Overview

overview

10

Static

static

10

VoidFiles4.zip

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VoidFiles4.zip

  • Size

    661.1MB

  • Sample

    231227-s1r7wsaga4

  • MD5

    e03ec64a5d231195443ac83b2001b954

  • SHA1

    48d7873114da7e67a1e90146d6dcdf79157ce29c

  • SHA256

    98287b8ebb776856273aee94a611b02d31b3f645c7c88bfa44779883d01020a6

  • SHA512

    02c733532f941cfb8ce3343a433b13547cf0fac60b827003bc4a7bf71b7a55d8235f38e0cef0c13b10814c9d6a293c69dab16f2dd9aa3bf92377b37ac3314fa9

  • SSDEEP

    12582912:OC62QueGfBSPQ8ihONgrdAqFBjxU1ZIOU09mJjK5W19ITTCC7DIreyElxIDr1Li3:OZ3kSPQ8GOQPBjxU1vdAOK9SeCCQe31I

Score
10/10
asyncratcrealstealerredlinexwormnewguysmicrosoftdiscoveryinfostealerpersistencephishingpyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

46.105.147.140:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

newguys

C2

46.105.147.140:1602

Mutex

exjdbhvmrzsekzqd

Attributes
  • delay

    1

  • install

    false

  • install_file

    svchost

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      VoidFiles4.zip

    • Size

      661.1MB

    • MD5

      e03ec64a5d231195443ac83b2001b954

    • SHA1

      48d7873114da7e67a1e90146d6dcdf79157ce29c

    • SHA256

      98287b8ebb776856273aee94a611b02d31b3f645c7c88bfa44779883d01020a6

    • SHA512

      02c733532f941cfb8ce3343a433b13547cf0fac60b827003bc4a7bf71b7a55d8235f38e0cef0c13b10814c9d6a293c69dab16f2dd9aa3bf92377b37ac3314fa9

    • SSDEEP

      12582912:OC62QueGfBSPQ8ihONgrdAqFBjxU1ZIOU09mJjK5W19ITTCC7DIreyElxIDr1Li3:OZ3kSPQ8GOQPBjxU1vdAOK9SeCCQe31I

    Score
    10/10
    asyncratredlinexwormnewguysmicrosoftdiscoveryinfostealerpersistencephishingratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks