Resubmissions

  • 11-04-2024 05:25

    240411-f4bm4agc8t 10

  • 11-04-2024 01:54

    240411-cbjw8acd6x 10

General

  • Target

    gemme ya booty.zip

  • Size

    3.4MB

  • Sample

    240411-cbjw8acd6x

  • MD5

    22facc5af6e2d7a420d80f92e2cffcb3

  • SHA1

    8036cfa1c553d4421329f5a50bb3f3343816dbde

  • SHA256

    6b189ad141b75544c1ab7cf29db7d5bb4d570d045d0b99556bc3e742dc0a3a37

  • SHA512

    6f139b25a3057ac3698b058274b80807597536b805948fd840201a149822f747a7f8b49db39b56c486156b7ac51b59fee632246784a073e3a9e6b0693695514c

  • SSDEEP

    98304:hnOdKjVchU1ZBWlvKlgl8zyxcuoFMJgzS8tB:MvhUnayiSzgeFMJgzS8T

Malware Config

Extracted credentials (one row per extracted configuration):

  Protocol  Host            Port  Username       Password
  ftp       43.240.31.217   21    administrator  123qwe
  ftp       67.199.66.69    21    admin          lol123
  ftp       76.243.14.131   21    root           aaaaaa
  ftp       216.172.184.39  21    administrator  football
  ftp       121.126.60.78   21    admin          abcd1234
  ftp       107.180.9.240   21    root           gino
  ftp       80.178.100.183  21    administrator  Test123
  ftp       88.30.0.169     21    root           iloveyou
  ftp       27.34.151.87    21    admin          1234
  ftp       23.225.155.235  21    root           000000
  ftp       156.248.38.233  21    administrator  1q2w3e4r

Targets

    • Target

      gemme ya booty/info.zip

    • Size

      1KB

    • MD5

      8604e0f263922501f749cfca447b041a

    • SHA1

      85c712bdeaceb78e2785e1f63811b0c4a50f952d

    • SHA256

      52ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed

    • SHA512

      496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2

    • Contacts a large number (5131) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Adds Run key to start application

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15