General
-
Target
0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455
-
Size
11KB
-
Sample
240112-2hwxssfhe3
-
MD5
d2e9696ec235cec72512dec6e9ce5935
-
SHA1
dccd11c272d2fa2e700e7b8b51fa6a9a89f9f3ea
-
SHA256
0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455
-
SHA512
573cdf5ac0ebacb05b5043c062d237c7ddf202816b04b3938ab3059f0bb5ef9979c17d04ff869cf86646a87b8df0e40f8d2f4955ba13165c8adbfc1d8b2f138a
-
SSDEEP
192:gzlJOMaLAN+QHzdV4z1ULU87glpK/b26J46667nh5:6lJOM3+qzqULU870gJEM
Static task
static1
Behavioral task
behavioral1
Sample
0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Exodus
91.92.255.187:4449
ypyertvpyqfr
-
delay
1
-
install
true
-
install_file
chromeupdate.exe
-
install_folder
%AppData%
Extracted
redline
Bloomberg
194.33.191.102:21751
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.siscop.com.co - Port:
21 - Username:
pedophile@siscop.com.co - Password:
+5s48Ia2&-(t
Extracted
redline
Exodus
91.92.255.187:1334
Extracted
xworm
secure-connection.portmap.io:62391
-
Install_directory
%AppData%
-
install_file
svc.exe
Extracted
risepro
193.233.132.62:50500
195.20.16.210:50500
Extracted
formbook
4.1
he09
clhear.com
maythunguyen.com
xiongmaoaijia.com
kembangzadsloh.xyz
speedwagner.com
360bedroom.com
campereurorg.top
cwxg2.site
mcdlibre.live
globigprimecompanylimited.com
1707102023-stripe.com
xhfj5.site
mugiwaranousopp.xyz
texmasco.com
sc9999.net
lite.team
8xb898.com
cibecuetowing.top
mgplatinemlak.xyz
southwestharborkeyword.top
mil840.vip
mygovindexhtml.online
pepecasinofun.online
lindalilly.com
4da8.com
gladespringtowing.top
tinblaster.net
jpedwardscoaching.com
toursardegna.net
ngocchiluong.com
darringtontowing.top
oiuajh.xyz
nighvideos.com
15868.mom
blueblaze.app
escachifollad.store
credclub.shop
digitalfreedomhub.com
onemobileal.com
obqk8.site
kelownainsulationservices.com
skywatchnewsstores.com
neu-de-update.com
streamart.live
popla9001.com
theundraftd.com
claims.scot
bonk-token.com
iwoulddye4u.com
tenderherbschool.com
thegoodbeautypodcast.com
nahanttowing.top
moneyshift.store
relaxify.cloud
wjr3x0d.shop
churchsec.net
chromadentalclinic.com
kadeonline.com
frank-cazino.com
desixair.com
cftd4o5.com
ipodenergy.com
kravingsbykiersten.com
richmondvilletowing.top
fino-shop.store
Extracted
xworm
5.0
KspRabpn35rQf3I6
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/yLqnBLCS
Extracted
C:\Users\ONa9v7hKI.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Targets
-
-
Target
0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455
-
Size
11KB
-
MD5
d2e9696ec235cec72512dec6e9ce5935
-
SHA1
dccd11c272d2fa2e700e7b8b51fa6a9a89f9f3ea
-
SHA256
0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455
-
SHA512
573cdf5ac0ebacb05b5043c062d237c7ddf202816b04b3938ab3059f0bb5ef9979c17d04ff869cf86646a87b8df0e40f8d2f4955ba13165c8adbfc1d8b2f138a
-
SSDEEP
192:gzlJOMaLAN+QHzdV4z1ULU87glpK/b26J46667nh5:6lJOM3+qzqULU870gJEM
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Xworm Payload
-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Async RAT payload
-
Formbook payload
-
Renames multiple (171) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1