allcome

General

Target

4363463463464363463463463.bin
Size

10KB
Sample

240205-rndnashfe8
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@PixelsCloud

C2

94.156.67.230:13781

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://5.148.32.222:8443/A56WY

Extracted

Family

xworm

Version

5.0

C2

canadian-perspectives.gl.at.ply.gg:33203

Mutex

TLsk4Xp0P8GNpwQw

Attributes

Install_directory
%AppData%
install_file
msedge.exe

aes.plain

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

lumma

C2

https://willpoweragreebokkskiew.site/api

https://braidfadefriendklypk.site/api

Targets

- Target
  
  4363463463464363463463463.bin
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

fabookie metasploit redline xworm zgrat @pixelscloud backdoor infostealer rat spyware stealer trojan upx allcome formbook lumma smokeloader pub2 persistence
- Allcome
  A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
  stealer allcome
- Detect Fabookie payload
- Detect Xworm Payload
- Detect ZGRat V1
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Detects executables packed with unregistered version of .NET Reactor
- Formbook payload
  rat
- UPX dump on OEP (original entry point)
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2