Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

General

  • Target

    7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

  • Size

    289.5MB

  • Sample

    240419-djmthsfh8w

  • MD5

    405394c381ca2000e01428e79d03cecb

  • SHA1

    cb41f1d9e06c1b783378a43486c7d997a3635b68

  • SHA256

    7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

  • SHA512

    40266c79a3d2c010882cfc4b237c6d27989dc385fd23d8bafe89e4ff329a181fed4ba44dac91187ffd2698d51af44454917e901375aa0dc87624ec956f12f80d

  • SSDEEP

    6291456:BN08aneiYsmfO6eRtz+WmPn4auzQgHDXuDFHVfuc1Fyn6RQuj3jN31S:j08aneo2eTTI2NHDXuDjxPyn6zj3jN3M

Malware Config

Extracted

Family

gafgyt

C2

94.156.64.4:42516

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

blacknet

Botnet

HacKed

C2

http://botnetera.pagekite.me/

Mutex

BN[pjClIrDI-2470224]

Attributes
  • antivm

    true

  • elevate_uac

    true

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    35dcbc7eb742dd4f1edfbccf7826c724

  • startup

    false

  • usb_spread

    false

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

xworm

C2

involved-hurt.gl.at.ply.gg:35238

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    WindowsHealthSystem.exe

Extracted

Family

redline

Botnet

cheat

C2

0.tcp.eu.ngrok.io:18950

Extracted

Family

mirai

C2

hoiiaz.iaz.coby

Extracted

Family

redline

Botnet

tg

C2

163.5.112.53:51523

Extracted

Family

stealc

C2

http://185.216.70.109

Attributes
  • url_path

    /eb488f9cb9d466ca.php

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

MIRAI

C2

client.orxy.space

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

lumma

C2


Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

snakekeylogger

C2

https://scratchdreams.tk

Targets

    • Target

      0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf

    • Size

      115KB

    • MD5

      864bda0dc36b639210f886e6968394b7

    • SHA1

      6e5d6d3cfeae7f5b0cb4987ea35fbfc4ea100527

    • SHA256

      0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7

    • SHA512

      37cfcf70855ad24970cd76e911d39ddd788090f1e0bb8815b8d41af00b38dd66e6bcd57ab3102cac3a2e896c135ea7a9f3b1ed50839373056b3037261d80a87b

    • SSDEEP

      3072:6oLEcVdOAnowHfbEqyas7J3UPwenmvI0PDGnSQNER:6oLEcPOAnowLyaoJ3ajnmvI0PDGnSQNM

    Score
    1/10
    • Target

      068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26.exe

    • Size

      2.7MB

    • MD5

      853a9918a66c6de88c9d8577726f2605

    • SHA1

      36b6e43bcd91cdb0ca35c48a3b8644ba0d51f305

    • SHA256

      068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26

    • SHA512

      7980da87d70698ea26bf2109174cdbad041ff1c35ef19beb29985fa6a9ffeaa17df920b7ad9331700863cf7cc7b492e06fa1b9ff06a35e14779b742559d04489

    • SSDEEP

      24576:W0FRFbz9JmGF6uabHxZ2/AVWcE1+APcSs+x4HRjcKx+Afz0bRK+m4pGAhiBLqx7I:Wc5/mGJae/AJcBPcRjcA+AYDZLx7acT

    Score
    1/10
    • Target

      087421ac222e935579dfd3b7a5120451fd9d9a663d3d1872c04b6154b238c894.elf

    • Size

      29KB

    • MD5

      caa62fc5426fda5bb51dd6dcfc804b5b

    • SHA1

      c1648ab78484ea318efa729b41f0fff80772a8b3

    • SHA256

      087421ac222e935579dfd3b7a5120451fd9d9a663d3d1872c04b6154b238c894

    • SHA512

      5b6678cc985a4e180032c2ef9ecc094b22ea2c7de3ab2cc9bfa265ef444c13582bcb3183125ab1193d9f5a45ceee46ff49d5773532242f8821d8ba845b39a460

    • SSDEEP

      768:Mqa+lipfbBFUDuQZHAOrvWj6rRjrM1u2BYiQnUWsx:0bB2aQZJvWjyhL2BY7nix

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Class file contains resources related to AdWind

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019, capable of loading additional plugins.

    • Detect Xworm Payload

    • Detect ZGRat V1

    • Detected Gafgyt variant

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Async RAT payload

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      0c4791a6b47491a0c43cea0ba54357e391a3c8b23aa28025489bbe43bb9ea6ea.elf

    • Size

      50KB

    • MD5

      386982ad3916c76d79d706af4d8639fc

    • SHA1

      9b4e80785492dbbfc8c585587851bce3844f48a2

    • SHA256

      0c4791a6b47491a0c43cea0ba54357e391a3c8b23aa28025489bbe43bb9ea6ea

    • SHA512

      24ba01f9473a9fd5d5e8e0056952147f5ac2a9b166552dfc25fccf36b3b82e2eb608f0fc6994a92546617586cba82ef9469e9785d48e7f8d4875d2492c90ea1f

    • SSDEEP

      1536:EFE+30g4zbPVfqnB+1F5WfLKSMdD6elLB:0E+3szbtP13sL6h9BB

    Score
    10/10
    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • Target

      0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe

    • Size

      725KB

    • MD5

      4b0a935fbc037ea00bf17468d4cf5b85

    • SHA1

      169cd19c1d29bebd2c7fe5a8de25b1429f8f2aed

    • SHA256

      0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea

    • SHA512

      0bee469d0188505772af1fd9af4a6710c201475340045b97024102a63aaba14f940e6ee36d118d338e836b4ee7ba03387001ce81724c4f4433123f5b9d83dd4f

    • SSDEEP

      12288:w6Wq4aaE6KwyF5L0Y2D1PqL5C38Lua13KVsrOQW60Ztsmhv3:GthEVaPqL58F2rBjmB3

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70.exe

    • Size

      149KB

    • MD5

      d466c92a9ed1b0dd7a9789d24182b387

    • SHA1

      619c3496cb1494bcabbae38bf78bceb501608a7a

    • SHA256

      0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70

    • SHA512

      2fe67183a79118853f89b97bc0e43b74ce02692be8e5fa4e79e45fb09010d599b961191913c3836652536b2382321d8a5191921965aeea85616127ba2e6ac6bb

    • SSDEEP

      3072:cs2t+jk/d1uce+aD7UKg6THMGANMemOI:E7ufgKg6TsvI

    Score
    1/10
    • Target

      10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat

    • Size

      1.1MB

    • MD5

      4030841f8cd4b3ac37ab0a0b9332f3a5

    • SHA1

      6d05584de372399fbadd59a1e6a1eefee90f8725

    • SHA256

      10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1

    • SHA512

      a8c40c3fa3f7f9ba47eed94a55a2562719073fd568d4aa96a081a46ce150e0b068b453e812eaef3fe15cafae3b66127e23ed4d72669173c8c254ba58d32534c0

    • SSDEEP

      24576:+NAwcGqisVN8rXpLOnM+YCftp99Jj9Pgxp1QrKDI:+NKVVsxmt9j

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe

    • Size

      14.4MB

    • MD5

      ecaa6f88c3b6594914a8ffde04fd5d84

    • SHA1

      885e4370299d369f7285ba5f2c544cbcd70a5fd0

    • SHA256

      11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432

    • SHA512

      94712c9ceddc1e2abd7ec19dc39bf2cbea54d3430f66887e2e0861c2cdb4c4ee24c39d3140c9374e826049516b814c3fcfcf4c49402bc5c2335d87bc0ee67f83

    • SSDEEP

      393216:hp8QGQCKH9iqYCfy8tW5MrYR0aioa4CMRmrrCZRBkyQzy:v8QGrK5GXR9ioaJMRmrrdysy

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5.exe

    • Size

      6.9MB

    • MD5

      755c6c74f65a7eb6fac438c71232090b

    • SHA1

      ecd899ca1c4764a57a8a15f7ac41624196f1a4e7

    • SHA256

      16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5

    • SHA512

      f0dcf9c4d84708a6dd665c53d0d8b72209de79cd571836a496d9cf3dbdc757f82a69e6788b2037484720fa6e966ff5c6719be4f7faa36486561856b1f7e6379c

    • SSDEEP

      3072:MNA/391UUU35AkH+wWtailGlIQZboLRM9ua/aHyvZRVed2idrTj4i4MzNrpFFbmO:MNALUU4T7sGlVbAP//zNCbuIQ

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      17691f0962027e7110f727ae997f8af5885dd783674d1db023d467ec478515b7.elf

    • Size

      177KB

    • MD5

      a34eeacb65f86c57bdea56175af169ef

    • SHA1

      6f474269c97412679d64187a3e99eec1707b4200

    • SHA256

      17691f0962027e7110f727ae997f8af5885dd783674d1db023d467ec478515b7

    • SHA512

      7e763bec443a758df9c6f322087a07cf12406a5b46ba6049ddf3fd33c780f1bbe32cd7dd7e7fb19f9a43bd4d168984de1df925c525304099e6f8cd44947da432

    • SSDEEP

      3072:Mwoe3s52Zt9nQiX/GpO1SMRpp6NWJdWQwi:MnSskZDQiX/2ObRWoDWf

    Score
    7/10
    • Changes its process name

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Target

      17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12.exe

    • Size

      4.6MB

    • MD5

      8ceb3a5e7da3309b307a2407298a7cee

    • SHA1

      c7b571e5020866e068c8b780782be72cf5f8df3f

    • SHA256

      17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12

    • SHA512

      80a5cd2d600cee52ac02dd2534c7415a714e41d403486dac3e181706f5ea1a63f610c46b09c46035d60462f2b20bc5fdaf8e4ca1aafaa0ffaadd9430ea3b7277

    • SSDEEP

      98304:jf3t4BNLhoAfN/BKhtrW4+UbTRS2S6A4nzSHkKZkWKR/J7gyTT:jf3t4zNoAFYhdW4ZJzfOkCkWu/dgO

    Score
    3/10
    • Target

      $PLUGINSDIR/AccessControl.dll

    • Size

      15KB

    • MD5

      d74bb4447af48da081c7d9b499f3a023

    • SHA1

      dadf6e140e6fd8e49a1851cc144bb022e0adb185

    • SHA256

      5fd5d8aec97cffaad9b7df6371b348d436cf1401e86fab614dc4cb8575428e52

    • SHA512

      9a15de5c6b08914f5e5bbc1c318fb0e84da28a316cf51ccddca8dfb64cd67b7ad06acac307b41d5086a0740055d327007ff890807d6853bb2e767179a3b3d758

    • SSDEEP

      192:0hdGZ2E0hm+Gc7ROMzCPvXWROt086dXHGrEKcDDi0b5ZsgMgiCXyo1Fp01eLLuIt:0hdGZ2E0YWV2908oj21ILud8

    Score
    3/10
    • Target

      $PLUGINSDIR/nsProcess.dll

    • Size

      4KB

    • MD5

      faa7f034b38e729a983965c04cc70fc1

    • SHA1

      df8bda55b498976ea47d25d8a77539b049dab55e

    • SHA256

      579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

    • SHA512

      7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

    • SSDEEP

      48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR

    Score
    3/10
    • Target

      CommandPost.exe

    • Size

      7.9MB

    • MD5

      cb97105462eb022605c2b6d434c30aba

    • SHA1

      c3b2e2b94aecfda319b5b97d92580d20abdafe58

    • SHA256

      f27af6504285706f0a32470955a45c9b6f6f860cd73580b7074aa2277d033388

    • SHA512

      74b0959ca537d780ded779a45f4ed5198f563d63fa742badfd05f7a03caf9271cb6649ccbd6a16eee92bfd2026629e9d4658680bd1fe150df86f6de506df6eb9

    • SSDEEP

      196608:u5BKd5QJ+ENE7qXlfvpkSIR5sTyC6M/+3rb:u/KwtJvpkS/yC8

    Score
    3/10
    • Target

      Uninstall.exe

    • Size

      79KB

    • MD5

      c35f0cb2adc35c19ef16e847d81cf2fd

    • SHA1

      4b327c5296fcccc72b0e55e923cb2a9d4049beef

    • SHA256

      9a2f76a40341a4ede271813c27e8da28da3108709b6c99f22abde151f60793e8

    • SHA512

      44bc72732bc66ca23cc3ff0c30a57eb7fe2e3f2cf78f35eea5699cc571bde12e54da73aeebecd8ff4524f7e397dc86865034e03b25b3af366a88a3e091b0c6e8

    • SSDEEP

      1536:JmsAYBdTU9fEAIS2PEtuLgjiLrGAv00ef3a:IfY/TU9fE9PEtuL+arGAK/a

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/nsProcess.dll

    • Size

      4KB

    • MD5

      faa7f034b38e729a983965c04cc70fc1

    • SHA1

      df8bda55b498976ea47d25d8a77539b049dab55e

    • SHA256

      579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

    • SHA512

      7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

    • SSDEEP

      48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR

    Score
    3/10
    • Target

      1816cd993ddda970b791b090e6ecb501ef923bdcc0cc5f4a99e18dcdb7093228.exe

    • Size

      1.7MB

    • MD5

      74a37bb794ed287696eac4495ffae13f

    • SHA1

      0097bc646687e8441db0079c3f85320be39e4a13

    • SHA256

      1816cd993ddda970b791b090e6ecb501ef923bdcc0cc5f4a99e18dcdb7093228

    • SHA512

      17770d69d3792f1663d58d2d5c1b1cbcac04ac9ef85c0416bb4f69ca3410b710953f384039999e8719a798bf4cd751226a2282affb7f959197eeccb782126950

    • SSDEEP

      24576:s7FUDowAyrTVE3U5F/9GqKVKic6QL3E2vVsjECUAQT45deRV9RZ:sBuZrEUwzKIy029s4C1eH93

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v13)

Credential Access

  • Unsecured Credentials (4) T1552

  • Credentials In Files (3) T1552.001

  • Credentials in Registry (1) T1552.002

Discovery

  • System Information Discovery (6) T1082

  • Query Registry (1) T1012

Collection

  • Email Collection (2) T1114

  • Data from Local System (4) T1005

Tasks

static1

upx backdoor sora mirai hacked rat cheat tg pyinstaller gafgyt mirai xzutil blacknet triada dcrat zgrat xworm asyncrat redline sectoprat socks5systemz irata stealc adwind
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

adwind asyncrat dcrat gafgyt mirai redline sectoprat xworm zgrat cheat mirai sora botnet infostealer rat trojan upx
Score
10/10

behavioral8

mirai sora botnet
Score
10/10

behavioral9

snakekeylogger collection keylogger stealer upx
Score
10/10

behavioral10

upx
Score
7/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
8/10

behavioral15

Score
7/10

behavioral16

lumma stealer
Score
10/10

behavioral17

collection spyware stealer
Score
7/10

behavioral18

collection spyware stealer
Score
7/10

behavioral19

Score
7/10

behavioral20

Score
3/10

behavioral21

Score
3/10

behavioral22

Score
3/10

behavioral23

Score
3/10

behavioral24

Score
3/10

behavioral25

Score
3/10

behavioral26

Score
3/10

behavioral27

Score
3/10

behavioral28

Score
7/10

behavioral29

Score
7/10

behavioral30

Score
3/10

behavioral31

Score
3/10

behavioral32

Score
7/10