Overview

overview

10

Static

static

3

92eb323e02...5b.exe

windows7-x64

7

92eb323e02...5b.exe

windows10-1703-x64

10

92eb323e02...5b.exe

windows10-2004-x64

7

92eb323e02...5b.exe

windows11-21h2-x64

7

Resubmissions

09-04-2024 13:37

240409-qwz1tsbf5w 7

09-04-2024 13:37

240409-qwzp3abf5v 7

09-04-2024 13:37

240409-qwy4jabf5t 9

09-04-2024 13:37

240409-qwyg1abf4z 8

05-03-2024 02:32

240305-c1nlpsch53 9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

  • Size

    1.8MB

  • Sample

    240414-mmbebsfh93

  • MD5

    f41c9e6ca239395e71bcf027987282dc

  • SHA1

    560a973e308f20e0dbe64a38eaeaa22285ced049

  • SHA256

    92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b

  • SHA512

    cbf99c0e43b3a314ee6681f8655a269c0d51e4d40c10ea9c8571be30c5d69c0287c57be5b13e4fa7aecad7095efb4a741f1839dc9089251f41fa96f35011764a

  • SSDEEP

    24576:h7OEqlRKCYqoxOMto8enhtiQkbx6zWXXfKfzZn00Eze2aP4sjagjotkEz4RaZMjM:h7B50L7fiQ26zEXfId0vFaQgMh4pj

Score
10/10
discoverymotwpersistencephishingupx

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    aisboard.org
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    201650643040691$

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    aisboard.org
  • Port:
    21
  • Username:
    rvps
  • Password:
    201650643040691$

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    aisboard.org
  • Port:
    21
  • Username:
    admin
  • Password:
    201650643040691$

Targets

    • Target

      92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

    • Size

      1.8MB

    • MD5

      f41c9e6ca239395e71bcf027987282dc

    • SHA1

      560a973e308f20e0dbe64a38eaeaa22285ced049

    • SHA256

      92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b

    • SHA512

      cbf99c0e43b3a314ee6681f8655a269c0d51e4d40c10ea9c8571be30c5d69c0287c57be5b13e4fa7aecad7095efb4a741f1839dc9089251f41fa96f35011764a

    • SSDEEP

      24576:h7OEqlRKCYqoxOMto8enhtiQkbx6zWXXfKfzZn00Eze2aP4sjagjotkEz4RaZMjM:h7B50L7fiQ26zEXfId0vFaQgMh4pj

    Score
    10/10
    motwpersistencephishingupxdiscovery

    • Contacts a large (772) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Network Service Discovery

2
T1046

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks