Overview

overview

10

Static

static

7

gemme ya b...01.exe

windows7-x64

8

gemme ya b...01.exe

windows10-2004-x64

8

$PLUGINSDI...os.dll

windows7-x64

3

$PLUGINSDI...os.dll

windows10-2004-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows10-2004-x64

3

$R9/NsCpuC...32.exe

windows7-x64

7

$R9/NsCpuC...32.exe

windows10-2004-x64

7

$R9/NsCpuC...64.exe

windows7-x64

7

$R9/NsCpuC...64.exe

windows10-2004-x64

7

$R9/Plugin...os.dll

windows7-x64

3

$R9/Plugin...os.dll

windows10-2004-x64

3

$R9/Plugins/inetc.dll

windows7-x64

3

$R9/Plugins/inetc.dll

windows10-2004-x64

3

info.vbe

windows7-x64

8

info.vbe

windows10-2004-x64

8

$R9/Plugins/tftp.exe

windows7-x64

8

$R9/Plugins/tftp.exe

windows10-2004-x64

10

$R9/Stubs/bzip2.exe

windows7-x64

3

$R9/Stubs/bzip2.exe

windows10-2004-x64

3

$R9/Stubs/...id.exe

windows7-x64

3

$R9/Stubs/...id.exe

windows10-2004-x64

3

$R9/Stubs/lzma.exe

windows7-x64

3

$R9/Stubs/lzma.exe

windows10-2004-x64

3

$R9/Stubs/zlib.exe

windows7-x64

3

$R9/Stubs/zlib.exe

windows10-2004-x64

3

$R9/makensis.exe

windows7-x64

1

$R9/makensis.exe

windows10-2004-x64

1

$TEMP/tftp.exe

windows7-x64

10

$TEMP/tftp.exe

windows10-2004-x64

10

gemme ya booty/c.sh

windows7-x64

3

gemme ya booty/c.sh

windows10-2004-x64

3

Resubmissions

11/04/2024, 05:25

240411-f4bm4agc8t 10

11/04/2024, 01:54

240411-cbjw8acd6x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gemme ya booty.zip

  • Size

    3.4MB

  • Sample

    240411-f4bm4agc8t

  • MD5

    22facc5af6e2d7a420d80f92e2cffcb3

  • SHA1

    8036cfa1c553d4421329f5a50bb3f3343816dbde

  • SHA256

    6b189ad141b75544c1ab7cf29db7d5bb4d570d045d0b99556bc3e742dc0a3a37

  • SHA512

    6f139b25a3057ac3698b058274b80807597536b805948fd840201a149822f747a7f8b49db39b56c486156b7ac51b59fee632246784a073e3a9e6b0693695514c

  • SSDEEP

    98304:hnOdKjVchU1ZBWlvKlgl8zyxcuoFMJgzS8tB:MvhUnayiSzgeFMJgzS8T

Score
10/10
discoverypersistencevmprotect

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    43.134.66.228
  • Port:
    21
  • Username:
    administrator
  • Password:
    killer

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    37.251.150.88
  • Port:
    21
  • Username:
    administrator
  • Password:
    pass

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    151.80.164.131
  • Port:
    21
  • Username:
    root
  • Password:
    0000

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    35.214.143.230
  • Port:
    21
  • Username:
    admin
  • Password:
    andrew

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    103.8.25.150
  • Port:
    21
  • Username:
    admin
  • Password:
    123456789

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    62.109.26.179
  • Port:
    21
  • Username:
    admin
  • Password:
    windows

Targets

    • Target

      gemme ya booty/IMG001.exe

    • Size

      3.4MB

    • MD5

      908bb37015af1c863e8e73bb76fdb127

    • SHA1

      da3c0542e7223d9a1caf327164a1d54597afa59b

    • SHA256

      ff2787534a0da486583ac6aabed1f30b9af3d0c7ac2390771c167a60f2dd266c

    • SHA512

      e96de2faa86c70361a9e15397e01b73e1126f6f97c195fa06d1ad491f874376f0a1b3a45518639e8eb594640048126bc73b924b8f2dce961dabf364dabad0155

    • SSDEEP

      98304:MmVPnq1y5tQOM33ZNqCtBixHl54Oyjes1bof:zVPq1yLanrqTr43eSQ

    Score
    8/10
    discoverypersistence

    • Contacts a large (888) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/ExecDos.dll

    • Size

      6KB

    • MD5

      d7b975049ec3aba50e4b7cc654a28214

    • SHA1

      25f2578945ebc9ac037fef7b7f94c5d48e42388b

    • SHA256

      42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f

    • SHA512

      f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270

    • SSDEEP

      96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW

    Score
    3/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/inetc.dll

    • Size

      21KB

    • MD5

      d7a3fa6a6c738b4a3c40d5602af20b08

    • SHA1

      34fc75d97f640609cb6cadb001da2cb2c0b3538a

    • SHA256

      67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

    • SHA512

      75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

    • SSDEEP

      384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu

    Score
    3/10
    behavioral5behavioral6

    • Target

      $R9/NsCpuCNMiner32.exe

    • Size

      1.4MB

    • MD5

      3afeb8e9af02a33ff71bf2f6751cae3a

    • SHA1

      fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107

    • SHA256

      a0eba3fda0d7b22a5d694105ec700df7c7012ddc4ae611c3071ef858e2c69f08

    • SHA512

      11a2c12d7384d2743d25b9e28fc4ea0c3e2771aca92875fd3350f457df66c66827d175f67108f1a56d958f3b1163f3a89eedb8919bf7973d037241a1e59231d5

    • SSDEEP

      24576:gWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:gSrwf3aZmpOFU2iQNIUc1LxGTtswgd

    Score
    7/10
    vmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7behavioral8

    • Target

      $R9/NsCpuCNMiner64.exe

    • Size

      1.5MB

    • MD5

      eedb9d86ae8abc65fa7ac7c6323d4e8f

    • SHA1

      ce1fbf382e89146ea5a22ae551b68198c45f40e4

    • SHA256

      d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

    • SHA512

      9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

    • SSDEEP

      24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51

    Score
    7/10
    vmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral10behavioral9

    • Target

      $R9/Plugins/ExecDos.dll

    • Size

      6KB

    • MD5

      d7b975049ec3aba50e4b7cc654a28214

    • SHA1

      25f2578945ebc9ac037fef7b7f94c5d48e42388b

    • SHA256

      42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f

    • SHA512

      f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270

    • SSDEEP

      96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW

    Score
    3/10
    behavioral11behavioral12

    • Target

      $R9/Plugins/inetc.dll

    • Size

      21KB

    • MD5

      d7a3fa6a6c738b4a3c40d5602af20b08

    • SHA1

      34fc75d97f640609cb6cadb001da2cb2c0b3538a

    • SHA256

      67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

    • SHA512

      75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

    • SSDEEP

      384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu

    Score
    3/10
    behavioral13behavioral14

    • Target

      info.vbe

    • Size

      1KB

    • MD5

      e9ffdb716af3d355b25096a8ed4de8ef

    • SHA1

      66e2b15ba4dbfa127c3ec86abce666870a4a168a

    • SHA256

      30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b

    • SHA512

      f157dc99dfd4c1bec37deba85ed5250f70e169ab2d21b2c75d7d94b4463608c3c74ed9ab773e1359735cb95cb1f38333887d3c8e65c80c0cdfeee8bcb0d019f3

    Score
    8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral15behavioral16

    • Target

      $R9/Plugins/tftp.exe

    • Size

      92KB

    • MD5

      c9869112b8ea084c76f34dbba826f828

    • SHA1

      e209c404bb404ec87b0b1cfd4577999f0064eb25

    • SHA256

      bd2a4c80801303a763c0ed0ca329744fa4d514ecedd635703108c034a62a6cea

    • SHA512

      474c113a2bb7c544027fe6fc433bbeae9616098248af4a62a1e470daa54ec97b023e72ed2cdc2eddcfbd967525b44b57f9508ec8543892bed9ab0982d2491bdc

    • SSDEEP

      1536:SOiJzywynfnJ0t1Pv2DURV0Q6aoxPxNUqwGI7Uns:4fyfJ0f2wR1VUns

    Score
    10/10
    discovery

    • Contacts a large (1068) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery
    behavioral17behavioral18

    • Target

      $R9/Stubs/bzip2

    • Size

      34KB

    • MD5

      7ac2315d458a6c78f81f7167b164ef37

    • SHA1

      f501956f346fe7ac49454f5eae54907eeb247f1d

    • SHA256

      a32a41c520aa1d08d8e5cbc18c1994f92d47bede5cb8d3aca761579d242d249d

    • SHA512

      00802299e1161ac3a3849678a0515e2ed4548a9c1397635fb546683a525f2dbaab8b90875d81821bc66b76c6669a309922284e818f510fb0d81d0c317458919b

    • SSDEEP

      768:FqVnDX38+t1ehxQ7unyskUplx3tUeLTjWfgeOVGM4jjfS3XJvai:kjs+t1ehxQuntkULceeM4sXJz

    Score
    3/10
    behavioral19behavioral20

    • Target

      $R9/Stubs/bzip2_solid

    • Size

      34KB

    • MD5

      0a108faf2f740e2b1a97d64985fdd1b4

    • SHA1

      e349e668f756ea4b9460bcb2be54504dc357d3d1

    • SHA256

      5a9ecc6d9dbd32c54507496f022ecca949e18235bb0865e1aa345eb84e6af0cf

    • SHA512

      3f27d919d40dfbd431c1516a8803178d5e699f91856e8f9616b7f3fdc755af863f25c29cf08191775ab04d1457a0db8741e1697a66bd2c84252de58942c16faf

    • SSDEEP

      768:/Jyky/Nki4Q/JRQ/RZ49ylKR2e7jbEcIKFvGmjXO3XJOai:hiki4Q/JR2RZ49A1ecjXJ+

    Score
    3/10
    behavioral21behavioral22

    • Target

      $R9/Stubs/lzma

    • Size

      33KB

    • MD5

      9557ea4608e64b857c1125eb41ba7429

    • SHA1

      d7276eccc032919c84fc05f206d3cdd0b40fe1fb

    • SHA256

      b72d402fce699b21bbf0a4a86ab9fb7f8a083aeacd4f797be7a7f6f91ef93d62

    • SHA512

      8eb238cd34668c12779553b7ef15cbeb4d8dd7aac36b5f044c680b83b04f7e2564905625e14ae5c5e06e4e9b5ccdb1663a08aa63a95e176266d59924061a6ce8

    • SSDEEP

      768:/ip/4K0wirQK33PaH81Fej4w0kGvFONg4jjfS3XJWai:6Zr0wirt3/aEecbsg4sXJW

    Score
    3/10
    behavioral23behavioral24

    • Target

      $R9/Stubs/zlib

    • Size

      35KB

    • MD5

      346d3c8665f307a06aba85f8745360e8

    • SHA1

      de87ba7e2553f0efd531d30d6a5997dab9a6bc2f

    • SHA256

      c96383fe97a213140741bf5df71f322753200c094cb22db634e050d2be744a4f

    • SHA512

      6d9910251618226bfd94c94661b86db0b6c07d5dbc5445cbd0ae7bd34fc42e0b2af53fbd14b57969cda9deb747dae7837209eb4c61b4b130b0170f584b839aa2

    • SSDEEP

      768:x0gFJMBrbxJQJFiXDYwQ5NTdKqP5sCOfZ7jrG0D3cjfS3XJQai:xfYBrbzmFizYwUK1G0DRXJQ

    Score
    3/10
    behavioral25behavioral26

    • Target

      $R9/makensis.exe

    • Size

      484KB

    • MD5

      e79833cb0d7b2573819ded2122b57bdd

    • SHA1

      71ead8cd4a95704a0cade630bb3ce280af7e028e

    • SHA256

      572a6f9cb5b37b6eec13b578d346c2568ce3ec88bb711d75dac9e82fc01c8860

    • SHA512

      4b023e60392ead0691621a1306286fda6cdc4c447f164c8f249c59db2500d8b98514d93c7a7e8d3cfd60818d2ca74e84ec24163492765b6c17fe94ea0385bd69

    • SSDEEP

      12288:LhHlj+wtKJVIo9ZoACV6sil8+eSycI+Tt0XCyzLHWj:Lxl+0KJVpneV6siy+I+TtcCyzLHW

    Score
    1/10
    behavioral27behavioral28

    • Target

      $TEMP/tftp.exe

    • Size

      92KB

    • MD5

      c9869112b8ea084c76f34dbba826f828

    • SHA1

      e209c404bb404ec87b0b1cfd4577999f0064eb25

    • SHA256

      bd2a4c80801303a763c0ed0ca329744fa4d514ecedd635703108c034a62a6cea

    • SHA512

      474c113a2bb7c544027fe6fc433bbeae9616098248af4a62a1e470daa54ec97b023e72ed2cdc2eddcfbd967525b44b57f9508ec8543892bed9ab0982d2491bdc

    • SSDEEP

      1536:SOiJzywynfnJ0t1Pv2DURV0Q6aoxPxNUqwGI7Uns:4fyfJ0f2wR1VUns

    Score
    10/10
    discovery

    • Contacts a large (1053) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery
    behavioral29behavioral30

    • Target

      gemme ya booty/c.sh

    • Size

      996B

    • MD5

      0a746666a3c70b422673c91741cfbcbd

    • SHA1

      3f946cc6aa0ef42705c6e52c697aa6908ed3e0c0

    • SHA256

      691740332f2f6663cb2a7b774077317dedf6fc9921ee215209d4dd8f3247abad

    • SHA512

      71c8af30d205978b3847d6c149601d2d51d83b6945156017186335e28ca3114d75053f4d156a0c9a6add1a2ce132e2c96b38e671ff00665bde34d558a68259b1

    Score
    3/10
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Tasks

static1

vmprotect
Score
7/10

behavioral1

discoverypersistence
Score
8/10

behavioral2

discoverypersistence
Score
8/10

behavioral3

Score
3/10

behavioral4

Score
3/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

vmprotect
Score
7/10

behavioral8

vmprotect
Score
7/10

behavioral9

vmprotect
Score
7/10

behavioral10

vmprotect
Score
7/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

Score
8/10

behavioral16

Score
8/10

behavioral17

discovery
Score
8/10

behavioral18

discovery
Score
10/10

behavioral19

Score
3/10

behavioral20

Score
3/10

behavioral21

Score
3/10

behavioral22

Score
3/10

behavioral23

Score
3/10

behavioral24

Score
3/10

behavioral25

Score
3/10

behavioral26

Score
3/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

discovery
Score
10/10

behavioral30

discovery
Score
10/10

behavioral31

Score
3/10

behavioral32

Score
3/10