Resubmissions

  Date              Sample ID          Score
  07-11-2023 02:17  231107-cqv8sshh7z  10
  07-11-2023 02:13  231107-cnqwasbe42  10
  07-11-2023 02:00  231107-cfgbwshg4s  10
  07-11-2023 01:50  231107-b9b4lahf6t  10
  07-11-2023 01:35  231107-bz5yxsbb62  10

General

  • Target: Divided Threats.zip
  • Size: 198MB
  • Sample: 231107-bz5yxsbb62
  • MD5: f6fed4cd5f732c98e95cb2d633b6b88f
  • SHA1: bd61e60312f1e0ec86b24196f44e8f9275de6cf1
  • SHA256: 42f6ed3f3f25e52787a9e43dec53306eb63e581d87882f3fbc4756685714e39a
  • SHA512: 0bf8b62091061100fb81e8a328e738bce4e3ba733a2a47f808b4b3e44f519441883c72752f654c217b7c354c99894515ed8db92c647587a415d1dfc4d96d68f8
  • SSDEEP: 3145728:BHVJkRpdd5SZKO1E2AH57+eBlBtqVJncR6nl4DpAlAR8bpwBZkzxQxqi:9AddkHedtqbAYob0I+1C

Malware Config

Extracted
  • Family: raccoon
  • Botnet: 5ba094fed1175cc7d1abb03fa165c23c
  • C2: http://79.137.207.53/
  • Attributes
      user_agent: 901785252112
  • xor.plain

Extracted
  • Family: privateloader
  • C2:
      http://45.133.1.107/server.txt
      pastebin.com/raw/A7dSG1te
      http://wfsdragon.ru/api/setStats.php
      51.178.186.149
      http://45.133.1.182/proxies.txt
      45.133.1.60
  • Attributes
      payload_url: https://vipsofts.xyz/files/mega.bmp

Extracted
  • Family: socelars
  • C2:
      http://www.iyiqian.com/
      http://www.hbgents.top/
      http://www.rsnzhy.com/
      http://www.znsjis.top/

Extracted
  • Family: stealc
  • C2: http://robertjohnson.top
  • Attributes
      url_path: /e9c345fc99a4e67e.php
  • rc4.plain

Extracted
  • Credentials
      Protocol: ftp
      Host: peruglobo.com
      Port: 21
      Username: freemason@peruglobo.com
      Password: YSw&oCV&c23w

Extracted
  • Credentials
      Protocol: smtp
      Host: mail.hhipune.com
      Port: 587
      Username: credit@hhipune.com
      Password: c@c1r2e3

Extracted
  • Credentials
      Protocol: smtp
      Host: mail.alualuminium.com.my
      Port: 587
      Username: admin@alualuminium.com.my
      Password: U8G4S13#8Zk$

Extracted
  • Family: redline
  • Botnet: pab777
  • C2: 185.215.113.15:6043

Extracted
  • Family: agenttesla
  • Credentials
      Protocol: ftp
      Host: ftp://peruglobo.com
      Port: 21
      Username: freemason@peruglobo.com
      Password: YSw&oCV&c23w

Targets

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect Fabookie payload

    • Fabookie
      Fabookie is a Facebook account info stealer.

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc
      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • ASPack v2.12-2.42
      Detects executables packed with ASPack v2.12-2.42.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • VMProtect packed file
      Detects executables packed with the VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service
      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                     Count  ID
  Execution             Scripting                     1      T1064
  Execution             Scheduled Task/Job            1      T1053
  Persistence           Scheduled Task/Job            1      T1053
  Privilege Escalation  Scheduled Task/Job            1      T1053
  Defense Evasion       Scripting                     1      T1064
  Discovery             System Information Discovery  4      T1082
  Discovery             Query Registry                4      T1012
  Discovery             Peripheral Device Discovery   1      T1120
  Discovery             Process Discovery             1      T1057
  Discovery             Remote System Discovery       1      T1018
  Command and Control   Web Service                   1      T1102

Tasks