Overview
Analysis environment (all 16 behavioral tasks): windows11-21h2-x64
General
Target: Random file mystery pot Suprise.zip
Size: 7.8MB
Sample: 231220-b48wdafacn
MD5: 4304c66e786cd42c4bb09c6f6766fe49
SHA1: e48d47e5e689ef4dcb73e278b9b6be0407cf2147
SHA256: 052e54df0b86483f84bbff6504e202c36e7bc25885e369e830dd7086fb7c7562
SHA512: 711b5e410f283a64887e6e2857967a905a9ddc9762bf974b228c3ef951fa475bed3c0ea23fd4cdadfcac6e54e59cba9b5a87ab0d32401242d90024a174bf3812
SSDEEP: 196608:NhViVR5xBwoRAmd60/n1pn5OOiS+WV7ytaNVW/0WDqC:N7idwO80fvLW0Wj
Behavioral tasks (resource win11-20231215-en for every task)
behavioral1: 076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29.exe
behavioral2: 0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
behavioral3: 131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
behavioral4: 1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd.exe
behavioral5: 30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030.exe
behavioral6: 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
behavioral7: 5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f.exe
behavioral8: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
behavioral9: 651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673.exe
behavioral10: 677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58.exe
behavioral11: 7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb.exe
behavioral12: 817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db.dll
behavioral13: a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142.exe
behavioral14: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
behavioral15: f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.msi
behavioral16: f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
Malware Config
Extracted: redline
  Botnet: @esaymane
  C2: 91.142.79.218:26878
  auth_value: 78723e767811c55bea193f76621d6be1
Extracted: predatorstealer
  C2: http://193.142.59.66/L9/
Extracted:
  URL: http://bratiop.ru/asdfg.exe
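The indicators above (the RedLine C2 socket, the PredatorStealer panel URL, the payload download URL), together with the per-target SHA256 values in the Targets section below, are what a responder sweeps logs for after seeing this report. The Python below is an added example and not part of the sandbox report: it builds that IOC set and runs it over firewall, proxy and EDR log lines that are constructed for the demonstration (not taken from this analysis). An exact ip:port match on the C2 is reported separately from a bare IP hit, since the same address on a different port is weaker evidence.

```python
"""Sweep log lines for the indicators this report extracted.

Added example, not part of the sandbox report. IOC values are copied from
the report's Malware Config and Targets sections; the log lines at the
bottom are constructed for the demonstration and are not from this analysis.
"""
import re

# --- indicators from the report ---
REDLINE_C2 = ("91.142.79.218", 26878)          # redline, botnet "@esaymane"
PREDATOR_PANEL = "http://193.142.59.66/L9/"     # predatorstealer
PAYLOAD_URL = "http://bratiop.ru/asdfg.exe"     # extracted download URL
KNOWN_SHA256 = {                                 # target hash -> family from its signatures
    "076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29": "XMRig miner",
    "0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1": "Rhadamanthys",
    "1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd": "RedLine",
    "677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58": "RedLine/SectopRAT",
    "b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae": "XMRig miner",
}


def host_of(url):
    """Host part of an http(s) URL: hostname or IP literal, port and path dropped."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else ""


IOC_URLS = {PREDATOR_PANEL, PAYLOAD_URL}
IOC_HOSTS = {host_of(u) for u in IOC_URLS} | {REDLINE_C2[0]}

SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def match_line(line):
    """Return (kind, value) hits for one log line, most specific first.

    c2_socket : exact ip:port of the RedLine C2 (high confidence)
    ioc_url   : exact URL from the extracted config
    ioc_host  : config host/IP seen in another URL or as a bare address
                (lower confidence: shared hosting, or a different port)
    sha256    : hash of one of the analysed samples
    """
    hits, covered = [], set()
    for ip, port in SOCKET_RE.findall(line):
        if (ip, int(port)) == REDLINE_C2:
            hits.append(("c2_socket", f"{ip}:{port}"))
            covered.add(ip)
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")
        host = host_of(url)
        if url in IOC_URLS:
            hits.append(("ioc_url", url))
            covered.add(host)
        elif host in IOC_HOSTS and host not in covered:
            hits.append(("ioc_host", host))
            covered.add(host)
    for ip in IPV4_RE.findall(line):
        if ip in IOC_HOSTS and ip not in covered:
            hits.append(("ioc_host", ip))
            covered.add(ip)
    for digest in SHA256_RE.findall(line):
        if digest.lower() in KNOWN_SHA256:
            hits.append(("sha256", KNOWN_SHA256[digest.lower()]))
    return hits


def scan(lines):
    """Index -> hits for every line that matched at least one indicator."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[i] = hits
    return results


# Constructed firewall / proxy / EDR lines (not from the report).
SAMPLE_LOGS = [
    "2023-12-20T10:01:02Z fw ALLOW tcp 10.0.0.23:51222 -> 91.142.79.218:26878",
    "2023-12-20T10:01:09Z proxy 10.0.0.23 GET http://bratiop.ru/asdfg.exe 200 5537123",
    "2023-12-20T10:02:00Z proxy 10.0.0.41 POST http://193.142.59.66/L9/ 200 412",
    "2023-12-20T10:03:00Z edr WS-23 FileCreate C:\\Users\\a\\Downloads\\asdfg.exe "
    "sha256=1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd",
    "2023-12-20T10:04:00Z fw ALLOW tcp 10.0.0.23:51230 -> 91.142.79.218:443",
    "2023-12-20T10:05:00Z proxy 10.0.0.9 GET http://example.com/index.html 200 512",
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS).items():
        print(f"line {i}: {hits}")
```

The fifth sample line (the C2 address on port 443) is deliberately reported as a lower-confidence `ioc_host` hit rather than `c2_socket`; whether to page on it depends on what else that host serves.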
Targets

Target: 076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29.exe
Size: 5.4MB
MD5: fbbeef748d1a778d15265c1b78a0f5f2
SHA1: d81baf14bf5d2f017a1a7bfd9e75d03ca7621b8a
SHA256: 076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29
SHA512: dceb3004fb5018552d26051e32ebdbf9aa85e62f0ef14d7897e797e2bbc6b12381ce320b53361f199c6e24fef0d7a37ce96899357c9165a815d79045e7d78c2a
SSDEEP: 49152:rpQDkXmuSP9y8X1hMUR/kMC3WpP7MqRyBxpt+yyQ6ihi04raAWK3+M2lkXy1YweG:
Signatures:
- XMRig Miner payload
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext

Target: 0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
Size: 210KB
MD5: 8e84fa4f3e50e2bdc357c348b923a8b4
SHA1: 8ccc6b05df9cd2ab9275e2848a997176b3cd41c8
SHA256: 0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
SHA512: cab0b936c6834068a94d55a7c3172b3b27766ddd41d5422ec2e4b1f2c0f39fa12f1258c4dc5483f061b635976ce398b91d274fbab812b64657ea3eb06e5dc81c
SSDEEP: 3072:NWEv+PTBTYm7BsOzKSU2pr1RJoutgYdNC1W:NWEvMlTb7GyrLJoShdNn
Score: 10/10
Signatures:
- Detect ZGRat V1
- Rhadamanthys: Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of SetThreadContext

Target: 131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Size: 305KB
MD5: 4309f4b4bb455f998d1fdf310cd83484
SHA1: 4ee10072d4dff28efcd64d8dcd631760868d644b
SHA256: 131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1
SHA512: 3d730ec6e3b385a69fa62634f4776e98327bc8f5da6330b109d3de5b37339dcb97cf9bf489c548de23f6ff71b115e921d5179cf2606eba61783851462ba807bf
SSDEEP: 6144:zWmk/wokUNpuDoAVUx99rpABXHxjdgwJids6m+8suhyiP:NswuNpQv299rpAVHxJgw0dsp+dTiP

Target: 1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd.exe
Size: 262KB
MD5: 19fc87c57a679a0d13237b98b5238494
SHA1: 225b2955c3ef066629dfe2a6f70e6f685d361cbb
SHA256: 1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd
SHA512: 25802228b2ce71d52de9436ae465b79731bfe10142c22b3fb9618420c3fdf9b917a73426b3b22831f009a5db85276237d14146cfbc5cf41eaacf324f432a983e
SSDEEP: 3072:DHWR0eTZb0s2XCO6bi9Syoe3e5MbrfgDDRIWG7Oh5y9iFzCgfsDr18IPoyvbOQ87:ovWo+eErfSB8qWz6IwyvhAthNYfsY
Score: 10/10
Signatures:
- Detect ZGRat V1
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload

Target: 30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030.exe
Size: 541KB
MD5: 3f4dea6e7b8ccf697d2936176954b390
SHA1: 4b34af92af1e22a6ec47ac36dc4b5bb5d743e01d
SHA256: 30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030
SHA512: e6d5c74048d2510a9ed8dc253158a1f531d61492832238b1c2f5c7c857da57008af1f8d3cd34d5b3077f307c1d42d61f36fd47e40567323d5cd4552fdc46256d
SSDEEP: 12288:jmWfpP7y6eXLpjblm8wrDGXnPD5pIvJwpTrvX2Hn4Zuc374hotEwOu3LE:jmUh+LLpjblm8eDGXnPD5pIRSDXkg8io
Score: 10/10

Target: 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
Size: 815KB
MD5: 706368098593b234bde3727366651281
SHA1: 81a56cd69bf00ec1fd79543423c59d5ce16c1a45
SHA256: 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5
SHA512: b1ba031351ec99df11f511ede7257ee4aa9b43472532d1d3e6ff36101b7f489a11fa356421759d08a83f663877b09029f15ccce25501e51e489429a1f0aece60
SSDEEP: 24576:em8RI+emRlQIjDlzzTlQ8LmcEd40X0zjnXU9PR1t7drlSpnHuGE5:bzghxO
Signatures:
- Kutaki Executable
- Drops startup file
- Executes dropped EXE
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.

Target: 5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f.exe
Size: 101KB
MD5: 5b77966a255cfa2e01887717058ef272
SHA1: 7bce007c34add6b16a0bb594cbcde285aed0ac74
SHA256: 5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f
SHA512: 011367d48ea5bbfb63edae20e4051de9ca32623fbff91d315c1067ab6fb31863f15338d50b07ad2117c55b6e0b0ecedfba42970782752f75723e9f9db3c3819a
SSDEEP: 1536:0LFRFRFRFwmRHuEkibZnFXTeaXm0cob6KxQOb9sH8kChRpVwSMTFwdHHtVqoyyt4:u3PX6aW0coPRsqPNMTCnLqyBy9tF9
Score: 1/10

Target: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Size: 278KB
MD5: 66a3124fe4ed45fae20e2bd4ee33c626
SHA1: fc5ef4caf4d8a51a340f6fd98ac525debcff8f30
SHA256: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad
SHA512: 569bc064f465c32fd11fdd67896106778f13094e20adc739d8824f9e02508701b712bd3cfdab48782421b35acebe16bb5b0e97543db869ecaec5c1b87902b872
SSDEEP: 6144:sU0sd0bzy1GOgofaePZ3e5fv+vc6X+olz:XzHGOgovPwcXbl
Signatures:
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673.exe
Size: 223KB
MD5: 405bb24ade435693b11af1d81e2bb279
SHA1: 2584f1119c65ffd0936e2916b285389404b942c9
SHA256: 651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673
SHA512: b23649b9c7f86dd5a5cd18caa7c33072639f3f43f68131e6aa3b02de8267fb8891090e524d238244f87737167e09b89a4704d30b8973e1b742db08abb0783a32
SSDEEP: 6144:voIzJOivKYT1+LdCWc9mhxG/ZfZHcr8qr:3vH1EjxGxfC
Score: 1/10

Target: 677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58.exe
Size: 113KB
MD5: 37048e548f18aba300bafd7822296928
SHA1: 40a258430ebe9297db33a248566a89e163286f3c
SHA256: 677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58
SHA512: 625b3b4615ae9bd6676bdb67059e0208d6785dc7e165f65386ab3c315c577df8fecf711ed95179f7bce9c41b9e2a90192aa8bca6922702ff2792ab92160b8a57
SSDEEP: 1536:4FHdbTaUxSClJgXZhIHqlHrJRIDbMuL63gFvyTFdAnYPrzGEiZRC7U:4ZdqWSCUZhI0+q3g1ypCuHBkRC7U
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload

Target: 7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb.exe
Size: 381KB
MD5: db78b6b4e4ace66632b1b7d746f1d716
SHA1: 8e2c19b9247bb799a2f0191af144cdf2e85db099
SHA256: 7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb
SHA512: 957ec989a52790550c15b030d0352baf714e36e9c5956eed6d9626b046a59b1bcf30d5bc283eb72c692df7494e8ecf8a1e0d3aea922118f52edcbf9f90879df1
SSDEEP: 6144:8qprONykLCWtRm2YXSO6UBN+k2LaAa4TbuS0TLCK:LpaNyk2WHm2u2U8aAa4T6SECK
Score: 3/10

Target: 817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db.exe
Size: 2.6MB
MD5: fea3a5c2bafa878b95e7084b5a5cb192
SHA1: bc2bd62464ab420e677753ada67f3bb345cf5080
SHA256: 817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db
SHA512: 00d281f0d02619afa27e29faa8cd80ef48a449628308baa31c239c4930a8f3c031dadbb95ba194c3b0e00dba95a33ddd6715991ba9ab4a2daf06b430915c513a
SSDEEP: 49152:sVSjcGsSEt3UQjAuD5Pa8G/5Dh+TNbtFs98e:sVYcwOJP67a
Score: 8/10
Signatures:
- Blocklisted process makes network request

Target: a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142.exe
Size: 101KB
MD5: 9618523352c980cc2fdb2533e16d7b08
SHA1: c518747935e16bfa8b7e8bedb38fc37d7afa386d
SHA256: a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142
SHA512: cb68601b5f3a808b6a8a2f90b386293ba21b13ac15981ea20abd03324f2d6cb1922b2425d5fa4b66a0ab5603843dc73ee14b62c1f8206bd58569a0441a097551
SSDEEP: 1536:8uxpMqqU+NV2I8ShQEBpFiAVMS4O8gOkfDiGyIUt39p3VbWL8:8iMqqDLn8SuUKIMS42fDiGyIW9dVo8

Target: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
Size: 256KB
MD5: 18d05e20731583a22b495d0d1f107c5b
SHA1: 2ced0e3577063ca3613b43661e7df5bc1411ab09
SHA256: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
SHA512: 36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a
SSDEEP: 3072:Cf1BDZ0kVB67Duw9AMcb6FKglbz5107+i9CUVx/kvBFi4lBV5AfeNNu0NiF:C9X0GT6FKgpF107+iNDG5l5AfeNpNs
Signatures:
- XMRig Miner payload
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext

Target: f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.exe
Size: 252KB
MD5: 7ee76614ffebd297cabed708980cec45
SHA1: 64ffe23df18cd51e287fc650e871601e5cf22e01
SHA256: f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d
SHA512: d07fdb7e5c914f5dc1b24448c06b12b84636259abfc686dd2440375c3877e5769ad196a9934293d3723009292f837efd98fb123c823fd77a0dae8592a02f1d41
SSDEEP: 3072:1En24jTXQKXWhFby1OdlyP8fmgvI7mgnkzR4gMzMXamrL7hybkRYW5:1ERjrQKX2rlDtIyskzCPzMKmM7
Signatures:
- CoreCCC Packer: Detects CoreCCC packer used to load .NET malware.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext

Target: f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
Size: 1.2MB
MD5: 03fa2aa90ad1ce098de68893d83f701d
SHA1: 915306065ac728701614ed4fe03a03168d95bb84
SHA256: f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1
SHA512: db96240a0f996b82ce29e9c0d3da50fd5c26a4cc799ad85e8cc362e6f931fee643a6f3dc452f8000b38f0e4969b8181b51225ccf749c17febbb3afd15d3deac4
SSDEEP: 12288:e5EzeaAcdXmZM1KNrtTCXSnny5doEqXfei/ElljPFnF42s2Bx0teS:0244/gPHoIuS
Score: 7/10
Signatures:
- Executes dropped EXE
- Adds Run key to start application

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
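The ATT&CK mapping above names two persistence techniques, Registry Run Keys / Startup Folder and Scheduled Task/Job, which correspond to the "Adds Run key to start application" and "Drops startup file" signatures on several of the targets. The Python below is an added example and not part of the sandbox report: it classifies Sysmon-style events into those two techniques and raises the severity when the process that persists, or the binary it registers, sits in a user-writable path, which is the "Executes dropped EXE" pattern. The events are constructed for the demonstration (not taken from this analysis), and the technique IDs T1547.001 and T1053.005 are added here; the report lists names only.

```python
"""Classify Sysmon-style events into the two persistence techniques in the
ATT&CK table above.

Added example, not part of the sandbox report. The events below are
constructed for the demonstration, not taken from the analysed samples;
ATT&CK IDs are added here (the report lists technique names only).
"""
import re

# Autostart registry keys: Sysmon Event ID 13 (RegistryEvent SetValue).
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)\\[^\\]+$", re.I)
# Per-user or all-users Startup folder: Sysmon Event ID 11 (FileCreate).
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I)
# Task registration: schtasks /create (Event ID 1) or a task XML dropped (Event ID 11).
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
TASKS_DIR_RE = re.compile(r"\\Windows\\System32\\Tasks\\", re.I)
# Paths a non-elevated dropper can write to; persistence from here is the
# report's "Drops startup file" / "Executes dropped EXE" pattern.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)

T1547_001 = ("T1547.001", "Registry Run Keys / Startup Folder")
T1053_005 = ("T1053.005", "Scheduled Task/Job")


def _finding(technique, actor, payload, reason):
    """Severity is high when the persisting process or the binary it registers
    lives in a user-writable directory; an installer under Program Files that
    adds a Run key is reported low so it can be reviewed rather than paged on."""
    tid, name = technique
    high = bool(USER_WRITABLE_RE.search(actor) or USER_WRITABLE_RE.search(payload))
    return {"technique": tid, "name": name,
            "severity": "high" if high else "low", "reason": reason}


def classify(ev):
    """Return the list of findings for one Sysmon-style event dict."""
    findings = []
    eid, image = ev["EventID"], ev.get("Image", "")
    target = ev.get("TargetObject", "")
    path = ev.get("TargetFilename", "")
    cmd = ev.get("CommandLine", "")
    if eid == 13 and RUN_KEY_RE.search(target):
        findings.append(_finding(T1547_001, image, ev.get("Details", ""),
                                 f"Run key set: {target}"))
    if eid == 11 and STARTUP_DIR_RE.search(path):
        # The shortcut's target is not in the event, so judge by the writing process.
        findings.append(_finding(T1547_001, image, "",
                                 f"file dropped in Startup folder: {path}"))
    if eid == 1 and SCHTASKS_RE.search(cmd):
        # schtasks.exe itself lives in System32; the interesting actor is its parent.
        findings.append(_finding(T1053_005, ev.get("ParentImage", image), cmd,
                                 f"task created: {cmd}"))
    if eid == 11 and TASKS_DIR_RE.search(path):
        findings.append(_finding(T1053_005, image, "",
                                 f"task file written: {path}"))
    return findings


def triage(events):
    """Findings for a batch, each tagged with the index of its event."""
    return [dict(f, event=i) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed events (not from the report), using Sysmon field names.
DROPPER = "C:\\Users\\alice\\AppData\\Local\\Temp\\asdfg.exe"
EVENTS = [
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe"},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": DROPPER,
     "CommandLine": "schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe /sc onlogon /f"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "\"C:\\Program Files\\Vendor\\tray.exe\" /background"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"event {f['event']} {f['severity']:4} {f['technique']} {f['reason']}")
```

The same Run key written by a vendor installer under Program Files lands as a low-severity finding, which keeps the rule useful on a fleet where legitimate software also registers autostarts; tune the user-writable path list to the environment before relying on the split.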