General
Target: 4363463463464363463463463.bin.zip
Size: 4KB
Sample: 240215-jfld6sce53
MD5: e55c3f47b162b80d5f851348f45e63ac
SHA1: ec9da8e071440f4c4d60e86df0ec65b70aa46699
SHA256: 9903e40c6539a1777411cedac1a7eccaa7d816d1971edab3c50328eaa627e14d
SHA512: cb54af488f79dabb5b4daa14d40896299ee05c911eca0aa2d88c626a56908f450d8d55a3040cc33ab202a10d656c0303dd6cdfa372ceaa441db11960eb9820a3
SSDEEP: 96:zhsqnSq3YMQpGe4+oXXt+4MduEExtos8ssye69zjO8Mc1PuEdVUe5+lD9:zqqSA7QpGeCXXt+4MIEEToFH69fOhsmt
Static task: static1

Malware Config
Extracted: https://maxximbrasil.com/themes/config_20.ps1
Extracted: smokeloader
  Botnet: pub2
Extracted: asyncrat
  Version: 0.5.7B
  Botnet: Default
  C2: 91.193.75.132:9191
  Mutex: AsyncMutex_6SI8OkPnk
  delay: 3
  install: true
  install_file: images.exe
  install_folder: %AppData%
Targets
Target: 4363463463464363463463463.bin
Size: 10KB
MD5: 2a94f3960c58c6e70826495f76d00b85
SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Signatures
DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.
Detect Neshta payload
Detect ZGRat V1
Neshta
  Malware from the Neshta family injects itself into other files to spread and cause damage.
PoshC2 binary
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
XMRig Miner payload
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
ACProtect 1.3x - 1.4x DLL software
  Detects a file protected with ACProtect software.
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
AutoIT Executable
  AutoIT scripts compiled to PE executables.
Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Impair Defenses (1)
  Scripting (1)
  Modify Registry (4)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)