Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

240409-kfglnaaf84 10

09-04-2024 08:32

240409-kffz5aea2y 10

09-04-2024 08:32

240409-kffpcsaf79 10

11-03-2024 08:03

240311-jxm94afe6y 10

10-03-2024 15:15

240310-snee9sfd3y 10

General

  • Target

    FUCKER.exe

  • Size

    10KB

  • Sample

    240311-jxm94afe6y

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

mylobot

C2

pqrqtaz.ru:9879

pickcas.ru:6464

quwkbin.ru:3496

rkbupij.ru:6653

pcqmayq.ru:3629

mmuliwe.ru:3541

stoizji.ru:5189

sfdfrhh.ru:3511

ynciazz.ru:4127

mkglhnw.ru:1946

njeeili.ru:9987

dldzeoo.ru:7525

tkbiqjq.ru:5145

uenosbl.ru:2935

faayshc.ru:9865

nttfazc.ru:6761

nfwsyog.ru:7172

uyfusxm.ru:7372

hxkclwx.ru:1294

zgoysam.ru:2338

Targets

    • Target

      FUCKER.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • Detect ZGRat V1

    • Mylobot

      Botnet which first appeared in 2017 written in C++.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • UAC bypass

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks