Resubmissions

07-11-2023 02:17

231107-cqv8sshh7z 10

07-11-2023 02:13

231107-cnqwasbe42 10

07-11-2023 02:00

231107-cfgbwshg4s 10

07-11-2023 01:50

231107-b9b4lahf6t 10

07-11-2023 01:35

231107-bz5yxsbb62 10

General

  • Target

    Divided Threats.zip

  • Size

    198MB

  • Sample

    231107-b9b4lahf6t

  • MD5

    f6fed4cd5f732c98e95cb2d633b6b88f

  • SHA1

    bd61e60312f1e0ec86b24196f44e8f9275de6cf1

  • SHA256

    42f6ed3f3f25e52787a9e43dec53306eb63e581d87882f3fbc4756685714e39a

  • SHA512

    0bf8b62091061100fb81e8a328e738bce4e3ba733a2a47f808b4b3e44f519441883c72752f654c217b7c354c99894515ed8db92c647587a415d1dfc4d96d68f8

  • SSDEEP

    3145728:BHVJkRpdd5SZKO1E2AH57+eBlBtqVJncR6nl4DpAlAR8bpwBZkzxQxqi:9AddkHedtqbAYob0I+1C

Malware Config

Extracted

Family

raccoon

Botnet

5ba094fed1175cc7d1abb03fa165c23c

C2

http://79.137.207.53/

Attributes
  • user_agent

    901785252112

xor.plain

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://45.133.1.182/proxies.txt

45.133.1.60

Attributes
  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

stealc

C2

http://robertjohnson.top

Attributes
  • url_path

    /e9c345fc99a4e67e.php

rc4.plain

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.daipro.com.mx
  • Port:
    587
  • Username:
    soco.pulido@daipro.com.mx
  • Password:
    DAIpro123*

Targets

    • Target

      Divided Threats.zip

    • Size

      198MB

    • MD5

      f6fed4cd5f732c98e95cb2d633b6b88f

    • SHA1

      bd61e60312f1e0ec86b24196f44e8f9275de6cf1

    • SHA256

      42f6ed3f3f25e52787a9e43dec53306eb63e581d87882f3fbc4756685714e39a

    • SHA512

      0bf8b62091061100fb81e8a328e738bce4e3ba733a2a47f808b4b3e44f519441883c72752f654c217b7c354c99894515ed8db92c647587a415d1dfc4d96d68f8

    • SSDEEP

      3145728:BHVJkRpdd5SZKO1E2AH57+eBlBtqVJncR6nl4DpAlAR8bpwBZkzxQxqi:9AddkHedtqbAYob0I+1C

    • Detect ZGRat V1

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Matrix ATT&CK v13

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Command and Control

Web Service

1
T1102

Tasks