General

  • Target

    4363463463464363463463463.bin.zip

  • Size

    4KB

  • Sample

    231226-cgymkagaa3

  • MD5

    68a36562972ca1b9360fc31fede207c2

  • SHA1

    e4e4ecc7fd9a72a63da9fb650075d29c93f6808a

  • SHA256

    7db7d06dc769693ddfc84db1cefd6b32f432bc2c72144c3d8358820d29e273a7

  • SHA512

    0967bd97c5f3bf7c3419a86bc7ccd78518023ca08c12b7cd2aaaf5478cba1bddf4eca28167023e3da0f1dc03ba83477b0d9606678c30804e0abcec427891ebdb

  • SSDEEP

    96:IoI+slkUZ37/1bEHZVUIEc6h7boUFWBQRtb6X6wxsHA:IoItkS/CUIj+boUFaQzwxsg

Malware Config

Extracted

  • Family

    allcome

  • C2

    http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=Fate1337

  • Wallets


Extracted

  • Family

    agenttesla

  • Credentials

Extracted

  • Family

    smokeloader

  • Botnet

    up3

Extracted

  • Family

    redline

  • Botnet

    @ssmvw2

  • C2

    45.15.156.167:80

Extracted

  • Family

    metasploit

  • Version

    encoder/shikata_ga_nai

Extracted

  • Family

    metasploit

  • Version

    windows/shell_reverse_tcp

  • C2

    127.0.0.1:12346

Extracted

  • Family

    vidar

  • Version

    55.7

  • Botnet

    1827

  • C2

    https://t.me/deadftx

    https://www.ultimate-guitar.com/u/smbfupkuhrgc1

    http://116.202.2.1:80

  • Attributes

    profile_id: 1827

Extracted

  • Family

    metasploit

  • Version

    windows/reverse_tcp

  • C2

    193.117.208.148:7800

Targets

    • Target

      4363463463464363463463463.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Allcome

      A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Deletes Windows Defender Definitions

      Uses the mpcmdrun utility to delete all AV definitions.

    • Detect Xworm Payload

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies security service

    • ParallaxRat

      ParallaxRat is a multipurpose RAT written in MASM.

    • ParallaxRat payload

      Detects the payload of Parallax Rat, a small portable RAT usually digitally signed with a Sectigo certificate.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies boot configuration data using bcdedit

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open source packer.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Technique (ATT&CK ID): matched signature count

Execution

  • Command and Scripting Interpreter (T1059): 2
  • Scripting (T1064): 1
  • Scheduled Task/Job (T1053): 1

Persistence

  • Create or Modify System Process (T1543): 3
  • Windows Service (T1543.003): 3
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Pre-OS Boot (T1542): 1
  • Bootkit (T1542.003): 1
  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 3
  • Windows Service (T1543.003): 3
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Impair Defenses (T1562): 3
  • Modify Registry (T1112): 3
  • Virtualization/Sandbox Evasion (T1497): 1
  • File and Directory Permissions Modification (T1222): 1
  • Scripting (T1064): 1
  • Pre-OS Boot (T1542): 1
  • Bootkit (T1542.003): 1
  • Subvert Trust Controls (T1553): 1
  • Install Root Certificate (T1553.004): 1

Credential Access

  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 5
  • Virtualization/Sandbox Evasion (T1497): 1
  • System Information Discovery (T1082): 5
  • Network Service Discovery (T1046): 1
  • Process Discovery (T1057): 1
  • Remote System Discovery (T1018): 1

Collection

  • Data from Local System (T1005): 1

Command and Control

  • Web Service (T1102): 1

Impact

  • Service Stop (T1489): 1

Tasks