Resubmissions

09-04-2024 13:27

240409-qqa5hsbd5t 10

09-04-2024 13:27

240409-qp978abd5s 10

09-04-2024 13:27

240409-qp9lpabd4y 10

09-04-2024 13:27

240409-qp9axsgb32 10

18-11-2023 14:44

231118-r4d9rsef94 10

General

  • Target

    New Text Document.exe

  • Size

    4KB

  • Sample

    240409-qp9lpabd4y

  • MD5

    a239a27c2169af388d4f5be6b52f272c

  • SHA1

    0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c

  • SHA256

    98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

  • SHA512

    f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da

  • SSDEEP

    48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Malware Config

Extracted

Family

redline

Botnet

6077866846

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

stealc

C2

http://52.143.157.84

http://185.172.128.209

Attributes
  • url_path

    /c73eed764cc59dcb.php

Extracted

Family

xworm

C2

94.156.8.213:58002

127.0.0.1:18356

t-brave.gl.at.ply.gg:18356

Attributes
  • Install_directory

    %Public%

  • install_file

    svchost.exe

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.siscop.com.co
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    +5s48Ia2&-(t

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

194.147.140.157:3361

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    msdtc.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

socks5systemz

C2

http://ckztaox.net/search/?q=67e28dd8685af379125bfd4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ffd17c7ee93983d

http://ckztaox.net/search/?q=67e28dd8685af379125bfd4e7c27d78406abdd88be4b12eab517aa5c96bd86e8978249835a8bbc896c58e713bc90c91c36b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52bee348ee4c2b14a82966836f23d7f210c7ee979c3ccc699410

http://booyojd.com/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ae8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffd17c7ee93983e

http://booyojd.com/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12eab517aa5c96bd86ec94824d895a8bbc896c58e713bc90c91f36b5281fc235a925ed3e5dd6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee979c3ccc699413

Extracted

Family

lumma

C2

https://appliedgrandyjuiw.shop/api

https://birdpenallitysydw.shop/api

https://cinemaclinicttanwk.shop/api

https://disagreemenywyws.shop/api

https://speedparticipatewo.shop/api

https://fixturewordbakewos.shop/api

https://colorprioritytubbew.shop/api

https://abuselinenaidwjuew.shop/api

https://methodgreenglassdatw.shop/api

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Extracted

Family

redline

Botnet

50502

C2

2.58.56.216:38382

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

185.172.128.33:8970

Extracted

Family

remcos

Botnet

RemoteHost

C2

shgoini.com:30902

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7XHN5V

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      New Text Document.exe

    • Size

      4KB

    • MD5

      a239a27c2169af388d4f5be6b52f272c

    • SHA1

      0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c

    • SHA256

      98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

    • SHA512

      f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da

    • SSDEEP

      48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Xworm Payload

    • Detect ZGRat V1

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Stealc

      Stealc is an infostealer written in C++.

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (122) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks