Resubmissions

14-03-2024 11:45

240314-nw4b5sbb5v 10

13-03-2024 15:01

240313-sdxtvsfh9x 10

13-03-2024 14:22

240313-rpjkyagg56 10

General

  • Target

    c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.bin

  • Size

    242KB

  • Sample

    240313-rpjkyagg56

  • MD5

    8f44c565b6605afccbab295faaf420b8

  • SHA1

    a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3

  • SHA256

    c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0

  • SHA512

    cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206

  • SSDEEP

    3072:sY1hNzde2qx1Y7CzY8hv2BXhssNPhslWeQYmbd/5NOVAAC:11Twx2uzYvVhsspSlWbYId

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes

  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.218.68.91:7690

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

https://wisemassiveharmonious.shop/api

https://colorfulequalugliess.shop/api

https://relevantvoicelesskw.shop/api

https://associationokeo.shop/api

https://herdbescuitinjurywu.shop/api

Extracted

Family

socks5systemz

C2

http://eroikek.ua/search/?q=67e28dd86b5ea42a430af91a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a771ea771795af8e05c647db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff12c4ef959833

http://eroikek.ua/search/?q=67e28dd86b5ea42a430af91a7c27d78406abdd88be4b12eab517aa5c96bd86ee90824d815a8bbc896c58e713bc90c91936b5281fc235a925ed3e04d6bd974a95129070b614e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee95993fcd6f941e

http://bbxvoet.com/search/?q=67e28dd86b5ea42a430af91a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a771ea771795af8e05c646db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff12c4ef959832

http://bbxvoet.com/search/?q=67e28dd86b5ea42a430af91a7c27d78406abdd88be4b12eab517aa5c96bd86ef91854e815a8bbc896c58e713bc90c91936b5281fc235a925ed3e04d6bd974a95129070b615e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee95993fcd6f941f

http://gbwbwtg.com/search/?q=67e28dd86b5ea42a430af91a7c27d78406abdd88be4b12eab517aa5c96bd86ee90824d815a8bbc896c58e713bc90c91936b5281fc235a925ed3e04d6bd974a95129070b614e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee95993fcd6f941e

Targets

    • Target

      c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.bin

    • Size

      242KB

    • MD5

      8f44c565b6605afccbab295faaf420b8

    • SHA1

      a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3

    • SHA256

      c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0

    • SHA512

      cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206

    • SSDEEP

      3072:sY1hNzde2qx1Y7CzY8hv2BXhssNPhslWeQYmbd/5NOVAAC:11Twx2uzYvVhsspSlWbYId

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Detect ZGRat V1

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15