Resubmissions

  • 12-04-2024 13:28  240412-qq3vjadh2z  10
  • 12-04-2024 13:27  240412-qqg8tsag65  10
  • 12-04-2024 13:27  240412-qqgmasag64  10
  • 12-04-2024 13:27  240412-qqgbjaag62  8
  • 12-04-2024 13:27  240412-qqdkmsdg9z  10
  • 09-04-2024 04:02  240409-el73xahe9s  10
  • 09-04-2024 04:01  240409-elk85she71  10
  • 09-04-2024 04:01  240409-eldjasea62  10
  • 09-04-2024 04:01  240409-ek8m2she6w  10
  • 14-01-2024 01:31  240114-bxveeaaeh9  7

General

  • Target

    456dad1f25fefa40f70c152a706316bc.bin

  • Size

    1.8MB

  • Sample

    240409-el73xahe9s

  • MD5

    e663743f124514279013d11584a83c3b

  • SHA1

    e277fa235b642177a3063f0ea80f6ee11b54b870

  • SHA256

    2854ef18b052f7b19e9ef1f006508e87f1ee3ed2592eef1aa9bb7d941852c3ca

  • SHA512

    1b6cb7251108382c768976dc3836a3d248bbc65186171877f5023a0c34563e31dc141e6b025c350ce109233f19aa96f3d4f7752e98b704c1f407099e9da3aa7e

  • SSDEEP

    49152:9XtCJwmA2uHowv1YvjBCD2s7KtDp+swshg0hVFe:9XtCJwmAVPilSj7KSbshg0hbe

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    buzzgays.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    43ZgxwsPb3T3M

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    mail.buzzgays.com
  • Port:
    21
  • Username:
    swaygo69gmailcom
  • Password:
    43ZgxwsPb3T3M

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    www.buzzgays.com
  • Port:
    21
  • Username:
    admin
  • Password:
    43ZgxwsPb3T3M

Targets

    • Target

      67d39d9194a79f2f1aa0585b8cbc3a38a651964d72469e27692a62038ae3b412.exe

    • Size

      1.9MB

    • MD5

      456dad1f25fefa40f70c152a706316bc

    • SHA1

      c741c8e32f1510c175c6d518401f3cf4d4f6d8da

    • SHA256

      67d39d9194a79f2f1aa0585b8cbc3a38a651964d72469e27692a62038ae3b412

    • SHA512

      e51d7f476d0b92cef1d2bc012f9436aead835642381241ba6d2dd149251a3ccc09b28e0be160e1e8f62aa6da79b935a6016700e31605895042c1fe61b4ca876f

    • SSDEEP

      49152:F/MBkUJZCcifDFu/6nEkqg1kka+dW0hWk9NQXNF+9uop3biUIgYcoP:FEBkmZofDFu/6nR6SW+woVBlR

    • Contacts a large (776) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Network Service Discovery (T1046): 2
  • System Information Discovery (T1082): 1

Command and Control

  • Web Service (T1102): 1

Tasks