6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d

Target

6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d_JC.exe
Size

1.9MB
Sample

240409-je2d1ahf76
MD5

3bf670e5e1c152674b1a6f0fd3ed67f1
SHA1

11c6df477c1d8b95d7c6313f05cd759df34cdc4e
SHA256

6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d
SHA512

3cae3752e25a268842a91e87d7dc721f9aee7059e06bcd3e7d6aa90ec6d1b2fe59cad62963f452bbe850af31a2710dd429bad436e10756857ec90fa21bdbb968
SSDEEP

49152:/jdg0nPwhegnBrxZPlH/+ui3T4Ga0e0MTDD4yfYyHs8Xu3/:720nPcnZxZPZgeccD4yfnn+/

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
karaoke-soft.com
Port:
21
Username:
[email protected]
Password:
2111021110

Extracted

Credentials

Protocol: ftp
Host:
picaxeforum.co.uk
Port:
21
Username:
[email protected]
Password:
facebook12

Extracted

Credentials

Protocol: ftp
Host:
picaxeforum.co.uk
Port:
21
Username:
goodworkmen
Password:
facebook12

Extracted

Credentials

Protocol: ftp
Host:
picaxeforum.co.uk
Port:
21
Username:
admin
Password:
facebook12

Targets

- Target
  
  6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d_JC.exe
- Size
  
  1.9MB
- MD5
  
  3bf670e5e1c152674b1a6f0fd3ed67f1
- SHA1
  
  11c6df477c1d8b95d7c6313f05cd759df34cdc4e
- SHA256
  
  6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d
- SHA512
  
  3cae3752e25a268842a91e87d7dc721f9aee7059e06bcd3e7d6aa90ec6d1b2fe59cad62963f452bbe850af31a2710dd429bad436e10756857ec90fa21bdbb968
- SSDEEP
  
  49152:/jdg0nPwhegnBrxZPlH/+ui3T4Ga0e0MTDD4yfYyHs8Xu3/:720nPcnZxZPZgeccD4yfnn+/
Score

10^/10

persistence upx discovery
- Contacts a large (902) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Contacts a large (902) amount of remote hosts

UPX packed file

Adds Run key to start application

Creates a large amount of network flows

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4