General
-
Target
5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9
-
Size
285.1MB
-
Sample
240223-ea6qpsaf9t
-
MD5
be703c491575eecc60d4cbd09c3205e3
-
SHA1
69aad609e9e6621bd83881d116adeeba72f77249
-
SHA256
5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9
-
SHA512
610f0c81ea41b8ab884a27a30374ed6642e2e07d59b575f8c10b94b360f61437b7e1b1b2b853dce12351dd83d9d6f45a900605dada6c35521ea9c8e9655955ae
-
SSDEEP
6291456:ELXxkOxmKeHhrX/CNQMH5QeV1ubbxbuRi2zer2FoIxIlPUHDIy:gpxDeB8F5QhHx72zeUoI6q0y
Malware Config
Extracted
mirai
UNSTABLE
unratio.funpass.services
scamanje.stresserit.pro
Extracted
mirai
WICKED
Extracted
agenttesla
https://api.telegram.org/bot7013847015:AAGJ9U6sgMmsBCQ0DNkHT8DYuslAtpiqCbA/
Extracted
gafgyt
185.91.127.233:23
103.82.20.7:42516
93.123.39.166:671
Extracted
mirai
UNSTABLE
unratio.funpass.services
scamanje.stresserit.pro
Extracted
mirai
scan.rebirthltd.dev
love.booter.cat
Extracted
mirai
WICKED
Extracted
mirai
BOTNET
scan.rebirthltd.dev
194.169.175.31
Extracted
mirai
MIRAI
Extracted
mirai
UNST
Extracted
njrat
im523
Hacked
0.tcp.eu.ngrok.io:19599
3a8ee47129614a8ed745ed44d22e4759
-
reg_key
3a8ee47129614a8ed745ed44d22e4759
-
splitter
|'|'|
Extracted
mirai
UNSTABLE
unratio.funpass.services
scamanje.stresserit.pro
Extracted
mirai
MIRAI
Extracted
mirai
UNSTABLE
unratio.funpass.services
scamanje.stresserit.pro
Extracted
revengerat
NyanCatRevenge
marcelotatuape.ddns.net:333
13b150f8ef23499092
Extracted
mirai
WICKED
Extracted
mirai
scamanje.stresserit.pro
Extracted
mirai
WICKED
Extracted
njrat
0.7NC
NYAN CAT
patria.duckdns.org:1998
85f10a8a09aa4
-
reg_key
85f10a8a09aa4
-
splitter
@!#&^%$
Extracted
mirai
WICKED
Extracted
mirai
MIRAI
Extracted
mirai
UNSTABLE
unratio.funpass.services
scamanje.stresserit.pro
Extracted
mirai
UNSTABLE
unratio.funpass.services
scamanje.stresserit.pro
Extracted
mirai
WICKED
Extracted
nanocore
1.2.2.0
0.tcp.ngrok.io:18237
127.0.0.1:18237
25d94285-e644-4394-8a59-361d828035f4
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-11-29T08:14:25.249811736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
3988
-
connection_port
18237
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
25d94285-e644-4394-8a59-361d828035f4
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
0.tcp.ngrok.io
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
amadey
4.18
http://147.45.47.35
-
install_dir
0a25b59f74
-
install_file
Dctooux.exe
-
strings_key
57658e7aa84093060e0ebefa5ad4aa45
-
url_paths
/bDjkb2xSd/index.php
Extracted
mirai
LZRD
Extracted
njrat
0.7d
Hacked
amma.myftp.biz:1177
5067798511594293a736c9b0b92fa333
-
reg_key
5067798511594293a736c9b0b92fa333
-
splitter
|'|'|
Extracted
mirai
SORA
Extracted
mirai
SORA
Extracted
amadey
4.18
http://147.45.47.35
-
strings_key
57658e7aa84093060e0ebefa5ad4aa45
-
url_paths
/bDjkb2xSd/index.php
Extracted
njrat
im523
Лошок
5.tcp.eu.ngrok.io:13326
1c7d94c93e29463dd3914e19ee6714b6
-
reg_key
1c7d94c93e29463dd3914e19ee6714b6
-
splitter
|'|'|
Extracted
mirai
LZRD
Extracted
mirai
BOTNET
scan.rebirthltd.dev
194.169.175.31
Extracted
risepro
193.233.132.62
193.233.132.62:50500
Extracted
snakekeylogger
Protocol: smtp- Host:
valleycountysar.org - Port:
25 - Username:
county@valleycountysar.org - Password:
iU0Ta!$K8L51
Targets
-
-
Target
e0324f9407031cdea025049097bf0d30a80f02eeb6e04a5d1d4a21eb8d703bc3.exe
-
Size
2.2MB
-
MD5
b1c4be84e40e10b9ff3eb14074b402af
-
SHA1
c792a0dc991474d0d5feba031983f67e6efc35fd
-
SHA256
e0324f9407031cdea025049097bf0d30a80f02eeb6e04a5d1d4a21eb8d703bc3
-
SHA512
32da555bb9ba29f0b7762407732b5e9a4c4d815aac8e7c4bc97c4a5dc07b6b5b26d63db605fca971c5321fde52a48b4c4fd868cf0711f055af6810f6a5302a2b
-
SSDEEP
49152:oipYE7O1mpoToQJQnE+R2tXBsahaBIWRbLJJZj9W8bQY5ezjYsU:IIpolJQfRmXB9oLxJTj9WNY5e4J
Score10/10-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe
-
Size
4.3MB
-
MD5
ae2b1b79c7579bb64b1640303f88c05f
-
SHA1
aca79755589eaaaffb9d8beb477b0d3df50982c4
-
SHA256
e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f
-
SHA512
b5bad1bb105f85edb7389d1e2914e54468e7871aa46baf8395f985cbe2e8d9cda1da24dc2245c4bcf6de28ca8fc176b35be6af4a489c8f2cef4c4cb1b595aa27
-
SSDEEP
98304:oHj/GBkxFCBLVvr/jsfLy+y/rk3zw/EZk9oaE9AyiR2BWoA:w/ciFQVvXsOqdZydH20oA
Score10/10-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
e226857f5c5f9a274825a537fe84a8d636b5d920368f20206089a99b56d7de7f.elf
-
Size
123KB
-
MD5
b7c3e42502fb69b7ae243db09b36a53d
-
SHA1
f8a6584152eb3eccb579f92b91d5379c21fc369c
-
SHA256
e226857f5c5f9a274825a537fe84a8d636b5d920368f20206089a99b56d7de7f
-
SHA512
eda6aa89e2a6eb61d76621feaac93de248551e36c8ede80c2891bf2af1c453dd1dabafa8008b51588846741cec705fc7ab0ebd324042d299b0b98a7d8347c47e
-
SSDEEP
1536:yEsksTuVY80FkbkgcQBkrBN95rxtgKR83tchphak2yEmsEt9/skYEP/UDjSQrD/R:nFgrBNProKhphak2Mr9/nYEP/UnSQf/R
Score1/10 -
-
-
Target
e268df66fb92ff6e5b2719279c5bee5383d56a4b97add2c7dc0ede45d2aec175.exe
-
Size
1.4MB
-
MD5
032cc19c2a356047c9d6a952c55f593b
-
SHA1
d9be0c3c31ab6bce38157fb15609a6bd1a1c4d76
-
SHA256
e268df66fb92ff6e5b2719279c5bee5383d56a4b97add2c7dc0ede45d2aec175
-
SHA512
b61d312d0a4c45b6eb7c4a1353ffc2377d04341fc60c5b0ea67e19a5dc8d2fa283e03e51621f8e6513986b3d078f2d38c3fd7652bd2b85f9e8b44d501587268e
-
SSDEEP
24576:KXhgAcwd+KW2+Cuv6XWBFLB6Acwcr394SuAHisP3SH6CoffrF:Kmpw51+CuvrrQw0N4DACsPAoff
Score10/10-
Detect ZGRat V1
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e4499912964280ec3adc3131a12d5415a577bcd29d7259a38e928ba87ad6c03a.vbs
-
Size
25KB
-
MD5
1551bbfea2c142e2bd5ecd100015a9e4
-
SHA1
bfb829ed539f0a34d80ef70d13a82163b6823075
-
SHA256
e4499912964280ec3adc3131a12d5415a577bcd29d7259a38e928ba87ad6c03a
-
SHA512
e5cd1e9365d2555de804268dab3b38aed02bbe2a767a43a2712cecbc9e25e7cd3fcd7c7fdd71759f446da93c2d61bdfcbd295f71950f9916ff6befd64b11440d
-
SSDEEP
384:MviwoXl26mMYhPD5nvjaO8b/29/Bk+TZdR5X8nMPoa/pDF63NXEltOp:twonmBhPNraOo/29/N7nX+ioA63ubw
Score8/10-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
e4dafea0263823affefe445b40ea002c5f63b785cb3b18270b045b86b22ba682.elf
-
Size
38KB
-
MD5
f8367535fe42a1822bb5086fc51afc59
-
SHA1
aac3818015d307214de117eb99c95282bd9b3243
-
SHA256
e4dafea0263823affefe445b40ea002c5f63b785cb3b18270b045b86b22ba682
-
SHA512
f1af6462e31a7672c78b4380072cf9427d3396b2d03dc12aaf479357c0d7362de1aa3956b9ae292bc5cd6d013cb4d1bd0133d78db342699e542186328a3c2855
-
SSDEEP
768:IUq+7GXJHnlBJxdpiVpwDNE5a5GOQKod7ufLOTh6kN6t0QZX7jWd3uWPlxi2l0O7:rJ6XJ3Jx0pwDNERKkCol6tlLjWd3rl0E
Score10/10-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
-
-
Target
e500b83db91a16021dc5f38a5cfacd4262a43c34bba5fa7211409e0ace06c85a.exe
-
Size
1.0MB
-
MD5
c97fe137ae1f90eff1e269cee50bbd03
-
SHA1
6bbd3375183ae7165bebfe4ed911a7436c518ae4
-
SHA256
e500b83db91a16021dc5f38a5cfacd4262a43c34bba5fa7211409e0ace06c85a
-
SHA512
13808cd71f267d6328c617f561c5aa120c65877ca3e6f936ac992099eb7a28649b67a0fb6e19f31ccf217e6a0d80dcb191d4a62bdddd11fbaccefe7b076f30c7
-
SSDEEP
24576:+iUmSB/o5d1ubcvi32l/pvcOa0mqL5mPAjZy:+/mU/ohubcvNlhZ5mPgZ
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
-
-
Target
e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe
-
Size
3.4MB
-
MD5
4ee27e2086f3bae24a65d677185a98de
-
SHA1
8586cba64216c10301b82fea8a90637b574c0540
-
SHA256
e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15
-
SHA512
bfeb2fab32ff3c6a8e27d2fcb342dc0fc840975a88efcf4d23585e2a289fc3c8f87e176a8d22eb800d3db889c719d20b549b51f7f6f65dd6477c5e534a5cb7bd
-
SSDEEP
98304:pQGxD61kWfdBnwZrU2j7A6F+eRvSQCKZUxR:SGxABwZ5/Aq+eHhZUxR
Score10/10-
Detected google phishing page
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
e5b92c64269cc60d8db665c2a71cf0b7c917bb0585d833324f6e8c3a1d22025a.exe
-
Size
1.3MB
-
MD5
adcf943ca9a3cfaacc9eb925fac63a90
-
SHA1
86b1c5c717ca333cec5dba3ee3162e304bf0ae32
-
SHA256
e5b92c64269cc60d8db665c2a71cf0b7c917bb0585d833324f6e8c3a1d22025a
-
SHA512
0fecbf7f4e7392f5dc576ad86d7c86fa9209bf866be586c9b0355b5982bc9090de7ed0835d71ee7019333b20e711ae9559fa394073fac587d06d79caf097251e
-
SSDEEP
24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8ad8QnGDLRWHz0Mogq0x2Pj:FTvC/MTQYxsWR7aaQnGDLRWHYMo8
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
e6152cc4702000546accc8d72aed7cb2a17381fbfed6b2dae32a336e15440549.exe
-
Size
2.2MB
-
MD5
1129a9368fb37bebc17280be6a0585a2
-
SHA1
32745b44b02d59149c2dbf0a71ea20d443bca7c0
-
SHA256
e6152cc4702000546accc8d72aed7cb2a17381fbfed6b2dae32a336e15440549
-
SHA512
7bfa721677e3fd238aa4e94be7db2535caa087567133f30184f739d495b77e5afa71ae1b412d51b9c530642b097d48d60ab968354e567730bbb39c29e25bc1bf
-
SSDEEP
49152:CIu+1zq/WAw1GnD1OfE7X9pEDxDy9LMU9YDrg/:CIP1elwIDwpO3o2
Score10/10-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
e7757fdf8b8e6b584cab959c54383e10065ba2aceb5dd653dd0566d4cbce1ec8.exe
-
Size
696KB
-
MD5
c4218b58d2302e31d13f88661f66c64b
-
SHA1
169b29b77b3e30db3a883762159b45856c421590
-
SHA256
e7757fdf8b8e6b584cab959c54383e10065ba2aceb5dd653dd0566d4cbce1ec8
-
SHA512
3de50ca942275f9ec40599691e06e6c0011a25199706f3dcab696158daefa6e627ffac4b0b777295d3dfb3fdb1137b274c81ae4cf04828db61c635894a2e4cf0
-
SSDEEP
12288:/k3jw7WkDA0CjZxYZ56i3ToFKlEsHj1Iiu+vht:M3jw7i0Cjc56YOK9vv
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
e8028be583b1ea12a054ac8ae37abb2356e37f7c0aeff0ee40c17c9ac219973f.exe
-
Size
541KB
-
MD5
cca2004ec5d0ef164296b5d46f9ee868
-
SHA1
70f15c2aa1af1413b1d4be5268ab22d05be0146d
-
SHA256
e8028be583b1ea12a054ac8ae37abb2356e37f7c0aeff0ee40c17c9ac219973f
-
SHA512
b0104e137b1145b30a62a008cca1e493d16e55517a7e08154a5419a51f25a23150f4eb960fe77e8715d609136ae872fbff2ba1a32a19feab15526a2ad7750124
-
SSDEEP
12288:iRz7Z6olbSsCYBR2a/FtyG83sHYOZf+wTFaMdrroBPc2E:YkolbSsCmHOG88Z2yBdt
Score7/10-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
e8ba4a43b8c03e1ea3ab83bed7c1c415cd17a289293a1e0e351da3ba85683eab.exe
-
Size
653KB
-
MD5
82a2300f5ac9771aac618047c1581dfc
-
SHA1
8caf25f2fd8ce3415998874a801e7f89f162c3af
-
SHA256
e8ba4a43b8c03e1ea3ab83bed7c1c415cd17a289293a1e0e351da3ba85683eab
-
SHA512
aa110a9dd610790af8dd94f17089cad127cf2d7887e862b84549befcb16a0cd45ee832ff2a3ed7d54bee51bdc8e7f713aa24266d70c16f84bec83a97fb30385a
-
SSDEEP
12288:vq8YtMZXW/3iR+Ge6aW3r19jn/yMVqdyDzRgSe26xeQazTtoz6I3LwL0Z6I:L2MZG/3iRJdhDz/y21RgSe2WPUTtMD3n
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
eac1ffc2d94146ca2f9ae011468a19552430c78fc5c306dcf2d98edaf5273ead.elf
-
Size
65KB
-
MD5
74b8a568e27d1800ecdd098ecb6bd7cb
-
SHA1
25adf87d1ec2ac976007757b4adc1aba17ede704
-
SHA256
eac1ffc2d94146ca2f9ae011468a19552430c78fc5c306dcf2d98edaf5273ead
-
SHA512
757ba8595690ee646c4dd40c24a3147c35e27d3b3bfe7bfc907d20be8ba10db85ea0e1a5a8507b603f9a64b01da9dcaab255efc2bfbcebb437eba1b119ec42d1
-
SSDEEP
1536:ufOTQML/a+SoqOix4ku4qnYV1/n4xqEA8M3Cyi:38W/1SoqlxgnNqEbM3
Score1/10 -
-
-
Target
ec291f72135b5826eae935f229e4c1bc2bc14d3671c9001452be407fc130ca3b.exe
-
Size
2.2MB
-
MD5
879185bab33bfd8f52e1958155093bd2
-
SHA1
865d0dd25f9988da461328ec8eef160a31a57811
-
SHA256
ec291f72135b5826eae935f229e4c1bc2bc14d3671c9001452be407fc130ca3b
-
SHA512
010b6182ba5dd446c2a7ecfc72d97dd1257438e74923d7c96223e34c56064be392394402e848e163fb2bfb9022665f544903e7ab3819fd733b60e792b021a999
-
SSDEEP
49152:TsL6RlKy19ek1DOJ3aiXV1sawoef9QncLD8W7m9CNR6oOYdAojKahnLR1ybYqT:T86rK29P12L7saTMqnap7m9+dLjRhnLs
Score10/10-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Credential Access
Unsecured Credentials
8Credentials In Files
7Credentials in Registry
1