Resubmissions

  • 28-10-2023 17:05  231028-vlv2caeb35  10
  • 28-10-2023 17:04  231028-vln8sscd9w  10
  • 28-10-2023 16:52  231028-vdn8tsea66  10

General

  • Target: Anti Malware VS Malware Document.zip
  • Size: 118.1MB
  • Sample: 231028-vlv2caeb35
  • MD5: 10381c0010548265a31da2da6f1611a3
  • SHA1: 3f188fdca7ce79f014b3efa00b1707fb60664e72
  • SHA256: 8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059
  • SHA512: 30925324113e0bc692d38c44196b5fa78c1bdff449d361a011ab5f86ee09299071769691da1200a750a55e182e432907a58ada4c36de83ad60e6e2f2aead5445
  • SSDEEP: 3145728:WcNV0c+BBchhJJnsNmDuzn2dOYIwWDB0tg:WcNqcAuD3gTY6wlg

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: t6tg
  • Decoy:

Extracted

  • Family: loaderbot
  • C2: http://185.236.76.77/cmd.php

Extracted

  • Family: smokeloader
  • Botnet: pub1

Extracted

  • Family: agenttesla
  • Credentials:
      Protocol: smtp
      Host: mail.greentnd.com
      Port: 587
      Username: purchase1@greentnd.com
      Password: xAu^5p6BT2vcelhn
      Email To: ncho@remedica-cy.com

Targets


    • AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • Detect ZGRat V1
    • Formbook: Formbook is a data-stealing malware family.
    • LoaderBot: LoaderBot is a .NET loader that downloads and executes miners.
    • PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • SmokeLoader: Modular backdoor trojan in use since 2014.
    • Vidar: Vidar is an infostealer based on Arkei stealer.
    • ZGRat: ZGRat is a remote access trojan written in C#.
    • Formbook payload
    • LoaderBot executable
    • Downloads MZ/PE file
    • Modifies Windows Firewall
    • Stops running service(s)
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file: Detects executables packed with UPX or a modified UPX open-source packer.
    • Unexpected DNS network traffic destination: Network traffic on the DNS port to servers other than the configured DNS servers was detected.
    • VMProtect packed file: Detects executables packed with the commercial VMProtect packer.
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                          ID         Count
  Execution             Scheduled Task/Job                 T1053      1
  Execution             Command and Scripting Interpreter  T1059      1
  Persistence           Create or Modify System Process    T1543      2
  Persistence           Windows Service                    T1543.003  2
  Persistence           Scheduled Task/Job                 T1053      1
  Privilege Escalation  Create or Modify System Process    T1543      2
  Privilege Escalation  Windows Service                    T1543.003  2
  Privilege Escalation  Scheduled Task/Job                 T1053      1
  Defense Evasion       Impair Defenses                    T1562      1
  Defense Evasion       Hide Artifacts                     T1564      1
  Defense Evasion       Hidden Files and Directories       T1564.001  1
  Discovery             Query Registry                     T1012      2
  Discovery             Peripheral Device Discovery        T1120      1
  Discovery             System Information Discovery       T1082      3
  Discovery             Remote System Discovery            T1018      1
  Command and Control   Web Service                        T1102      1
  Impact                Service Stop                       T1489      1
