General
- Target: 990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d
- Size: 11KB
- Sample: 240417-gz9vrsff88
- MD5: 0e2ad53c884e25f969b3a575f4bb90bb
- SHA1: 81e774fe109ddc9185ad3fb68995a069ce9045e0
- SHA256: 990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d
- SHA512: e1d6fd39e8a9fb63c5d1c28ada97529a5813ae27efc68655d5f58c3f65f431c5ffb4dd2169973738d32cb8ad62134d3931dff184793439b833258e94fb3264a9
- SSDEEP: 192:Gvhfn4XrNhcu214mAj+QHzdPbwPz1ULU87glpK/b26J4/2615:4fnysu2U+qzZ0ULU870gJI
Static task
- static1
Behavioral tasks
- behavioral1: sample 990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d.exe, resource win10-20240404-en
- behavioral2: sample 990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d.exe, resource win7-20240221-en
- behavioral3: sample 990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d.exe, resource win10-20240404-en
- behavioral4: sample 990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d.exe, resource win10v2004-20240226-en
- behavioral5: sample 990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d.exe, resource win11-20240412-en
Malware Config
Extracted
- https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe
Extracted: asyncrat
- AWS | 3Losh
- EXDOUS
- rootsaul.duckdns.org:8808
- rootsaul.duckdns.org:6666
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Extracted: remcos
- Quotation
- bossnacarpet.com:30902
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: chrome-E5S2GX
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Extracted: redline
- @cloudcosmic (https://cloudcosmic.store)
- 87.121.105.175:14845
Extracted: amadey
- 4.12
- http://185.172.128.19
- install_dir: cd1f156d67
- install_file: Utsysc.exe
- strings_key: 0dd3e5ee91b367c60c9e575983554b30
- url_paths: /ghsdh39s/index.php
Extracted
- Protocol: smtp
- Host: smtp.gfs-ld.com
- Port: 587
- Username: origin@gfs-ld.com
- Password: @WlgG%V9
Extracted: redline
- Test1234
- 185.215.113.67:26260
Extracted: lumma
- https://pushjellysingeywus.shop/api
- https://entitlementappwo.shop/api
- https://economicscreateojsu.shop/api
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: viorel5000@yandex.ru
- Password: fknhxyuavrcsphhd
- Email To: viorel5000@yandex.ru
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect Xworm Payload
- Detect ZGRat V1
- Quasar payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- StormKitty payload
- XMRig Miner payload
- Async RAT payload
- Creates new service(s)
- Downloads MZ/PE file
- Stops running service(s)
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: 2
- Windows Service: 2
- Pre-OS Boot: 1
- Bootkit: 1
- Scheduled Task/Job: 1
Privilege Escalation
- Create or Modify System Process: 2
- Windows Service: 2
- Scheduled Task/Job: 1
Defense Evasion
- Impair Defenses: 1
- Scripting: 1
- Pre-OS Boot: 1
- Bootkit: 1
- Subvert Trust Controls: 1
- Install Root Certificate: 1
- Modify Registry: 1