Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.bin.zip

  • Size

    4KB

  • Sample

    240215-jfld6sce53

  • MD5

    e55c3f47b162b80d5f851348f45e63ac

  • SHA1

    ec9da8e071440f4c4d60e86df0ec65b70aa46699

  • SHA256

    9903e40c6539a1777411cedac1a7eccaa7d816d1971edab3c50328eaa627e14d

  • SHA512

    cb54af488f79dabb5b4daa14d40896299ee05c911eca0aa2d88c626a56908f450d8d55a3040cc33ab202a10d656c0303dd6cdfa372ceaa441db11960eb9820a3

  • SSDEEP

    96:zhsqnSq3YMQpGe4+oXXt+4MduEExtos8ssye69zjO8Mc1PuEdVUe5+lD9:zqqSA7QpGeCXXt+4MIEEToFH69fOhsmt

Score
10/10
asyncratdcratneshtaposhc2smokeloaderxmrigzgratdefaultpub2backdoordropperevasioninfostealerminerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://maxximbrasil.com/themes/config_20.ps1

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

91.193.75.132:9191

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    images.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      4363463463464363463463463.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    asyncratdcratneshtaposhc2smokeloaderxmrigzgratdefaultpub2backdoordropperevasioninfostealerminerpersistenceratspywarestealertrojanupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect Neshta payload

    • Detect ZGRat V1

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • PoshC2

      Penetration testers toolkit for redteam.

      trojandropperposhc2

    • PoshC2 binary

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • XMRig Miner payload

      miner

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Scripting

1
T1064

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

System Information Discovery

1
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks