General
-
Target
Viruses.zip
-
Size
5.8MB
-
Sample
231220-vm3sksbbhm
-
MD5
21622a9eb2855103a8e0c64ba9cd224e
-
SHA1
bd9a37f5e34614ec827542519d74f6017621e96b
-
SHA256
5eed9da22cceaf06a6a5f344c2bc6fd262566b8cb5b905eec21fe5fb28747055
-
SHA512
6e73ab24ec2de95bbc36b51ff0c2852875e2f4b68d75d44008b4b6f25914215aa138637cc40ff9d64142ac7258143c8acd03cf9d851ffbf0b30db545eb55fe6c
-
SSDEEP
98304:LiF4wOg0vSuZprOkSiNkP9LZSjMMLZ3H3P3EHe0zw0xMWD1suZFgxnutpCwzyi+X:LiU5kNZPO9fIe0P1vFgxnutpCwzy3r
Malware Config
Extracted
quasar
1.4.1
LH用户
222.211.73.134:5766
9038eedc-27cc-4d33-89ee-58d63663290c
-
encryption_key
7ACC9A3244425C97D532F4AEAF9D3C292992E14D
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Svchost
-
subdirectory
DismLHYH
Extracted
njrat
0.7d
Lammer
0.tcp.sa.ngrok.io:10977
6dc42ff4b8c2f3659d94a8780ccc2575
-
reg_key
6dc42ff4b8c2f3659d94a8780ccc2575
-
splitter
|'|'|
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.codiis.com - Port:
587 - Username:
manoj.sharma@codiis.com - Password:
AAaa2@@4 - Email To:
manoj.sharma@codiis.com
Targets
-
-
Target
63e601878d77aeba4ba671307f870285.exe
-
Size
351KB
-
MD5
63e601878d77aeba4ba671307f870285
-
SHA1
655c06920e5f737b0a83018acbab4235b9933733
-
SHA256
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
-
SHA512
577f0d63afe96cf38110e04d5a27a205973e273243c6875a8cc78b52c36614ad58b549acb73a1e5a31141dd0246f058f7c2cfc78fc5c4c3c053de65b34552ef3
-
SSDEEP
6144:jyH7xOc6H5c6HcT66vlmr641MkjVxvb1UeRUqptyH7xOc6H5c6HcT66vlmr3UeRw:jaPkPOezaXe/aXek
Score10/10-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
896f1eaa7dc457642682f569e4ffbc21.exe
-
Size
799KB
-
MD5
896f1eaa7dc457642682f569e4ffbc21
-
SHA1
1d65bfd8b10dcdfe5cccfd9a654556a78d4d6c76
-
SHA256
657ab2e0b548b6d45d54b284682a382e33a1ae822194b1d6e17c47ae5e0a115c
-
SHA512
585bf0eddab8a9cc2b86527f584d40f3251535ab90ff5e3c388b6c3c1a371fa76aaf3614b3d0a2770f6a0bbf684c76aab3eea49fc4b7fd4bf1652c197a74c39c
-
SSDEEP
6144:wTVjYQSQ2GhNq2GhNLe4BoFPi84iYuoyOYuWiiv12KsoLAWFrtTTDdCNYXKyxkcx:wNt2iNq2iNNixAyv1TsJWHTTxmG9x
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
DesktopInfo.exe
-
Size
478KB
-
MD5
1dffc8aac34ee4fb6887b82cf16b8b6c
-
SHA1
9c3694157ff387f6b88c79ff66e2300cffb133d9
-
SHA256
59efbfaecb352ef55541257cdc189bb4908e5fc0ba3342748283f64dd1a88a39
-
SHA512
c5e63a1eb6a59b487bed9ec31634ee8177ce0562f50458749a633d0522a0682fcb1ad91943216f580d6f24b6ed0d1a31b21d8178cd578dddd43090eb60328e08
-
SSDEEP
12288:SeVfBdWvVpRY0pXbJ/zgRuVpr0575hdtP:SsaV7zgR+r05Ld
Score1/10 -
-
-
Target
F486525A68BB238B6BF1CB38ABDC4B6D.exe
-
Size
3.1MB
-
MD5
f486525a68bb238b6bf1cb38abdc4b6d
-
SHA1
6d8fb002cd762815e7f2c5bd8894bb3ebaf1803a
-
SHA256
3309f416d4a2e161d05575e4e37b1575d3da3a935bca942f08af5ee1a2d3ed5e
-
SHA512
25cfd7b6dfa6a41d7fe0f9cc1a2884bcb20327df23ff1df2f1fec2b6493746f0e7e6db28f186d40a37a7f0dc97de507191b8b5d15cccbcc38b069b0e75613da9
-
SSDEEP
49152:mvAt62XlaSFNWPjljiFa2RoUYIsJRJ60bR3LoGdI5aTHHB72eh2NT:mvs62XlaSFNWPjljiFXRoUYIsJRJ6+
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Executes dropped EXE
-
-
-
Target
SecuriteInfo.com.Trojan.StartPage.53620.1452.20896.exe
-
Size
772KB
-
MD5
536a0256ae89cec7cc7daa46919c2b40
-
SHA1
a1fa27de963f504218a17f25dce22d185d5f3e6e
-
SHA256
1f92234634ad222b7b1b043beb71944f0f2d3c1e623282ee6047f68061e08abb
-
SHA512
a88f186ccdb4d558336e5bf317e0e3d42d5641ac7de8dc4fdb5a1772d3b0efdbaf8df9c23f033a00cc68a3ed1cfd12bcb687c5ff47707cdaef584fbbcb4958a9
-
SSDEEP
12288:kdZHu1fgy0TjHzjhR6TBPlrvfqveirO4F:kEoyYHXhR6tQveirO4F
Score1/10 -
-
-
Target
aa202ce0c8f108d0a633d5acfd5059c4.exe
-
Size
23KB
-
MD5
aa202ce0c8f108d0a633d5acfd5059c4
-
SHA1
13262010d714b2eaf6e4a360543811285957e69c
-
SHA256
b21ad9fd00a171f448646277bf44b6ae551ec37d154acd6f73de6bd4566c0995
-
SHA512
78860014d6c7202ae49f05a71349170dbc711fdf8312b21dfe61a159b26f22783de7340c6fc1d812455730f71cbd86262415c6c4168f47219ca02de9da9d5c19
-
SSDEEP
384:0+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZSg:Dm+71d5XRpcnuU
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Drops startup file
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
hmpalert pre-patched.exe
-
Size
5.6MB
-
MD5
2c0257680feb1b4b177f3dde415769b7
-
SHA1
82a79696bfac4b92c364910d21e056310689982e
-
SHA256
62aafb3198a54b53fef94605b1dc1eeb6141ef78fc5f5b3bc7326b6f59211cb2
-
SHA512
eb590e1dd19aa0d3654f847ac006552a6a05fed184e773194325cc4982d85890e20642e247f28f82ea01c41c632785a2448ec9967a62f949a50859e069b22c61
-
SSDEEP
98304:129LO3/tcOfzmdoVMWiQ+jJtPPlBU43ki8/Fks51Ku/pwHNMf9kebgg:129LkdMw+dBUi8D1jpwHNMf9keb
Score8/10-
Drops file in Drivers directory
-
Sets file execution options in registry
-
Registers COM server for autorun
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
2Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3