General

  • Target

    VirusSign.2024.02.08.7z

  • Size

    585.8MB

  • Sample

    240220-rzbm3shf8w

  • MD5

    d7c3f5afd09c79d44133a2e57e573f21

  • SHA1

    88c96f247230c93fb87a65f4b1118a118acceb32

  • SHA256

    d0051eec84e965bcc80b3d5cbcabfff3a92ad475d6a7b45d8fd2fd37cbe6bed5

  • SHA512

    3c46269ada08e63955bdeb936183ff3b519899a7ad7212f95be63167f018ec25c37e7978070baf1e8894caf31128212d80498c1aa4f811867454c5d61ec7ac9e

  • SSDEEP

    12582912:0w9FT53goUbaJVTBI5+ukeZiofv1//K6ZfAS/QTn3g/1:b9FTSNb0NUr+Ga6RA2QTny

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

1.234.83.146

133.242.129.155

Extracted

Family

netwire

C2

ml.warzonedns.com:4772

185.244.31.215:4772

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    C:\Users\Administrator\AppData\Roaming\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7716

C2

checklist.skype.com

193.233.175.115

185.68.93.20

62.173.140.250

46.8.210.133

Attributes
  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Extracted

Family

xworm

Version

5.0

C2

23.227.198.249:5555

Mutex

3OeNP1tNlyTPHkQR

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

njrat

Version

1Byte

Botnet

Inject1Byte

C2

inject1byte.com:1986

Mutex

Microsoft.Inc

Attributes
  • reg_key

    Microsoft.Inc

  • splitter

    |'|'|

Extracted

Family

remcos

Botnet

Fresh01

C2

fresh01.ddns.net:2257

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-FBBRNH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
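
One way to put the C2 values extracted above to work, as an added example that is not part of the sandbox report: normalize each entry (bare IP, host:port, or URL) into a host/port indicator, then scan DNS, connection and proxy log lines for them and attribute hits to the family whose config carried the indicator. The log lines are constructed for the example and the function and field names are my own; only the C2 values come from the page.

```python
"""Match the C2 indicators from this report against log lines (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# C2 values copied from the "Malware Config" section of the report, keyed by family.
C2_BY_FAMILY = {
    "urelas": ["218.54.31.226", "218.54.31.165", "1.234.83.146", "133.242.129.155"],
    "netwire": ["ml.warzonedns.com:4772", "185.244.31.215:4772"],
    "gozi": ["checklist.skype.com", "193.233.175.115", "185.68.93.20",
             "62.173.140.250", "46.8.210.133"],
    "neconyd": ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"],
    "warzonerat": ["wealth.warzonedns.com:5202"],
    "xworm": ["23.227.198.249:5555"],
    "njrat": ["inject1byte.com:1986"],
    "remcos": ["fresh01.ddns.net:2257"],
}

# Candidate host tokens in a log line: dotted-quad IP or multi-label hostname,
# optionally followed by :port. Lookarounds stop us matching inside longer tokens.
TOKEN_RE = re.compile(
    r"(?<![\w.-])((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::(\d{1,5}))?(?![\w-])",
    re.I,
)


def normalize(c2):
    """Reduce a raw config value to (host, port-or-None, 'ip'|'domain')."""
    value = c2.strip()
    if "://" in value:                      # URL form, e.g. http://lousta.net/
        parsed = urlparse(value)
        host, port = parsed.hostname, parsed.port
    elif value.count(":") == 1:             # host:port form
        host, port_str = value.rsplit(":", 1)
        port = int(port_str)
    else:                                   # bare host or IP
        host, port = value, None
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return host, port, kind


def build_index(c2_by_family=C2_BY_FAMILY):
    """host -> list of (family, configured_port, kind); one host may serve several families."""
    index = {}
    for family, values in c2_by_family.items():
        for raw in values:
            host, port, kind = normalize(raw)
            index.setdefault(host, []).append((family, port, kind))
    return index


def scan_log(lines, index=None):
    """Return one hit dict per (line, indicator) pair found in the log lines."""
    index = index if index is not None else build_index()
    hits = []
    for lineno, line in enumerate(lines, 1):
        for match in TOKEN_RE.finditer(line):
            host = match.group(1).lower().rstrip(".")
            seen_port = int(match.group(2)) if match.group(2) else None
            for family, c2_port, kind in index.get(host, []):
                # port_match is None when either side has no port (DNS logs, URL-only
                # configs); False is a weaker signal an analyst should judge separately.
                port_match = None if seen_port is None or c2_port is None else seen_port == c2_port
                hits.append({"line": lineno, "family": family, "host": host,
                             "port": seen_port, "kind": kind, "port_match": port_match})
    return hits


# Constructed log lines for the example; they are not from the sandbox run.
SAMPLE_LOG = [
    "2024-02-20T10:01:02Z dns client=10.0.0.5 query=fresh01.ddns.net type=A",
    "2024-02-20T10:01:03Z conn src=10.0.0.5 dst=185.244.31.215:4772 proto=tcp",
    "2024-02-20T10:01:04Z conn src=10.0.0.7 dst=185.244.31.215:443 proto=tcp",
    "2024-02-20T10:01:05Z proxy client=10.0.0.9 url=http://lousta.net/index.php status=200",
    "2024-02-20T10:01:06Z dns client=10.0.0.9 query=checklist.skype.com type=A",
    "2024-02-20T10:01:07Z conn src=10.0.0.9 dst=93.184.216.34:443 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two things to keep in mind when using the output: the Gozi list contains checklist.skype.com, a domain legitimate clients also resolve, so a domain-only hit with no port evidence is a lead rather than a block decision, which is why the matcher reports `kind` and `port_match` separately instead of a single verdict; and the dynamic-DNS and warzonedns hostnames will resolve to different addresses over time, so hunt on the hostname, not on whatever IP it resolved to during the sandbox run.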

Targets

    • Target

      VirusSign.2024.02.08/036062de97522e2c40b04d1c1c0d5bf3

    • Size

      256KB

    • MD5

      036062de97522e2c40b04d1c1c0d5bf3

    • SHA1

      3e40d25904ace9399daec073d692a302777442f0

    • SHA256

      b922ab1eb695bb41d49fb10f13dd9131f8d7a42d14da8af155a746179234eb5a

    • SHA512

      5a504ecea76f5cef0d22410a338f3742d5240dc26e814a964c0dea4a90ee3070df30cffc44c8cb875a0368c353f0a1bc7b355ff7b9b54f6b5035d3ca92f0bfb6

    • SSDEEP

      6144:ITr4oGqPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynnH:0VXuqFHRD

    • Adds autorun key to be loaded by Explorer.exe on startup

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      VirusSign.2024.02.08/0366d8bc8e9bd5e64e301190356e79ff

    • Size

      166KB

    • MD5

      0366d8bc8e9bd5e64e301190356e79ff

    • SHA1

      9adedc7fc2ebda1f218ef124d7e90f0594d3ca54

    • SHA256

      b2244a1c65a5f4ce4cea6a9c9c85f7ef9dd7a9e8f4b32f62322994ffbbaaa456

    • SHA512

      a5eb7565a4b19faa08d6c1c162310f633625bd93aca8083f69daac4c1ef207b3871c87597e18f1b4e2b35f7a14b187c38fc49b766975aa829c290e2df15833bc

    • SSDEEP

      3072:ZhpAyazIlyazTUQT2y70GtgYn47tviPIVIk15lHxUv0NFxrC:hZMazDj7ltB474PIV715lHx+MDC

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      VirusSign.2024.02.08/0372bdc19184e4dd7461170dfb052a2d

    • Size

      14KB

    • MD5

      0372bdc19184e4dd7461170dfb052a2d

    • SHA1

      d2ea2380b2e3c90e2dee186b21046faa12e2a5a7

    • SHA256

      2e3f8b8b3bdac8d18e4fc40c6dc75cfe0256006ed568321b69c7646c30b1fd58

    • SHA512

      4448a25f174b5bb7dfbe8adb994ca4485e34cf5878e8a619ee776f4cae10a6d37513e9b9a99ed99a21019a1538ce203e3d3ee61b171c1bc091006ecb26a8f925

    • SSDEEP

      192:z45JIqQ2O8hVg1hVtDKDPHyf7wwwwwwwwwwwwww6RN2VEvW2qDE045HQ4v4XozSU:cH3uDHKzyfiODE045HH4QSQSQS

    Score
    1/10
    • Target

      VirusSign.2024.02.08/038db7a1bc9f32408eb32a8b02b5cf31

    • Size

      1.0MB

    • MD5

      038db7a1bc9f32408eb32a8b02b5cf31

    • SHA1

      105ef2b7dbc5da42707b6f825eba907e54beb914

    • SHA256

      11799e79fe1e5c6acf6124bcc85e69b19662dc01b3a8d54adbcabef5c50632dc

    • SHA512

      1bdadeffd95d292a1ff757b86d23ec036fdaf9af1261a758b13f141dc03f15f7853bc50a0212c5bf3fef16017a4c064cb5532d9015d7e5f15bc01050fcf8bb1f

    • SSDEEP

      24576:zzqxG2Z9mIhQvq8wd7D7Mp0b5jQanN5us:XMmSdZX

    Score
    1/10
    • Target

      VirusSign.2024.02.08/0399febb08bcbf43227bad19576af767

    • Size

      454KB

    • MD5

      0399febb08bcbf43227bad19576af767

    • SHA1

      459789cf3623cc2913230ca823216500220b8cc0

    • SHA256

      b7aaa7af3f1f74a8e568280995303f7b2ec9fb9280dfb222c61e0e90b4f20390

    • SHA512

      a05f1ac57f38c70f80119ea80069fd1a2e37c510fa233d5d9f355078268015f986fd7550f8e5318004ac7943688f744bd4ba8e92f0c2ad97d90cc531857c9666

    • SSDEEP

      12288:n3C9uDIPh2kkkkK4kXkkkkkkkkl888888888888888888nQYu:ShPh2kkkkK4kXkkkkkkkkS5

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Target

      VirusSign.2024.02.08/03a3a464ef2a1fbe54b35a8effbf54f9

    • Size

      704KB

    • MD5

      03a3a464ef2a1fbe54b35a8effbf54f9

    • SHA1

      e1d0b9a184b8237604e4aeca0617ff552a03e512

    • SHA256

      d9177637cdb5e533cbd79df70eb4c73d2a16ec7f40500c848e7ceaa850c4ed97

    • SHA512

      ebbb69912ade407817542e3ced65a32b6155f4acf338c3851726e0ba601647e6ddb9f871b098130d02be3612284f5834d95e322c556311768772255710b99e5d

    • SSDEEP

      12288:KIVttK00rQg5W/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5b:KIK00rQg5Wm0BmmvFimm0MTP7hm0b

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      VirusSign.2024.02.08/03a4ed0cb8c9721fc1369cc5f381fd76

    • Size

      141KB

    • MD5

      03a4ed0cb8c9721fc1369cc5f381fd76

    • SHA1

      2ecac749fe4791a39876458be83c7101b5513e71

    • SHA256

      b60ae197bb4109e48286207da2ab9eaa1642d37dda797ac6aabbe8c4dc10ae88

    • SHA512

      f495bfafce3c029fd01f55272e101f84f7e6c5be579dbca0b69dad1731ead82db10de661a9dac043bc1de2f853086644d042b6ceb6f4aa00cc5581c7ae77d832

    • SSDEEP

      3072:aSqxOrrOWl+oWxkFPwQ9bGCmBJFWpoPSkGFj/p7sW0l:aOaWFPN9bGCKJFtE/JK

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      VirusSign.2024.02.08/03af51abe00f3c6154bc829f07f83945

    • Size

      14KB

    • MD5

      03af51abe00f3c6154bc829f07f83945

    • SHA1

      491d7f96c799de8b36f8d071f3c5ce87fe510d70

    • SHA256

      9d0ff284bdcc6621ef90d17b67ea9f9139cafb4a0875086569f6ddba5a5f70cc

    • SHA512

      097b8a5279476bdf0effac6684727a961e185a2298b86d0f7d846acbe0bbae44b0e696e54c9d0d717a20ccbf68644d7cfa419c0e442d07e87c595f2e1ac7261d

    • SSDEEP

      384:80ed5I10n7x+zeUVWbFQbFZ3AAAAAKR6aHBbDE045H:pedSq7ABoFYFZVDHBHA

    Score
    1/10
    • Target

      VirusSign.2024.02.08/03b6a8e2d209f10cce366b73bec0283a

    • Size

      392KB

    • MD5

      03b6a8e2d209f10cce366b73bec0283a

    • SHA1

      72641bc2f5627cf9ff3aac9a451f1a3883469a4d

    • SHA256

      583c10d1bb3b7be55f6147164340e8f7604613051bdd242385c7b1c186560f52

    • SHA512

      9ad94d9a4125081ca5eb3b54d4664989189459d6c873ef85858568082334e3a5b91027cc4c2cb61cea48cdad073020e6221cdb54e4324e48d302fede08bf2a3f

    • SSDEEP

      6144:Acm7ImGddX5WrXF5lpKGYV0aTk/BO0XJm4UEPOshN/xdKnvP48bmmv:m7TcJWjdpKGATTk/jYIOWN/KnnPD

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Target

      VirusSign.2024.02.08/03ba9978296204d2048fb184e546932b

    • Size

      4.0MB

    • MD5

      03ba9978296204d2048fb184e546932b

    • SHA1

      63fc0f70834a1868681c1ac8bf9dca778221816c

    • SHA256

      0af366e7b4fa57f57a14aec07cd5c2991809e96b3d240c9440c1c6e59576a16e

    • SHA512

      4f6c5cb0048ae1d3a8b39c7dcd2fb3901402dac55309efe453b69b7ded5efa8085f27144e766eeddb1c9d38a857dfa7b2bf1cbd6fc52d65348dd76bb3cab3ed4

    • SSDEEP

      49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpabVz8eLFcz

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      VirusSign.2024.02.08/03e3a2fc4bf137d68962d35b23186a74

    • Size

      676KB

    • MD5

      03e3a2fc4bf137d68962d35b23186a74

    • SHA1

      9245dc0c32927f0ec96138eb193940836bd40dfa

    • SHA256

      6c7e899ad584e9c1eab850e4723d5a551f092b150beaef0b5d163ec22de8c5b9

    • SHA512

      554c15cbec4c5acd52035e28d6040fe9266ed03987afdb3840bea76827e2a966b1d27a4f7943d4497eded74c3c8950d71c621b494444f802303eaef8baf8ce1a

    • SSDEEP

      12288:WuzMbRtKXcxe7Wp7iyAe+BjUjz7SK+nlm/t+m+XFINGkZnCl/Gr4V:lMttKXcH7iZDUd+cgdi8l8

    Score
    1/10
    • Target

      VirusSign.2024.02.08/03e8dd811ff56c2ef65a494a29601f9e

    • Size

      278KB

    • MD5

      03e8dd811ff56c2ef65a494a29601f9e

    • SHA1

      04d06be2302da7b9117f8cd57821c7a98ae919fd

    • SHA256

      bd31bf973af6b1c530482515829e2c7ec1451bf487d9d8891d42b2eb27dffbad

    • SHA512

      c9b68d104dba1e20abffd8cbd71cc650c003872f35bc6cc1a88407f79d6c284a7120155b7a760fcfdc31e26c0b335c69918249f8f1e428c86b97cfa9fee218a6

    • SSDEEP

      6144:6jluQoSFIo5R4nM/40yJoVj4QABWnmc6NGqYMeQIyi3MY9U0ht01SZ:6EQoSvqhoMZUnmcCX4Q+d9BQSZ

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      VirusSign.2024.02.08/03eec9b444ff21a20e84fa8592478c22

    • Size

      405KB

    • MD5

      03eec9b444ff21a20e84fa8592478c22

    • SHA1

      9b1b7ff45b73f8cb9ad8f3037c3deeb6ed2e81a5

    • SHA256

      705985fea4cbd638e8633fe77894a557420467020b2f71e35408b120df584a22

    • SHA512

      826233a9f010e523f14273f78f33c89f8f95e610c406ed4ca017eba2b64668b18eb98f4fbe9ecb2a423607effd5d2e4ed486acb21e9e7e5839b0480f6696f60a

    • SSDEEP

      6144:sy+T9tAllM7QuLYfGTLyN6Xu0g3nSnvCGbYCFafAoIhHO:sy+T9ellutLYfG3yNYlg3SvRbr2AoIh

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      VirusSign.2024.02.08/04048340f3e175baa6bd71fcc12851ef

    • Size

      94KB

    • MD5

      04048340f3e175baa6bd71fcc12851ef

    • SHA1

      f27998da7ed97f7e4d201f6227707b84f7071895

    • SHA256

      2415878b2c2cb95defba91611407eeaab0dd01241b6d49d875eca690a7453cfb

    • SHA512

      262d9ab9e75e805d300bd3c3e73e081d1d9ed89add10fc1d0601945d2667f99cd142e418c4fe0d979c0f54f9072867af4a722209ced8bad01c26dde57485b78d

    • SSDEEP

      1536:+OYjIyeC1eUfKjkhBYJ7mTCbqODiC1ZsyHZK0FjlqsS5eHyG9LU3YG8nW:adEUfKj8BYbDiC1ZTK7sxtLUIG1

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Target

      VirusSign.2024.02.08/0409c5c4922e4b79e2017df62f632cf3

    • Size

      109KB

    • MD5

      0409c5c4922e4b79e2017df62f632cf3

    • SHA1

      08010654c34d1089997bb40e9376cc909c590456

    • SHA256

      943776066d0dc04b383196e89a856a5114a53d48a11d76d7ee5bcd79474941c7

    • SHA512

      4044133ab5c03e4d1d742b19d700127546a337609249991b9f30fb950da1961d12ca673c9ef185fca91a624761d8da6e32608c6ec55c4221ae2f9964ea09458b

    • SSDEEP

      3072:spC1CWV2LuEjp5ErAmjzQw+hM45Fhexg+:sioLRjp5ErAmww14Exg

    Score
    3/10
    • Target

      VirusSign.2024.02.08/040dcef90aa17a406b8de190fd3330d8

    • Size

      63KB

    • MD5

      040dcef90aa17a406b8de190fd3330d8

    • SHA1

      ee3d96addda2f9657de53d28d86722c4cfdd19a9

    • SHA256

      3c91e4405f6f6f69e32e60f77ea7de991f17dc1cabb5e8b8083df3d1425d51d3

    • SHA512

      5a3bfc8fedbb52e89ba411eff763708d098a7176419b783a20d9f452440dbda07aad3b7e87e2bb3537f5a87d374a85f56282b709cd6f8639e79a373e6d2339f6

    • SSDEEP

      1536:TG8Su+eyMORudbp4+z5l0/3MGAEQDh+Kdieo8:TJZWuJpBl0PMGAEQDh+S

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, vmprotect, rat, themida, aspackv2, isfb, 7716, inject1byte, pyinstaller, fresh01, kpot, njrat, urelas, netwire, neshta, gozi, neconyd, warzonerat, gh0strat, xworm, blackmoon, remcos
Score
10/10

behavioral1

njrat, persistence, trojan
Score
10/10

behavioral2

persistence
Score
10/10

behavioral3

persistence, spyware, stealer
Score
7/10

behavioral4

persistence, spyware, stealer
Score
7/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

blackmoon, banker, trojan, upx
Score
10/10

behavioral11

persistence
Score
10/10

behavioral12

persistence
Score
10/10

behavioral13

persistence
Score
10/10

behavioral14

persistence
Score
10/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

blackmoon, banker, trojan, upx
Score
10/10

behavioral18

blackmoon, banker, trojan, upx
Score
10/10

behavioral19

persistence, spyware, stealer
Score
7/10

behavioral20

persistence, spyware, stealer
Score
7/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

persistence, spyware, stealer, upx
Score
7/10

behavioral24

persistence, spyware, stealer, upx
Score
7/10

behavioral25

Score
7/10

behavioral26

Score
7/10

behavioral27

upx
Score
7/10

behavioral28

upx
Score
7/10

behavioral29

Score
3/10

behavioral30

Score
3/10

behavioral31

Score
1/10

behavioral32

Score
7/10