General
-
Target
231107-bz5yxsbb62_pw_infected.zip
-
Size
198.7MB
-
Sample
240107-w3ew5aceh9
-
MD5
ddcebc8ed5bf63482fa43256738ababa
-
SHA1
4d4dc2548b990fa958d4f7f6628c2e4e1d5d1bca
-
SHA256
1afe857d1b5f2c0ff48ebbd2f32abf11f9b310416b1273e77adc7ee37f001ff8
-
SHA512
6aa9b10beaead4abd9404b5cb63e7214748127ef5f3e7d89929a70b534c4d98633fee7fd6b8082feac806f540128d08d152cb763383a0bd8c2b6ab19554b2eef
-
SSDEEP
6291456:rW9ezadSq+3+rgYYQFO8G8W0a8cvsny/mvvLwpJzX0:MBs+vU8nNy/tHk
Malware Config
Extracted
raccoon
5ba094fed1175cc7d1abb03fa165c23c
http://79.137.207.53/
-
user_agent
901785252112
Extracted
privateloader
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://45.133.1.182/proxies.txt
45.133.1.60
http://37.0.10.214/proxies.txt
http://37.0.10.244/server.txt
37.0.10.237
-
payload_url
https://vipsofts.xyz/files/mega.bmp
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
Extracted
stealc
http://robertjohnson.top
-
url_path
/e9c345fc99a4e67e.php
Extracted
nullmixer
http://hsiens.xyz/
Extracted
gcleaner
ppp-gl.biz
45.9.20.13
Extracted
agenttesla
Protocol: smtp- Host:
mail.tecnosilos.com.py - Port:
587 - Username:
southmnn@tecnosilos.com.py - Password:
38q{r,bs)M;E - Email To:
pinchuu@ericbarnd.com
https://discord.com/api/webhooks/1169917901906653224/YjkyFWX_CawSIPQ02zeV3XExHGtDteoh-fLuvdqIFqL772Pb__cJUtnVv4DqDRhm0ks1
https://api.telegram.org/bot6857395601:AAEr0Ki03_UqNs4qlOxRNOhnjU8odyo6de4/
Extracted
agenttesla
Protocol: ftp- Host:
ftp://peruglobo.com - Port:
21 - Username:
freemason@peruglobo.com - Password:
YSw&oCV&c23w
Extracted
smokeloader
pub5
Extracted
redline
ANI
194.104.136.5:46013
-
auth_value
9491a1c5e11eb6097e68a4fa8627fda8
Extracted
smokeloader
2020
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
Extracted
redline
she
135.181.129.119:4805
-
auth_value
b69102cdbd4afe2d3159f88fb6dac731
Extracted
lumma
http://zamesblack.fun/api
Extracted
Protocol: smtp- Host:
mail.subvijay.com - Port:
587 - Username:
contact@subvijay.com - Password:
JaiMataDi2209
Extracted
redline
pab777
185.215.113.15:6043
Extracted
vidar
40.3
706
https://lenko349.tumblr.com/
-
profile_id
706
Targets
-
-
Target
Samples 1/0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd.exe
-
Size
5.6MB
-
MD5
a121db3e0809289a5c41c44958ff6fa0
-
SHA1
fd40bbe6eaeea4004046f65a8c647fabb35e1742
-
SHA256
0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd
-
SHA512
0e4af224ea67c07bdce0bae3b4040d900e2c011557ef55d8d0e68d596826561a8d4f3b553cc3290cf60e87ccee975deb65c1de9553fabfee5f67268935d8081f
-
SSDEEP
98304:JVw5AxSbnFouWDC50KmHeIQT8ZVK+zoN3aZdKfFEqsJtn05C5H+ZB3pjHOR:Ja5AeFeC5UH5a87/oN3aZdKNyxeCH+ZY
Score10/10-
Detect Fabookie payload
-
Fabookie
Fabookie is facebook account info stealer.
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars payload
-
OnlyLogger payload
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
-
-
Target
Samples 1/0dc8b4659b84d8d9b96e544279da980b36301253912a043b5e48c9bd7bb6e09f.exe
-
Size
349KB
-
MD5
0f3e1e309ee9dae28670d40e495566c1
-
SHA1
869988a2a32e1d83425fcf4b9ccc946368ac4768
-
SHA256
0dc8b4659b84d8d9b96e544279da980b36301253912a043b5e48c9bd7bb6e09f
-
SHA512
e25017d98af6bd527d200fcc5b0077c33b6610cfecbff68312abba21b0e0ab3dea208dd37de73705ba3210bf76cc1fd4148c943e9a64bbc05b16b8a099ff6dd9
-
SSDEEP
6144:t7s78K51VhaZ0zc9in+ZExwHNnIjKlMstZvF9w8kZelBs27dU:i8mhaqzkcxW0KmsXtTgelBs27m
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples 1/1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
-
Size
762KB
-
MD5
3e9a543b85c85a0b808902b0b6cef9b2
-
SHA1
29d589b838b4e1a5e54a6bfe52da0d5859609865
-
SHA256
1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695
-
SHA512
f212b3a2f4c25701df3f41be93c13cf9a6a84e1affd4e8b0f7b9fb5bc0689a1b3a1c55052c99fca314f540199997a8c265f9f447fe8b013a085a199a7fffb3c6
-
SSDEEP
12288:aHW7TohIU2CoLBPdV+GLBOeUjYb9qUp5jlnRLm5bvL2z4is:a27SELNdYGL8eUjYbMUp5RnRLm5LLw4
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples 1/1f2a3d598734fe566de2054f3c73fd2245fc6023f0740bdbae88a076f508ebd2.exe
-
Size
3.2MB
-
MD5
f23a2c6dfaeceefb067b42df7b09c2e5
-
SHA1
77f744dc208d542f438bae3dc97398c769dffc90
-
SHA256
1f2a3d598734fe566de2054f3c73fd2245fc6023f0740bdbae88a076f508ebd2
-
SHA512
9020004b0b77aaf9ee6b6429763c19b7a2360ee06835cb5bed9a1b724241752ac5f1c9013346bf8971d6dd217495e71b59ee423830e13f3c9dc1bdb6cced6028
-
SSDEEP
98304:xQCvLUBsgjDAzKDFW/1+Y6MojWEpww/CPJs:xtLUCg4QFi/olpww/CRs
Score10/10-
Detect Fabookie payload
-
Fabookie
Fabookie is facebook account info stealer.
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Samples 1/2a6e81706ec02af2afc1254ac19dcf89203bc0cefd6d6df5cf57cd9c70526c6c.exe
-
Size
4.9MB
-
MD5
f81a0abe9131fdd7a1d535dbab8e5451
-
SHA1
3226bdbf0df5318609c7fd03453aa5c97636d89a
-
SHA256
2a6e81706ec02af2afc1254ac19dcf89203bc0cefd6d6df5cf57cd9c70526c6c
-
SHA512
7adf59348b9846406b89a3d497a6e92e565ed5ad5fbba1af22b427fb12d76980e18f33b7b39ac0ac0c0becc28fac603795fc427dd2c2ddaca1ff736e10531f96
-
SSDEEP
98304:7hgMyAGrNbegrraSASKPZml0Vq2t0NLUgja3onb+Yi8Omh:NgMyACpDranrXUfNLtAbY4mh
Score10/10-
Detect Lumma Stealer payload V4
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
-
-
Target
Samples 1/2bee29bac294615a9d1b613ba775972cda26781938e3ae3aa60ad9737f1fbde8.exe
-
Size
253KB
-
MD5
09e6dc2b8078d3dd8f661b718bfa1b51
-
SHA1
0179a6d09224b0f764140218af8005d3d253966b
-
SHA256
2bee29bac294615a9d1b613ba775972cda26781938e3ae3aa60ad9737f1fbde8
-
SHA512
884540c36743c7488c3e117e41319e9abe48a0af708c27336550dea6a387d4d3f16970417f9b5b49d3ec11bb1872e0e7d0d2ea4a4f42af25a27995297ba6f15d
-
SSDEEP
3072:cFRNd9JnGLn/tFCmpnnbTLQ8lHVvJ+5vxjyOgPBWQeNUtlkq5X+blVEf:mRNd9tGLnlFJpnbTLQ8JWp+OQFtt+DI
Score10/10-
Stealc
Stealc is an infostealer written in C++.
-
-
-
Target
Samples 1/2c17c6ecd63459b4442629093178ca786b4754244e1d879cef8520ce3e471d4f.exe
-
Size
771KB
-
MD5
7f76661ae3b0692fb7e422b5d6094fd0
-
SHA1
0e3c626cd190ae02fc3addecc83927076a34802a
-
SHA256
2c17c6ecd63459b4442629093178ca786b4754244e1d879cef8520ce3e471d4f
-
SHA512
693a826997a6ecde662d41919a39b87cc64bef31adc06c108f61d8415fd410a1f87ad62b9cbc6e3ca223ee0f72b117fdaaa39ae6d2c067de62617a0da6162669
-
SSDEEP
24576:yCzbiITNmDIdUatqhV5OqRFJeeXYJbGEfE:Xzbi8pqhbvXYJbGs
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples 1/3bb40bab103c5f34e08a2c179ea379abd37d9861d7f6ac3d56d5c0d693b4260a.exe
-
Size
39KB
-
MD5
815996cd5d7442c707261c1b30dd1042
-
SHA1
fd331e80c76444662ec0947e591441ec97ca1dfa
-
SHA256
3bb40bab103c5f34e08a2c179ea379abd37d9861d7f6ac3d56d5c0d693b4260a
-
SHA512
aedd19e77f7750b46ad847debc483c46237d83f9f96be9a5b3793c8c63eecdc49699c568dc2d4217c6762d9ad0679771cea4e730bb24c673953dbaf4342b65e7
-
SSDEEP
768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8lB4dCOBy/G7:ZzFbxmLPWQMOtEvwDpj38lD/q
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Samples 1/3c36a35096a0e4ad330d8ae5953d844db3af5d0fa1780782a6a1adf32550fda5.exe
-
Size
298KB
-
MD5
eb19ddb285085033d7b220c1feedb275
-
SHA1
ac869d17200d9bab4b0006de63aa73c099d4c4f1
-
SHA256
3c36a35096a0e4ad330d8ae5953d844db3af5d0fa1780782a6a1adf32550fda5
-
SHA512
2a75477909d93b7ff32c82a82d02811e762d163b51389d66cecd121af6becf568f0419ef1540b0c73853551cce4090ed5f0e9cbeac44716d983a93fa1602b280
-
SSDEEP
6144:HVlCXpK0gtQfDFf8834rj1MJ6/57r7q5OePseHiE3Vw9JZNE:1lCXpH7J883wZu6/lfq5OeFByJPE
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples 1/3c5720111b5562bdbcef0ac01a7d4fcf47ad75af43f84220129c0a1abb5e65f4.exe
-
Size
742KB
-
MD5
6a5599535b36e8f4c9b6ee93fbac5d7b
-
SHA1
ef2d05734be03c9daa29b18aff428204770ba57c
-
SHA256
3c5720111b5562bdbcef0ac01a7d4fcf47ad75af43f84220129c0a1abb5e65f4
-
SHA512
ea8a9ee60f3160c3b55c6b2b1527b74bd36bdf50ad63cbf74d4bc83b1b45010dfa7620d73482fc55bd7ff717b90726b14fe327828c69dbdf457795630f8a6e5e
-
SSDEEP
12288:NRFk2DLWEHmW2JnRLFlTj99JkI7oyCKYJQSUlO3RmJzY3Kk0J562LAcjgSx9ilp1:7CtFJj9cIxNuXo5zAfs9u/hH9H
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples 1/3d52822949346df4385fc98bf246b67f2667b4959cf15e490072ba00bbff59c3.exe
-
Size
82KB
-
MD5
8f84d63772a6cf26c6347dcf84f8152e
-
SHA1
5fd02e0feca98db01fd4a08dec8706dbf5c48645
-
SHA256
3d52822949346df4385fc98bf246b67f2667b4959cf15e490072ba00bbff59c3
-
SHA512
bba2ba53df1b2cd85f1170dd6803bdd9b05f1c046b3df116e80bfa4cee7157821a1f28e6b8d6bb5fbb3003301a3d06a11d2e31e8a9e03556bb2f8eeb6b81263d
-
SSDEEP
1536:ZzFbxmLPWQMOtEvwDpj386Sj/Rs580gizi:ZVxkGOtEvwDpjc3
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Samples 1/3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7.exe
-
Size
8.3MB
-
MD5
a2d3e4fd65182c4ca56f1ec78131acc5
-
SHA1
baab9ae70a2df25c3692886fe031e8d26080aeb7
-
SHA256
3f3c3378e66bb67a7d1c45784e1d297a086abfd7591268e65d90ad10bd12d1c7
-
SHA512
31726ede8167e38cf71d17107098bbf806294fb2f1c64da237f583691e2e6d35f293130c8e1ccea37fbe9af07cbd2f71379a902cc7c3e0cd80c7c0e65c5e6357
-
SSDEEP
196608:ErV67DFXZM2t60xR4UbC1m94O9A9ddFq/gnR:EkFXt/RbbCY9B9AfmYR
Score10/10-
Detect Lumma Stealer payload V4
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples 1/4de3272c8195c4473cfa3c3abaaf682c7975ee0dc02f555fb5ac8588dcf3af26.exe
-
Size
751KB
-
MD5
eddf2a07df11d98e37544ea249a3d86f
-
SHA1
de40acaeb9a15ed6929f1a3cdc20fc5dac6e1690
-
SHA256
4de3272c8195c4473cfa3c3abaaf682c7975ee0dc02f555fb5ac8588dcf3af26
-
SHA512
07ab5c45cf51778bf775c317345a123cf0f79cc4ed3f39d9a39a8232d733b96bebd2ed49ed5d73eaee821e93085fc34ad55de27208a825893c9ac4c8a1fac713
-
SSDEEP
12288:URFk2rLWhFJ6pdluOcI8O2rruxS8acVKBjM9giDQTX/bZIMlPmvfdSLNifF6xWqm:wCtWcVrub2jF7ble3dSLAN6sqZ1EtD
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples 1/5cc02305d7b5cb0675f2ac65422a115aa44d8f28e5a2b759470d17d6bf851a3a.exe
-
Size
940KB
-
MD5
87fadafde153ec4d73a358c4897e54e6
-
SHA1
1745ada809a9e80f80ce8a38d2bb5858378a4206
-
SHA256
5cc02305d7b5cb0675f2ac65422a115aa44d8f28e5a2b759470d17d6bf851a3a
-
SHA512
15331c1964c1abfcdd31e2c3b40a744b0e33bf7df5c9749be1047d384cf5d34e86655d16fba2601156c56178b8f0e3e90405a70bd22d2f5794ff948c16881b88
-
SSDEEP
12288:RCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgagHCZu8i7iq:RCdxte/80jYLT3U1jfsWaqeHfQ
Score1/10 -
-
-
Target
Samples 1/5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe
-
Size
1.7MB
-
MD5
fee771c9a50a56880f6bce04874f6f5c
-
SHA1
e5a9f281eb91405004cd4f347db7b5f23f8d6b8f
-
SHA256
5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91
-
SHA512
e1cb760ddc11d2eeba73fd5bd3baabcebc82c7f41ed9a7cc2d7e30bf527ac6aaf3593536a57c3ac546ecf29b1521764f0412062a811645d0bbcf739ca579f422
-
SSDEEP
24576:3eHTg0cKA71b0+P7tT4o+AVDT2wEpXs+XFJP+jP2jetVS7cb6z54R7u9ud9Xu9cI:3TrTqAVm/JRX2IetVz6mRuaxt
Score10/10-
Detect Lumma Stealer payload V4
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Samples 2/10f4e5b89953a29f22a64373ec33b585af9b406a18710fec96d3adab993cbcc4.exe
-
Size
572KB
-
MD5
83bcd5d811db9cbd752872045a6adc88
-
SHA1
2307fc3e1bfdd0b4a3bbdd675e4e069506f99d88
-
SHA256
10f4e5b89953a29f22a64373ec33b585af9b406a18710fec96d3adab993cbcc4
-
SHA512
af7c8334de95f8c5ab16baa27ec2973318a9602f622188452b614316970af753a2d031bea2e86deee90d456b831adae6e0c7bb57a3333e4045e18feee770f167
-
SSDEEP
12288:eIktQbNKU6ZUyABErB5f524FWYefpA00L4zrm7PHs:e2Z76HBR8fYIdm4/g/s
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Subvert Trust Controls
2Install Root Certificate
2