Overview

overview

10

Static

static

3

bee5a87940...d8.exe

windows7-x64

7

bee5a87940...d8.exe

windows10-1703-x64

8

bee5a87940...d8.exe

windows10-2004-x64

7

bee5a87940...d8.exe

windows11-21h2-x64

10

Resubmissions

12-04-2024 14:24

240412-rq4mhabb49 10

12-04-2024 14:23

240412-rqj8vseb6x 10

12-04-2024 14:23

240412-rqhp2abb46 8

12-04-2024 14:23

240412-rqhd9seb6w 8

12-04-2024 14:23

240412-rqgsqseb6v 8

09-04-2024 07:30

240409-jb97qsch3w 10

09-04-2024 07:30

240409-jb2wcshe88 10

09-04-2024 07:29

240409-jba3mscg9s 10

09-04-2024 07:28

240409-ja2h7she62 7

29-03-2024 02:37

240329-c4jf6aga87 9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

  • Size

    1.9MB

  • Sample

    240412-rqj8vseb6x

  • MD5

    bab406ad3b0603a45625755ffbccce49

  • SHA1

    7ce0bd31c68c5b54854098acad195b7a8d804939

  • SHA256

    bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8

  • SHA512

    a85ca2bc5ab42f8d32856a87c665b66df7d8e1c1ebbb143015d06fcc1bddba1faf684e2ee1d2a572f5ed04edf3a061837c293b5c1e3d2214864b90d8a68d25cc

  • SSDEEP

    49152:hgWDef4IXn7EvfNf+x83OeG5ztpAEq2pe2n9SCtQV:hvo49fk83ONztiEqz2nA

Score
10/10
discoverymotwpersistencephishingupx

Malware Config

Extracted

Credentials

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    sipeges.it
  • Port:
    21
  • Username:
    eventi
  • Password:
    2022M

Targets

    • Target

      bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

    • Size

      1.9MB

    • MD5

      bab406ad3b0603a45625755ffbccce49

    • SHA1

      7ce0bd31c68c5b54854098acad195b7a8d804939

    • SHA256

      bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8

    • SHA512

      a85ca2bc5ab42f8d32856a87c665b66df7d8e1c1ebbb143015d06fcc1bddba1faf684e2ee1d2a572f5ed04edf3a061837c293b5c1e3d2214864b90d8a68d25cc

    • SSDEEP

      49152:hgWDef4IXn7EvfNf+x83OeG5ztpAEq2pe2n9SCtQV:hvo49fk83ONztiEqz2nA

    Score
    10/10
    discoverypersistenceupxmotwphishing

    • Contacts a large (714) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Network Service Discovery

2
T1046

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks