Resubmissions

06-11-2023 19:37

231106-ybwfxadf81 10

06-11-2023 19:33

231106-x9tjjadf4z 10

06-11-2023 16:18

231106-tr58tscc9y 10

General

  • Target

    1106.zip

  • Size

    29.5MB

  • Sample

    231106-x9tjjadf4z

  • MD5

    4f9569a30d64acc637466bf9e6fd3ee3

  • SHA1

    400d2dd7f83ce4f8c2f4b635974ad1a627126e2f

  • SHA256

    871978fb97af5fca44a98714b79a3e86dfdb468eed6980dadc7f2bf7e5bf1aaa

  • SHA512

    ada7c51fe5cec1498dcfe684079d8149001e62e132668184ee8f6e44380a687089d965036fca54bf9c47b9e694bbd04a128bf363c719d66d15a515280ceb95f0

  • SSDEEP

    786432:spTkpJnaPfNUivIaAPXUXsvh7UG2gD5kpJnaPMkC4e:sxkujOUsviG2uke+

Malware Config

Extracted

Family

metasploit

Version

windows/exec

Extracted

Family

njrat

Version

v2.0

Botnet

Hi can you give money

C2

172.94.4.171:7772

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Extracted

Family

stealc

C2

http://91.215.85.189

Attributes
  • url_path

    /43851895e447afd7.php

rc4.plain

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    cash@com12345cash@com12345

Extracted

Family

warzonerat

C2

103.212.81.154:6028

Targets

    • Target

      1106-01-Redline.exe

    • Size

      390KB

    • MD5

      b21b03838b19d9312b8347926cba7b4f

    • SHA1

      23586801006ce4aac996958897c068eca3940221

    • SHA256

      30546f4ba8084cfa8e2b379e6dfee8700c00d6a194417fba874814cbf94dfc85

    • SHA512

      7bd791337408ee3002f9149e0dc4ad089daecddeeeef446711dcb9628993a22114fea29604b415667122aef30ad75753a984df0b8309fe8363d68cbfc5d6c209

    • SSDEEP

      6144:kz2K5o2F93z2rnTUX75zZ2OU7PBCksQNZZGq1cpF2lpO3y:DgoPrcwlZxNnGq1i2lp7

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Detected potential entity reuse from brand microsoft.

    • Target

      1106-02-Stealc.exe

    • Size

      256KB

    • MD5

      189736b36bdf727a34cf673e7797823b

    • SHA1

      a3ea45dd1d9fdbaf19c5197ee6515c78168bc4b9

    • SHA256

      bb6758a9bce33333cbe3c141c2f7c94077d97cf25c83eb4282cc5ddcaeccc194

    • SHA512

      4d8c1143a785df75885ef851f88249a5078d436bf3a3e9ac74326df11cd7cea87ccbca5bbe08aaea75cd675a5b00a58ce1e3da4df373f81c765e4bfbce16f141

    • SSDEEP

      6144:NlL+epunGnKy5a6MlWLuerZDqtJD80VK/o:rvunGnKyyW6eNDqtJDrc

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1106-03-AgentTesla.exe

    • Size

      700KB

    • MD5

      5b61637836afea5019078c8841f39712

    • SHA1

      061befc3ad783a590cb6e408062f8b2291c7b12f

    • SHA256

      8f3ed9c86757d9adaf489ce86c6ac422240af48f5c109807b31b3646b67d9757

    • SHA512

      c025a05bde0a92a785f470f74f33a8e30ba93edbcf026b05cbabbe1c7f884508829a418d8b1f5762b2769abb80a799e82add5eefb8ed75be66110185b7e139f5

    • SSDEEP

      12288:vwgJjWP9lZtDKIcXY4mnTwwlJk15TsVuhk37F1VoKc8XUbsS:PkDDKIcSEwEQVu237VoKc8X+

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      1106-04-Warzone.exe

    • Size

      191KB

    • MD5

      996dd49201700930e0196a0b06f2a540

    • SHA1

      96c2cacce22898106473c1caef52f52cef7bb86d

    • SHA256

      d67122e881107797472553cc88f939e134c6443a435308e1333f4fb43dc59ff1

    • SHA512

      76820043e1b61c3892c92fcd552bb539cf333d52de7ca73db118ef7981b930d864629bb8bd075ca8a48b97a9790eb209233f0ce77faa149dbbdc3e2f5f70583b

    • SSDEEP

      3072:YkmlIja3IsCmIvI1zSIdPauWk9qtZHhUZ7OybN/AyoOzldQuoDm2heF1:YJ6aCtUzFUuMtZHx6zBZdQuoDVeF

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Suspicious use of SetThreadContext

    • Target

      1106-05-Windigo.exe

    • Size

      5.6MB

    • MD5

      cedb53f0cc2618efb65716e1c8901305

    • SHA1

      bc284beeb54c018bfa1bae059245ff8b4fe06bf7

    • SHA256

      52f59830741fff205da17b574dce37b598f59d5f9f75d7bac51f98f21e408fd2

    • SHA512

      698811994e88047479688aad4293451f74ae8edd36621764464cfb285d32fb5007d1512bd23d18af4f53741a52d810916354a03c2bb98bc4e805cec558aeb466

    • SSDEEP

      98304:0iRmxZFsM4kxzDcT+GcY437KvDwEHuujlsaSzsC0p43MpQdZ9nc+fsCb+oSBAON6:VRm1syxacY48eda2TMpQdZ9nc+fyhNjG

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1106-06-Zgrat.exe

    • Size

      7.5MB

    • MD5

      f86edaaf9c119e2dbe9b58c4307842a5

    • SHA1

      1c28fe601d25f3df520d62f82940b1fa61813433

    • SHA256

      cf004015f5e10ab40a8bd7d3994e53ab17264e41ddec6cacea849e1f630cc21c

    • SHA512

      993540f0b6d004cf193b154cd43b2f55704e84020a2a0fff14987ee3659deb652749fa7d835cd644c0117bdd355ce8a5f5162ec991c8d7bee29c4c00a93df85d

    • SSDEEP

      196608:PrkiyCGE2FTbUbYtprkiyCGE2FTbUbYt9eJhho0Zvvh4toep:DbNGRU0bNGRUrLo0Zvvh4Gu

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      1106-07-BlankGrabber.exe

    • Size

      6.7MB

    • MD5

      6c6869a179da5341caafd09de6e1bf70

    • SHA1

      a2054d75c801851a959dcfac38c3bcc76bd164a6

    • SHA256

      d183a634193b6b34a746350a0a6fc1580e7ab7fdf78c20fc343d26773b22f294

    • SHA512

      5e9d1a96c413ab7cf53efb5f5574e804df9273967dd31dbe910a7fbd912a4eaae3d35ae112ed55c921ddcb3ff2ff744e228eee62c8caa4c7f6da065ed53a9fcd

    • SSDEEP

      98304:2jDe7pzFECBCPaB88MMhJMjarCtaCObO/OH9KkqQz4W1/rlcgRgeDxHMv03zMk:2mNzXCyB6yA+KO0WNrlAusvZk

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      1106-08-Glupteba.exe

    • Size

      4.1MB

    • MD5

      62c5023b7795f6cda227123440759692

    • SHA1

      5f1a0c39e76804d9f72074ff381c59be19b4dd77

    • SHA256

      4db29e860c01192913f9c177570bbb5ea70282ca6fd2c93e1488b4e989474ab9

    • SHA512

      70f3c5877a450485eb52aaa1707a8cdc5f1a7e2afbee371e4c808600f4c55a6992fe99ef918a0851627072564ba6479a6f6bb17573231d653ad3f53f3614a4e4

    • SSDEEP

      98304:4HeHXGGmYFuHsBIxknjn1eYgExLMY+GACXMAVfwuZM:BH2GmouHsBIWnBAKBf1ZM

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Target

      1106-09-Msfvenom.exe

    • Size

      72KB

    • MD5

      6710a1bc4c55a70ba0fd9a9f93d70eff

    • SHA1

      886ae53b0bd3f4ef8d1b87d4d246b507a92f681e

    • SHA256

      9b8fa305f5afd88c14d12cb56a630594b7976796b49601d37130e73a9ee3532a

    • SHA512

      318e25afb0531498f64b86a2a1429b5a873cda8537ed39d0c3b03d554e050161426882c203d32352798299095403e33703691cffc79b18ddf44998661758e77b

    • SSDEEP

      1536:IMEnIDSuPXCzWBNLmgSZSjud1Mb+KR0Nc8QsJq39:fEnI7/uWBNLmgSTDe0Nc8QsC9

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Target

      1106-10-Windigo.exe

    • Size

      5.6MB

    • MD5

      234e9a1bfe944725b486cf427de79e2f

    • SHA1

      d3a288ca7f4c091196d02f016bec0c65a8111f3b

    • SHA256

      b9d6814aa587a9002abba3889d316ab407ecb2090b9e4561a43d56b755b7bb44

    • SHA512

      7c3b28170d9a411c3f7617645f52f71d890d6e1c64e6ab9cc1bba155bf15243cdc4532cd2fcf47892291dcf95641c06bd6afdb88ccffe87cd2ecceacfd938bf6

    • SSDEEP

      98304:iiRmxZFsM4kxzDcT+GcY437KvDwEHuujlsaSzsC0p43MpQdZ9nc+fsCb+oSBAON6:HRm1syxacY48eda2TMpQdZ9nc+fyhNjG

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1106-11-Njrat.exe

    • Size

      2.7MB

    • MD5

      f6e3aee1f90ebd9fd2035d95cfb1572a

    • SHA1

      9e3f5dd7421c68ed101a21678056a0d03a145d1a

    • SHA256

      0b4d4ccbb9bef35964350e889dd87d2f5b0cd4e0fdc281af1f11adfbce994209

    • SHA512

      437a0a1a485cc07567e149a5de503b2d2312925695824c002d25ad51a7015cfd78c03c962bbcd808793387d7cb3b4008602c70909a067ca29ac18827c5360035

    • SSDEEP

      49152:rBZ6v3/0HTj169yWEY969K22VwFHITeeAwxkA:rWv3/0HTj169yWEY969r2VeH

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      1106-12-Gh0st.dll

    • Size

      51KB

    • MD5

      ab865d38d71c556abf1540dc7b60976c

    • SHA1

      0bd5aa27ca3f2e0e071746854c793cf27931595e

    • SHA256

      35c37a88b8a9076e7bd6f793719650e25cccffa121ee547f807239cc7b8fca72

    • SHA512

      589e063e73f17a375f33ae3785673a09ad67d3e5594f99b81a8097608c5cf8a88799e26a36ad619bc14d137ff0171549a65b1d89d104b0bd65476a5bd1c51e93

    • SSDEEP

      1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLbJYH5:1dWubF3n9S91BF3fbo3JYH5

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

zgrat, blankgrabber, metasploit, gh0strat
Score
10/10

behavioral1

redline, discovery, infostealer, spyware, stealer
Score
10/10

behavioral2

redline, microsoft, infostealer, phishing
Score
10/10

behavioral3

stealc, discovery, spyware, stealer
Score
10/10

behavioral4

stealc, discovery, spyware, stealer
Score
10/10

behavioral5

agenttesla, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral6

agenttesla, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral7

warzonerat, infostealer, rat
Score
10/10

behavioral8

warzonerat, infostealer, rat
Score
10/10

behavioral9

discovery
Score
7/10

behavioral10

discovery
Score
7/10

behavioral11

zgrat, rat
Score
10/10

behavioral12

zgrat, evasion, rat, spyware, themida, trojan
Score
10/10

behavioral13

upx
Score
7/10

behavioral14

upx
Score
7/10

behavioral15

glupteba, discovery, dropper, evasion, loader, persistence, rootkit, trojan, upx
Score
10/10

behavioral16

glupteba, discovery, dropper, evasion, loader, persistence, rootkit, upx
Score
10/10

behavioral17

metasploit, backdoor, trojan
Score
10/10

behavioral18

metasploit, backdoor, trojan
Score
10/10

behavioral19

discovery
Score
7/10

behavioral20

discovery
Score
7/10

behavioral21

njrat, zgrat, hi can you give money, persistence, rat, trojan
Score
10/10

behavioral22

njrat, zgrat, hi can you give money, persistence, rat, trojan
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10