Overview

overview

10

Static

static

3

4363463463...63.exe

windows10-1703-x64

10

4363463463...63.exe

windows11-21h2-x64

10

Resubmissions

29-01-2024 12:18

240129-pg3mqsbaap 10

21-01-2024 16:07

240121-tkz38sefc2 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.bin.zip

  • Size

    4KB

  • Sample

    240121-tkz38sefc2

  • MD5

    4631cbe175fad05910b1139561fc91ea

  • SHA1

    73a34a73b513af9aed3447e60f1800cb1f3659d0

  • SHA256

    1dfb7d09daa0bece4197d998a72acac7deebaf2ff54b4461667495a41240d0e8

  • SHA512

    d0f99552dc38a334111756828d6bea33c3c02f856b2a7158fecba21d334965f009678fb6696ef955edbdd9d4c8c31eaba5e99933060c2f6139b8bf88ccb5f5c7

  • SSDEEP

    96:m+oAmv2DIQNrEXStcOxJRvOy1pf8iyOo6CH8ecxeZJeK3SSmjHIge:Ntmv2DjNrEX+PxLub6CceckZJeKh2HU

Score
10/10
asyncratdcratriseprosectopratsmokeloaderzgratdefaultpub1backdoordiscoveryevasioninfostealerratstealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

risepro

C2

185.149.146.75:50500

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:1604

185.169.180.209:1604
Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      4363463463464363463463463.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    smokeloaderpub1backdoortrojanasyncratdcratriseprosectopratzgratdefaultdiscoveryevasioninfostealerratstealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect ZGRat V1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Async RAT payload

      rat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks