Resubmissions

28-11-2023 00:20

231128-amwztadh9v 10

25-11-2023 22:53

231125-2t11wsdf6v 10

General

  • Target

    New Text Document.zip

  • Size

    1KB

  • Sample

    231125-2t11wsdf6v

  • MD5

    3c8b819becd177edcbab3aaa436f1038

  • SHA1

    191e32ee0095c03ed38fb0cf656830eed585e53d

  • SHA256

    f5091b65f748236c24c4f1d289cfafe78236dfea4768929a1f1fa91b2e5d0779

  • SHA512

    a26c1b88243c14aad3e5d3cbddd63dcdd0ff00b0fa790db592ac89b3207220784cd77e861098448bc158816f8d352c139f7b1569441e4058170797ea3d0f0112

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

xworm

Version

3.1

C2

needforrat.hopto.org:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

needforrat.hopto.org:7772

Mutex

47b887645f4457386c0b55e0a170685a

Attributes
  • reg_key

    47b887645f4457386c0b55e0a170685a

  • splitter

    |'|'|

Extracted

Family

formbook

Version

4.1

Campaign

tb8i

Decoy

097jz.com

physium.net

sherwoodsubnet.com

scbaya.fun

us2048.top

danlclmn.com

starsyx.com

foxbox-digi.store

thefishermanhouse.com

salvanandcie.com

rykuruh.cfd

gelaoguan.net

petar-gojun.com

coandcompanyboutique.com

decentralizedcryptos.com

ecuajet.net

livbythebeach.com

cleaning-services-33235.bond

free-webbuilder.today

pussypower.net

Extracted

Family

quasar

Version

1.4.0

Botnet

Office05

C2

needforrat.hopto.org:7771

Mutex

d70dba78-082d-4d62-9d71-b4a1c6961022

Attributes
  • encryption_key

    110272D9471BA005C613D451E07D98ABB8403AED

  • install_name

    Client1.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender

  • subdirectory

    SubDir

Extracted

Family

netwire

C2

needforrat.hopto.org:3360

needforrat.hopto.org:7777

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    qRhguWXi

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    Crack_Windows

  • use_mutex

    true

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8888

93.123.85.68:8888

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WinRar.exe

  • telegram

    https://api.telegram.org/bot5831501082:AAELkQ6xM7p_N7x74e8Xrku-_ibYekoBMcY

Extracted

Family

stealc

C2

http://finnmanninger.icu

http://raphaelbischoff.icu

Attributes
  • url_path

    /40d570f44e84a454.php

  • rc4.plain

  • rc4.plain

Extracted

Family

amadey

Version

4.13

C2

http://65.108.99.238

http://brodoyouevenlift.co.za

Attributes
  • strings_key

    bda044f544861e32e95f5d49b3939bcc

  • url_paths

    /yXNwKVfkS28Y/index.php

    /g5ddWs/index.php

    /pOVxaw24d/index.php

  • rc4.plain
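The extracted configs above carry concrete host and network indicators: C2 hosts, IPs and ports, mutexes, Run-key value names, install file names, panel URL paths and a Telegram bot endpoint. The script below is an added example, not part of the sandbox report, that transcribes those indicators into a small matcher and runs it over constructed telemetry. The event field names (type, query, dst_ip, dst_port, url, key, value, data, path, name) are an assumed Sysmon-like schema, not any product's format. It also encodes three caveats a practitioner would want: the 127.0.0.1:8888 entry from the XWorm 5.0 config is a loopback placeholder and is excluded, a match on port alone is reported as low confidence, and install file names only fire inside the %AppData% / %ProgramData% directories the configs name, so a legitimate WinRAR.exe under Program Files does not match.

```python
"""IOC matcher built from the configs extracted on this page (added example).

Indicator sets are transcribed from the Malware Config section; the
telemetry events at the bottom are constructed for the demonstration.
"""
import ipaddress
import ntpath
import re
from urllib.parse import urlparse

# C2 hostnames from the xworm 3.1, njrat, quasar, netwire, stealc and amadey configs.
C2_HOSTS = {
    "needforrat.hopto.org",
    "finnmanninger.icu",
    "raphaelbischoff.icu",
    "brodoyouevenlift.co.za",
}
# 127.0.0.1:8888 from the xworm 5.0 config is deliberately omitted: a loopback
# placeholder would match every host's own traffic.
C2_IPS = {"194.49.94.152", "93.123.85.68", "65.108.99.238"}
C2_PORTS = {3360, 7000, 7771, 7772, 7777, 8888}
MUTEXES = {
    "47b887645f4457386c0b55e0a170685a",   # njrat
    "d70dba78-082d-4d62-9d71-b4a1c6961022",  # quasar
    "qRhguWXi",                           # netwire
}
RUN_VALUE_NAMES = {"Windows Defender", "Crack_Windows", "47b887645f4457386c0b55e0a170685a"}
INSTALL_FILES = {"usb.exe", "winrar.exe", "client1.exe", "host.exe"}
URL_PATHS = {
    "/40d570f44e84a454.php",
    "/yXNwKVfkS28Y/index.php",
    "/g5ddWs/index.php",
    "/pOVxaw24d/index.php",
}
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
STAGING_DIRS = ("\\appdata\\roaming\\", "\\programdata\\")  # %AppData%, %ProgramData%


def match_event(ev):
    """Return a list of human-readable hits for one telemetry event (assumed schema)."""
    hits = []
    kind = ev["type"]
    if kind == "dns":
        name = ev["query"].rstrip(".").lower()
        if name in C2_HOSTS:
            hits.append(f"dns: lookup of C2 host {name}")
    elif kind == "net":
        ip, port = ev["dst_ip"], ev["dst_port"]
        if ip in C2_IPS:
            hits.append(f"net: connection to C2 address {ip}:{port}")
        elif port in C2_PORTS and ipaddress.ip_address(ip).is_global:
            # Port alone is weak evidence; flag it but mark it low confidence.
            hits.append(f"net(low): external connection on RAT port {port}")
    elif kind == "http":
        u = urlparse(ev["url"])
        host = (u.hostname or "").lower()
        if host in C2_HOSTS or host in C2_IPS:
            hits.append(f"http: request to C2 {host}")
        if u.path in URL_PATHS:
            hits.append(f"http: known panel path {u.path}")
        if TELEGRAM_BOT_RE.search(ev["url"]):
            hits.append("http: Telegram bot API used as exfil channel")
    elif kind == "reg":
        if RUN_KEY_RE.search(ev["key"]):
            if ev["value"] in RUN_VALUE_NAMES:
                hits.append(f"reg: Run value name '{ev['value']}' from extracted config")
            if ntpath.basename(ev["data"]).lower() in INSTALL_FILES:
                hits.append(f"reg: Run entry points at dropped file {ntpath.basename(ev['data'])}")
    elif kind == "file":
        low = ev["path"].lower()
        # Only the staging directories named in the configs count, so a
        # legitimate WinRAR.exe under Program Files does not fire.
        if ntpath.basename(low) in INSTALL_FILES and any(d in low for d in STAGING_DIRS):
            hits.append(f"file: config install path written: {ev['path']}")
    elif kind == "mutex":
        if ev["name"] in MUTEXES:
            hits.append(f"mutex: {ev['name']} from extracted config")
    return hits


def scan(events):
    """Return {event_index: [hit, ...]} for every event that produced a hit."""
    results = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results[i] = hits
    return results


# Constructed telemetry for the demonstration; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "needforrat.hopto.org."},
    {"type": "net", "dst_ip": "194.49.94.152", "dst_port": 50500},
    {"type": "http", "url": "http://65.108.99.238/g5ddWs/index.php"},
    {"type": "http", "url": "https://api.telegram.org/bot5831501082:AAELkQ6xM7p_N7x74e8Xrku-_ibYekoBMcY/sendMessage"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Defender", "data": r"C:\Users\u\AppData\Roaming\SubDir\Client1.exe"},
    {"type": "file", "path": r"C:\ProgramData\WinRar.exe"},
    {"type": "mutex", "name": "qRhguWXi"},
    {"type": "dns", "query": "www.microsoft.com"},                     # benign
    {"type": "net", "dst_ip": "127.0.0.1", "dst_port": 8888},          # loopback placeholder
    {"type": "file", "path": r"C:\Program Files\WinRAR\WinRAR.exe"},   # legitimate install
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"[{i}] {h}")
```

The first seven constructed events each produce at least one hit (the Amadey request and the Quasar Run entry produce two), while the benign DNS query, the loopback connection and the legitimate WinRAR path produce none.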

Targets

    • Target

      New Text Document.zip

    • Size

      1KB

    • MD5

      3c8b819becd177edcbab3aaa436f1038

    • SHA1

      191e32ee0095c03ed38fb0cf656830eed585e53d

    • SHA256

      f5091b65f748236c24c4f1d289cfafe78236dfea4768929a1f1fa91b2e5d0779

    • SHA512

      a26c1b88243c14aad3e5d3cbddd63dcdd0ff00b0fa790db592ac89b3207220784cd77e861098448bc158816f8d352c139f7b1569441e4058170797ea3d0f0112

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Detect Xworm Payload

    • Formbook

      Formbook is an information stealer with keylogging and form-grabbing capabilities.

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging; it also provides remote control of the host.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Stealc

      Stealc is an infostealer written in C++.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Formbook payload

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Drops startup file

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks