Resubmissions

  • 09-04-2024 13:37    240409-qwz1tsbf5w    7

  • 09-04-2024 13:37    240409-qwzp3abf5v    7

  • 09-04-2024 13:37    240409-qwy4jabf5t    9

  • 09-04-2024 13:37    240409-qwyg1abf4z    8

  • 05-03-2024 02:32    240305-c1nlpsch53    9

General

  • Target

    92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

  • Size

    1.8MB

  • Sample

    240414-mmbebsfh93

  • MD5

    f41c9e6ca239395e71bcf027987282dc

  • SHA1

    560a973e308f20e0dbe64a38eaeaa22285ced049

  • SHA256

    92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b

  • SHA512

    cbf99c0e43b3a314ee6681f8655a269c0d51e4d40c10ea9c8571be30c5d69c0287c57be5b13e4fa7aecad7095efb4a741f1839dc9089251f41fa96f35011764a

  • SSDEEP

    24576:h7OEqlRKCYqoxOMto8enhtiQkbx6zWXXfKfzZn00Eze2aP4sjagjotkEz4RaZMjM:h7B50L7fiQ26zEXfId0vFaQgMh4pj

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    aisboard.org
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    201650643040691$

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    aisboard.org
  • Port:
    21
  • Username:
    rvps
  • Password:
    201650643040691$

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    aisboard.org
  • Port:
    21
  • Username:
    admin
  • Password:
    201650643040691$

Targets

    • Target

      92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

    • Contacts a large (772) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Network Service Discovery (T1046): 2

  • System Information Discovery (T1082): 1

Tasks