General
-
Target
4363463463464363463463463.bin.zip
-
Size
4KB
-
Sample
240129-pg3mqsbaap
-
MD5
4631cbe175fad05910b1139561fc91ea
-
SHA1
73a34a73b513af9aed3447e60f1800cb1f3659d0
-
SHA256
1dfb7d09daa0bece4197d998a72acac7deebaf2ff54b4461667495a41240d0e8
-
SHA512
d0f99552dc38a334111756828d6bea33c3c02f856b2a7158fecba21d334965f009678fb6696ef955edbdd9d4c8c31eaba5e99933060c2f6139b8bf88ccb5f5c7
-
SSDEEP
96:m+oAmv2DIQNrEXStcOxJRvOy1pf8iyOo6CH8ecxeZJeK3SSmjHIge:Ntmv2DjNrEX+PxLub6CceckZJeKh2HU
Malware Config
Extracted
Protocol: ftp- Host:
apps.saintsoporte.com - Port:
21 - Username:
appftp - Password:
$ftp365284$
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
82.115.223.244:4449
fnpxcekdvtg
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
redline
@RLREBORN Cloud (TG: @FATHEROFCARDERS)
141.95.211.148:46011
Extracted
redline
Exodus
93.123.39.68:1334
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Default
93.123.39.68:4449
kszghixltbdczq
-
delay
1
-
install
true
-
install_file
chromeupdate.exe
-
install_folder
%AppData%
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdcc
-
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0846ASdw
Extracted
xworm
91.92.249.37:9049
aMtkXNimPlkESDx9
Extracted
vidar
7.6
1b9d7ec5a25ab9d78c31777a0016a097
https://t.me/tvrugrats
https://steamcommunity.com/profiles/76561199627279110
-
profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097
Extracted
amadey
3.85
http://45.9.74.141
http://45.9.74.166
-
install_dir
c2868ed41c
-
install_file
bstyoops.exe
-
strings_key
8709db734eb892ca90360229fc73d3ae
-
url_paths
/b7djSDcPcZ/index.php
Extracted
lumma
https://gearboomchocolateowfs.site/api
Extracted
stealc
http://185.172.128.79
-
url_path
/3886d2276f6914c4.php
Extracted
amadey
4.17
http://5.42.66.29
-
install_dir
f60f0ba310
-
install_file
Dctooux.exe
-
strings_key
f34f781563773d1d56ad6459936524d1
-
url_paths
/b9djjcaSed/index.php
Extracted
asyncrat
Default
38.181.25.204:5858
ifyviyeiimfgf
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
amadey
4.15
http://185.172.128.63
-
install_dir
6187fcb526
-
install_file
Dctooux.exe
-
strings_key
cd3b2619c9009c441355ae581d53163e
-
url_paths
/v8sjh3hs8/index.php
Extracted
https://maxximbrasil.com/themes/config_20.ps1
Extracted
redline
adel
62.233.51.177:14107
-
auth_value
6ba5b78fc0fccdad3cc87ea2ca866fc2
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
metasploit
windows/reverse_tcp
193.117.208.148:7800
Extracted
redline
193.26.115.228:19267
Extracted
smokeloader
pub1
Extracted
redline
LogsDiller Cloud (Telegram: @logsdillabot)
51.210.137.6:47909
-
auth_value
c2955ed3813a798683a185a82e949f88
Extracted
redline
socicalbot
149.28.205.74:2470
-
auth_value
9c51f0d7102febd61d441fffb9c4bb47
Targets
-
-
Target
4363463463464363463463463.bin
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Lumma Stealer payload V2
-
Detect Lumma Stealer payload V4
-
Detect Neshta payload
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detect ZGRat V1
-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies WinLogon for persistence
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Stealc
Stealc is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xworm
Xworm is a remote access trojan written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Creates new service(s)
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Stops running service(s)
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies file permissions
-
Modifies system executable filetype association
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Defense Evasion
Modify Registry
9Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
1Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
2File and Directory Permissions Modification
1Scripting
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1