • Formbook

      Formbook is an information stealer that harvests credentials and form data from browsers and other applications (form-grabbing and keylogging).

    • LoaderBot

      LoaderBot is a .NET loader that downloads and executes cryptocurrency miners.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2011.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Formbook payload

    • LoaderBot executable

    • Downloads MZ/PE file

    • Stops running service(s)

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port (53) to servers other than the configured DNS servers was detected.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to discover the infected system's external IP address.
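The extracted configs above (SmokeLoader, Lokibot and LoaderBot C2s) and the two network signatures at the end of the list ("Unexpected DNS network traffic destination", "Looks up external IP address via web service") translate directly into detection logic. The script below is an added example for this page, not code from the sandbox or from any of the malware families: it builds an IOC table from the C2 URLs listed in this report and runs that table, the DNS-destination check and the IP-lookup check over a handful of constructed flow records. The configured resolver, the list of IP-lookup hosts, the events and the ".../fre.php" gate-path heuristic for Lokibot panels are assumptions and would be tuned to your environment.

```python
"""Match constructed network events against the C2s extracted in this report."""
from urllib.parse import urlparse

# C2 URLs copied from the Malware Config section of this report.
SMOKELOADER_C2 = [
    "http://77.91.68.29/fks/",
    "http://onualituyrs.org/",
    "http://sumagulituyo.org/",
    "http://snukerukeutit.org/",
    "http://lightseinsteniki.org/",
    "http://liuliuoumumy.org/",
    "http://stualialuyastrelia.net/",
    "http://kumbuyartyty.net/",
    "http://criogetikfenbut.org/",
    "http://tonimiuyaytre.org/",
    "http://tyiuiunuewqy.org/",
]
LOKIBOT_C2 = [
    "http://davinci.kalnet.top/_errorpages/davinci/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
LOADERBOT_C2 = ["http://185.236.76.77/cmd.php"]

# Assumed: the resolver the analysis VM is configured to use (placeholder value).
CONFIGURED_DNS = {"10.0.0.1"}
# Assumed: an illustrative, non-exhaustive list of public external-IP lookup services.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ip-api.com"}


def build_ioc_table(configs):
    """Map each C2 hostname or literal IP to (family, path) from {family: [urls]}."""
    table = {}
    for family, urls in configs.items():
        for url in urls:
            parsed = urlparse(url)
            table[parsed.hostname.lower()] = (family, parsed.path)
    return table


def classify_event(event, iocs):
    """Return the tags that fire for one event.

    event keys: proto ('udp'/'tcp'), dst (destination IP), dport (int), optional host
    (DNS query name, SNI or Host header) and optional path (HTTP request path).
    """
    tags = []
    host = (event.get("host") or "").lower()
    path = event.get("path") or ""
    # Signature: DNS-port traffic to anything but the configured resolver.
    if event["dport"] == 53 and event["dst"] not in CONFIGURED_DNS:
        tags.append("unexpected_dns_destination")
    # Extracted-config hit on either the name being resolved/contacted or the literal IP.
    for key in (host, event["dst"]):
        if key in iocs:
            tags.append(f"c2:{iocs[key][0]}")
            break
    # Assumed heuristic: Lokibot panels are reached through a '.../fre.php' gate, so the
    # path alone is worth a lower-confidence tag when the host is not in the config.
    if path.endswith("/fre.php") and "c2:lokibot" not in tags:
        tags.append("lokibot_gate_path")
    # Signature: external IP discovery through a public lookup service.
    if host in IP_LOOKUP_HOSTS:
        tags.append("external_ip_lookup")
    return tags


def scan(events, iocs):
    """Return [(index, tags)] for every event that triggered at least one tag."""
    return [(i, classify_event(ev, iocs)) for i, ev in enumerate(events)
            if classify_event(ev, iocs)]


IOCS = build_ioc_table({"smokeloader": SMOKELOADER_C2,
                        "lokibot": LOKIBOT_C2,
                        "loaderbot": LOADERBOT_C2})

# Constructed events for illustration, not a real capture from this sample.
EVENTS = [
    {"proto": "udp", "dst": "10.0.0.1", "dport": 53, "host": "onualituyrs.org"},
    {"proto": "udp", "dst": "1.1.1.1", "dport": 53, "host": "example.com"},
    {"proto": "tcp", "dst": "77.91.68.29", "dport": 80, "host": "77.91.68.29", "path": "/fks/"},
    {"proto": "tcp", "dst": "198.51.100.7", "dport": 80, "host": "api.ipify.org", "path": "/"},
    {"proto": "tcp", "dst": "203.0.113.9", "dport": 80, "host": "unknown-panel.example", "path": "/alien/fre.php"},
    {"proto": "tcp", "dst": "192.0.2.10", "dport": 443, "host": "update.example.net", "path": "/"},
]

if __name__ == "__main__":
    for index, tags in scan(EVENTS, IOCS):
        print(index, EVENTS[index].get("host"), tags)
```

Note that the first constructed event fires even though the DNS query went to the configured resolver: matching the query name against the extracted C2 list catches the resolution step, which is usually the earliest observable beacon.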

MITRE ATT&CK Matrix ATT&CK v13

Tactic                Technique                                     Count  ID
Execution             Scheduled Task/Job                            1      T1053
Execution             Command and Scripting Interpreter             1      T1059
Persistence           Create or Modify System Process               1      T1543
Persistence           Windows Service                               1      T1543.003
Persistence           Scheduled Task/Job                            1      T1053
Privilege Escalation  Create or Modify System Process               1      T1543
Privilege Escalation  Windows Service                               1      T1543.003
Privilege Escalation  Scheduled Task/Job                            1      T1053
Defense Evasion       Impair Defenses                               1      T1562
Defense Evasion       File and Directory Permissions Modification   1      T1222
Discovery             Query Registry                                3      T1012
Discovery             System Information Discovery                  3      T1082
Command and Control   Web Service                                   1      T1102
Impact                Service Stop                                  1      T1489

Tasks