Resubmissions

11-02-2024 08:10

240211-j212ragb47 10

11-02-2024 08:09

240211-j2kprseb2w 10

09-02-2024 18:28

240209-w4c4xsde9t 10

02-02-2024 12:52

240202-p4dxwsgfej 10

02-02-2024 12:45

240202-pzapnsgdbp 10

16-01-2024 15:29

240116-sw8dbaehh3 10

10-01-2024 14:41

240110-r2wq2ahchl 10

10-01-2024 13:29

240110-qrqatshbg3 10

22-12-2023 08:48

231222-kqp1sadghq 10

General

  • Target

    4363463463464363463463463.bin.zip

  • Size

    4KB

  • Sample

    240110-r2wq2ahchl

  • MD5

    4204f7bcb4ce002240de2af9fc5f4264

  • SHA1

    83fb5688b0cffa93b06719d0fc5b62f70af460c5

  • SHA256

    0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d

  • SHA512

    75a636889904293bb493957af9fecf5ad044ff44bb82c07b550473e6af45931ece7f2e72b53891a90c4045f8d816752414c560d2486f055824f069e6573bf103

  • SSDEEP

    96:fq6yIIHV+fWsPpulzlC8luqtW5idkvRmb/DLr2OtWtvJAsO13uhy5RKd9Wj:BIHV8WN5lu4iiTD/COtSvJAF1Gy5RKdC

Malware Config

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

cheat

C2

103.173.227.25:12664

Extracted

Family

redline

Botnet

kent

C2

89.23.98.143:11627

Attributes
  • auth_value

    24d164ebaf8f462b9dc88d186199283b

Extracted

Family

amadey

Version

4.15

C2

http://5.42.66.0

Attributes
  • install_dir

    2154552ab1

  • install_file

    Dctooux.exe

  • strings_key

    6336764a2dd0b02921ade5383944a3f8

  • url_paths

    /f7Vkbh7X/index.php

rc4.plain

Targets

    • Target

      4363463463464363463463463.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Socks5Systemz Payload

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Modifies firewall policy service

    • Modifies security service

    • Modifies visiblity of hidden/system files in Explorer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Disables taskbar notifications via registry modification

    • Disables use of System Restore points

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Looks for VMWare services registry key.

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Sets service image path in registry

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks