Overview

overview

10

Static

static

10

The-MALWAR...er.zip

windows7-x64

10

Resubmissions

08-02-2024 01:32

240208-bx7pqsbg96 10

27-01-2024 14:19

240127-rmwgqadhc4 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    The-MALWARE-Repo-master.zip

  • Size

    199.9MB

  • Sample

    240208-bx7pqsbg96

  • MD5

    cdf4e0a856fc08e09a62ffdf933cae54

  • SHA1

    4f148768a5083e524bf9a28cb967f936565550c4

  • SHA256

    2d9bb4e3fddfe5dc51c54cba74a1eb594c7be9d34774524d972350edd85e6499

  • SHA512

    35a7c6f3ec10eba8eb46759cbff7ff5568191e53e0d78227000b9bc9ed014920024f7b18a96ae2ae6ed4b72aaa804fcf4b5128a088723c2966023f6c3a60d1a5

  • SSDEEP

    6291456:9vTD0Y5thtdnP0If6fx++o7OTlNmP8nQhkXfW:1D0Y5thtdnPVo4+wOTlg4TPW

Score
10/10
cerbercryptolockerdarkcometdharmamodiloadernjratremcosrevengeratwipelockgeforceguesthostaspackv2discoveryevasionmacromacro_on_actionpersistenceransomwarespywarestealerupx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Geforce

C2

startitit2-23969.portmap.host:1604

Mutex

b9584a316aeb9ca9b31edd4db18381f5

Attributes
  • reg_key

    b9584a316aeb9ca9b31edd4db18381f5

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735
Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Userdata.exe

  • copy_folder

    Userdata

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    remcos_vcexssuhap

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Path

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\_R_E_A_D___T_H_I_S___SKIVERP_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/3129-A647-E9B4-0098-B41D Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/3129-A647-E9B4-0098-B41D 2. http://xpcx6erilkjced3j.19kdeh.top/3129-A647-E9B4-0098-B41D 3. http://xpcx6erilkjced3j.1mpsnr.top/3129-A647-E9B4-0098-B41D 4. http://xpcx6erilkjced3j.18ey8e.top/3129-A647-E9B4-0098-B41D 5. http://xpcx6erilkjced3j.17gcun.top/3129-A647-E9B4-0098-B41D ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.1n5mod.top/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.19kdeh.top/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.1mpsnr.top/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.18ey8e.top/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.17gcun.top/3129-A647-E9B4-0098-B41D

Targets

    • Target

      The-MALWARE-Repo-master.zip

    • Size

      199.9MB

    • MD5

      cdf4e0a856fc08e09a62ffdf933cae54

    • SHA1

      4f148768a5083e524bf9a28cb967f936565550c4

    • SHA256

      2d9bb4e3fddfe5dc51c54cba74a1eb594c7be9d34774524d972350edd85e6499

    • SHA512

      35a7c6f3ec10eba8eb46759cbff7ff5568191e53e0d78227000b9bc9ed014920024f7b18a96ae2ae6ed4b72aaa804fcf4b5128a088723c2966023f6c3a60d1a5

    • SSDEEP

      6291456:9vTD0Y5thtdnP0If6fx++o7OTlNmP8nQhkXfW:1D0Y5thtdnPVo4+wOTlg4TPW

    Score
    10/10
    cerbercryptolockerdharmadiscoveryevasionpersistenceransomwarespywarestealerupx

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

      ransomwarecerber

    • CryptoLocker

      Ransomware family with multiple variants.

      ransomwarecryptolocker

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (62) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Contacts a large (1092) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

3
T1112

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Service Discovery

1
T1046

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Remote System Discovery

1
T1018

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Resource Development

Reconnaissance

Tasks