Resubmissions

11-02-2024 08:10

240211-j212ragb47 10

11-02-2024 08:09

240211-j2kprseb2w 10

09-02-2024 18:28

240209-w4c4xsde9t 10

02-02-2024 12:52

240202-p4dxwsgfej 10

02-02-2024 12:45

240202-pzapnsgdbp 10

16-01-2024 15:29

240116-sw8dbaehh3 10

10-01-2024 14:41

240110-r2wq2ahchl 10

10-01-2024 13:29

240110-qrqatshbg3 10

22-12-2023 08:48

231222-kqp1sadghq 10

General

  • Target

    4363463463464363463463463.bin.zip

  • Size

    4KB

  • Sample

    240202-p4dxwsgfej

  • MD5

    4204f7bcb4ce002240de2af9fc5f4264

  • SHA1

    83fb5688b0cffa93b06719d0fc5b62f70af460c5

  • SHA256

    0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d

  • SHA512

    75a636889904293bb493957af9fecf5ad044ff44bb82c07b550473e6af45931ece7f2e72b53891a90c4045f8d816752414c560d2486f055824f069e6573bf103

  • SSDEEP

    96:fq6yIIHV+fWsPpulzlC8luqtW5idkvRmb/DLr2OtWtvJAsO13uhy5RKd9Wj:BIHV8WN5lu4iiTD/COtSvJAF1Gy5RKdC

Malware Config

Extracted

Family

redline

Botnet

@oni912

C2

45.15.156.209:40481

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Extracted

Family

formbook

Version

4.1

Campaign

jn85

Decoy

106c6423c3.com

vittoriospumpherston.co.uk

furniture-best.com

employersfindme.online

colegioagustinruiz.com

fuziservice.com

differentlokal.com

azzfasst.com

kerncereus.online

johnschottllc.com

disembark-burgeoned.click

cabliviwarranty.com

justzionism.com

diplomy-ua.top

cloudadonis.com

vaalepoxies.africa

ky2088.vip

gsportal.africa

alphastrength-us.com

homerams.com

Targets

    • Target

      4363463463464363463463463.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Formbook payload

    • Downloads MZ/PE file

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks