Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

General

  • Target

    7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

  • Size

    289.5MB

  • Sample

    240422-1xtwbagh68

  • MD5

    405394c381ca2000e01428e79d03cecb

  • SHA1

    cb41f1d9e06c1b783378a43486c7d997a3635b68

  • SHA256

    7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

  • SHA512

    40266c79a3d2c010882cfc4b237c6d27989dc385fd23d8bafe89e4ff329a181fed4ba44dac91187ffd2698d51af44454917e901375aa0dc87624ec956f12f80d

  • SSDEEP

    6291456:BN08aneiYsmfO6eRtz+WmPn4auzQgHDXuDFHVfuc1Fyn6RQuj3jN31S:j08aneo2eTTI2NHDXuDjxPyn6zj3jN3M

Malware Config

Extracted
  • Family: gafgyt
  • C2: 94.156.64.4:42516

Extracted
  • Family: mirai
  • Botnet: SORA

Extracted
  • Family: mirai
  • Botnet: MIRAI

Extracted
  • Family: blacknet
  • Botnet: HacKed
  • C2: http://botnetera.pagekite.me/
  • Mutex: BN[pjClIrDI-2470224]
  • Attributes
      antivm: true
      elevate_uac: true
      install_name: WindowsUpdate.exe
      splitter: |BN|
      start_name: 35dcbc7eb742dd4f1edfbccf7826c724
      startup: false
      usb_spread: false

Extracted
  • Family: mirai
  • Botnet: MIRAI

Extracted
  • Family: xworm
  • C2: involved-hurt.gl.at.ply.gg:35238
  • Attributes
      Install_directory: %LocalAppData%
      install_file: WindowsHealthSystem.exe

Extracted
  • Family: redline
  • Botnet: cheat
  • C2: 0.tcp.eu.ngrok.io:18950

Extracted
  • Family: mirai
  • C2: hoiiaz.iaz.coby

Extracted
  • Family: redline
  • Botnet: tg
  • C2: 163.5.112.53:51523

Extracted
  • Family: stealc
  • C2: http://185.216.70.109
  • Attributes
      url_path: /eb488f9cb9d466ca.php

Extracted
  • Family: mirai
  • Botnet: SORA

Extracted
  • Family: mirai
  • Botnet: MIRAI
  • C2: client.orxy.space

Extracted
  • Family: mirai
  • Botnet: MIRAI

Extracted
  • Family: lumma
  • C2:
      https://interferencesandyshiw.shop/api
      https://cleartotalfisherwo.shop/api
      https://worryfillvolcawoi.shop/api
      https://enthusiasimtitleow.shop/api
      https://dismissalcylinderhostw.shop/api
      https://affordcharmcropwo.shop/api
      https://diskretainvigorousiw.shop/api
      https://communicationgenerwo.shop/api
      https://pillowbrocccolipe.shop/api

Extracted
  • Family: mirai
  • Botnet: SORA

Targets

    • Target

      0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf

    • Size

      115KB

    • MD5

      864bda0dc36b639210f886e6968394b7

    • SHA1

      6e5d6d3cfeae7f5b0cb4987ea35fbfc4ea100527

    • SHA256

      0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7

    • SHA512

      37cfcf70855ad24970cd76e911d39ddd788090f1e0bb8815b8d41af00b38dd66e6bcd57ab3102cac3a2e896c135ea7a9f3b1ed50839373056b3037261d80a87b

    • SSDEEP

      3072:6oLEcVdOAnowHfbEqyas7J3UPwenmvI0PDGnSQNER:6oLEcPOAnowLyaoJ3ajnmvI0PDGnSQNM

    Score
    1/10
    • Target

      068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26.exe

    • Size

      2.7MB

    • MD5

      853a9918a66c6de88c9d8577726f2605

    • SHA1

      36b6e43bcd91cdb0ca35c48a3b8644ba0d51f305

    • SHA256

      068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26

    • SHA512

      7980da87d70698ea26bf2109174cdbad041ff1c35ef19beb29985fa6a9ffeaa17df920b7ad9331700863cf7cc7b492e06fa1b9ff06a35e14779b742559d04489

    • SSDEEP

      24576:W0FRFbz9JmGF6uabHxZ2/AVWcE1+APcSs+x4HRjcKx+Afz0bRK+m4pGAhiBLqx7I:Wc5/mGJae/AJcBPcRjcA+AYDZLx7acT

    Score
    8/10
    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    • Target

      087421ac222e935579dfd3b7a5120451fd9d9a663d3d1872c04b6154b238c894.elf

    • Size

      29KB

    • MD5

      caa62fc5426fda5bb51dd6dcfc804b5b

    • SHA1

      c1648ab78484ea318efa729b41f0fff80772a8b3

    • SHA256

      087421ac222e935579dfd3b7a5120451fd9d9a663d3d1872c04b6154b238c894

    • SHA512

      5b6678cc985a4e180032c2ef9ecc094b22ea2c7de3ab2cc9bfa265ef444c13582bcb3183125ab1193d9f5a45ceee46ff49d5773532242f8821d8ba845b39a460

    • SSDEEP

      768:Mqa+lipfbBFUDuQZHAOrvWj6rRjrM1u2BYiQnUWsx:0bB2aQZJvWjyhL2BY7nix

    Score
    10/10
    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • Target

      0c4791a6b47491a0c43cea0ba54357e391a3c8b23aa28025489bbe43bb9ea6ea.elf

    • Size

      50KB

    • MD5

      386982ad3916c76d79d706af4d8639fc

    • SHA1

      9b4e80785492dbbfc8c585587851bce3844f48a2

    • SHA256

      0c4791a6b47491a0c43cea0ba54357e391a3c8b23aa28025489bbe43bb9ea6ea

    • SHA512

      24ba01f9473a9fd5d5e8e0056952147f5ac2a9b166552dfc25fccf36b3b82e2eb608f0fc6994a92546617586cba82ef9469e9785d48e7f8d4875d2492c90ea1f

    • SSDEEP

      1536:EFE+30g4zbPVfqnB+1F5WfLKSMdD6elLB:0E+3szbtP13sL6h9BB

    Score
    1/10
    • Target

      0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe

    • Size

      725KB

    • MD5

      4b0a935fbc037ea00bf17468d4cf5b85

    • SHA1

      169cd19c1d29bebd2c7fe5a8de25b1429f8f2aed

    • SHA256

      0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea

    • SHA512

      0bee469d0188505772af1fd9af4a6710c201475340045b97024102a63aaba14f940e6ee36d118d338e836b4ee7ba03387001ce81724c4f4433123f5b9d83dd4f

    • SSDEEP

      12288:w6Wq4aaE6KwyF5L0Y2D1PqL5C38Lua13KVsrOQW60Ztsmhv3:GthEVaPqL58F2rBjmB3

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70.exe

    • Size

      149KB

    • MD5

      d466c92a9ed1b0dd7a9789d24182b387

    • SHA1

      619c3496cb1494bcabbae38bf78bceb501608a7a

    • SHA256

      0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70

    • SHA512

      2fe67183a79118853f89b97bc0e43b74ce02692be8e5fa4e79e45fb09010d599b961191913c3836652536b2382321d8a5191921965aeea85616127ba2e6ac6bb

    • SSDEEP

      3072:cs2t+jk/d1uce+aD7UKg6THMGANMemOI:E7ufgKg6TsvI

    Score
    1/10
    • Target

      10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat

    • Size

      1.1MB

    • MD5

      4030841f8cd4b3ac37ab0a0b9332f3a5

    • SHA1

      6d05584de372399fbadd59a1e6a1eefee90f8725

    • SHA256

      10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1

    • SHA512

      a8c40c3fa3f7f9ba47eed94a55a2562719073fd568d4aa96a081a46ce150e0b068b453e812eaef3fe15cafae3b66127e23ed4d72669173c8c254ba58d32534c0

    • SSDEEP

      24576:+NAwcGqisVN8rXpLOnM+YCftp99Jj9Pgxp1QrKDI:+NKVVsxmt9j

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe

    • Size

      14.4MB

    • MD5

      ecaa6f88c3b6594914a8ffde04fd5d84

    • SHA1

      885e4370299d369f7285ba5f2c544cbcd70a5fd0

    • SHA256

      11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432

    • SHA512

      94712c9ceddc1e2abd7ec19dc39bf2cbea54d3430f66887e2e0861c2cdb4c4ee24c39d3140c9374e826049516b814c3fcfcf4c49402bc5c2335d87bc0ee67f83

    • SSDEEP

      393216:hp8QGQCKH9iqYCfy8tW5MrYR0aioa4CMRmrrCZRBkyQzy:v8QGrK5GXR9ioaJMRmrrdysy

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5.exe

    • Size

      6.9MB

    • MD5

      755c6c74f65a7eb6fac438c71232090b

    • SHA1

      ecd899ca1c4764a57a8a15f7ac41624196f1a4e7

    • SHA256

      16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5

    • SHA512

      f0dcf9c4d84708a6dd665c53d0d8b72209de79cd571836a496d9cf3dbdc757f82a69e6788b2037484720fa6e966ff5c6719be4f7faa36486561856b1f7e6379c

    • SSDEEP

      3072:MNA/391UUU35AkH+wWtailGlIQZboLRM9ua/aHyvZRVed2idrTj4i4MzNrpFFbmO:MNALUU4T7sGlVbAP//zNCbuIQ

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      17691f0962027e7110f727ae997f8af5885dd783674d1db023d467ec478515b7.elf

    • Size

      177KB

    • MD5

      a34eeacb65f86c57bdea56175af169ef

    • SHA1

      6f474269c97412679d64187a3e99eec1707b4200

    • SHA256

      17691f0962027e7110f727ae997f8af5885dd783674d1db023d467ec478515b7

    • SHA512

      7e763bec443a758df9c6f322087a07cf12406a5b46ba6049ddf3fd33c780f1bbe32cd7dd7e7fb19f9a43bd4d168984de1df925c525304099e6f8cd44947da432

    • SSDEEP

      3072:Mwoe3s52Zt9nQiX/GpO1SMRpp6NWJdWQwi:MnSskZDQiX/2ObRWoDWf

    Score
    6/10
    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Target

      17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12.exe

    • Size

      4.6MB

    • MD5

      8ceb3a5e7da3309b307a2407298a7cee

    • SHA1

      c7b571e5020866e068c8b780782be72cf5f8df3f

    • SHA256

      17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12

    • SHA512

      80a5cd2d600cee52ac02dd2534c7415a714e41d403486dac3e181706f5ea1a63f610c46b09c46035d60462f2b20bc5fdaf8e4ca1aafaa0ffaadd9430ea3b7277

    • SSDEEP

      98304:jf3t4BNLhoAfN/BKhtrW4+UbTRS2S6A4nzSHkKZkWKR/J7gyTT:jf3t4zNoAFYhdW4ZJzfOkCkWu/dgO

    Score
    3/10
    • Target

      1816cd993ddda970b791b090e6ecb501ef923bdcc0cc5f4a99e18dcdb7093228.exe

    • Size

      1.7MB

    • MD5

      74a37bb794ed287696eac4495ffae13f

    • SHA1

      0097bc646687e8441db0079c3f85320be39e4a13

    • SHA256

      1816cd993ddda970b791b090e6ecb501ef923bdcc0cc5f4a99e18dcdb7093228

    • SHA512

      17770d69d3792f1663d58d2d5c1b1cbcac04ac9ef85c0416bb4f69ca3410b710953f384039999e8719a798bf4cd751226a2282affb7f959197eeccb782126950

    • SSDEEP

      24576:s7FUDowAyrTVE3U5F/9GqKVKic6QL3E2vVsjECUAQT45deRV9RZ:sBuZrEUwzKIy029s4C1eH93

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      1b8cda768ba75d723b2b0b34cf955f7ec9469b4e33c6fde6494eefd60a139d8a.elf

    • Size

      142KB

    • MD5

      95917209bb8848eae1a1c23bc9f1d408

    • SHA1

      6a1d24d516661a8ce45621215d567005504abdee

    • SHA256

      1b8cda768ba75d723b2b0b34cf955f7ec9469b4e33c6fde6494eefd60a139d8a

    • SHA512

      a210dd4775612be960fbb2850f7a4f13680e40386b37ca05605434f9670e70d535fab839df9dd5b013910056a0cd8f32f163208af9ce890af789e485fab3a480

    • SSDEEP

      3072:PccxTBU5zIUJXXxhtn/aZ6OVCRLCSpO8BC:PciBy7JXhht/anmXpO8BC

    Score
    1/10
    • Target

      1df6acbc1106e17265fde3ab54b2a83fa8f6f39656d7c55481b2dbd66f1114b7.elf

    • Size

      115KB

    • MD5

      d465f896ac0fa592fd84f65824c424f2

    • SHA1

      307e056622700b43eebb6bb43080708fcd6e7990

    • SHA256

      1df6acbc1106e17265fde3ab54b2a83fa8f6f39656d7c55481b2dbd66f1114b7

    • SHA512

      7034166cf7c3e05f9555c4356b31c1ab9d1abb3b68f3483448bf1983a3fdad5adf5f38c1f32ee5de069a8b59c5b43e48b0f4abf776ab1246265bcfa1a434794b

    • SSDEEP

      3072:L+YUpmc5hIof5UM7XgYjykKdYmm/QcuLB126DNb:LwU1of5UMPyk2Ymm/QcuLB126DNb

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • Class file contains resources related to AdWind

    • DCrat

      DarkCrystal RAT.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Detect ZGRat V1

    • Detected Gafgyt variant

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

    • Irata

      Irata is an Iranian remote access trojan Android malware first seen in August 2022.

    • Irata payload

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Requests dangerous framework permissions

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      1e7706ed0492572474cd866f13778cc66c42b614b3d0b1d9af35727c051a50b0.elf

    • Size

      61KB

    • MD5

      013c472aa24c1a90c7d3d9f7cb429acf

    • SHA1

      c2d2332e6ae7896feb69591968752431656fac40

    • SHA256

      1e7706ed0492572474cd866f13778cc66c42b614b3d0b1d9af35727c051a50b0

    • SHA512

      0fc535975b93d62f32e54993413093b236d64aedb8fd76822d66988e85d9649833dca3479159b8e16dc92645a26c36b92ae9b422e642c94dacfd1c212184dd1c

    • SSDEEP

      768:WV8SNmQEPAPJD7E9NsB8UI8t/PMJTjKxVnjDbwqctNcjvwRgIP:WhNgPE7As8x8t/ETjKx9jDbDSGKP

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Credential Access
  • Unsecured Credentials (T1552): 4
      Credentials In Files (T1552.001): 3
      Credentials in Registry (T1552.002): 1

Discovery
  • System Information Discovery (T1082): 4
  • Query Registry (T1012): 1

Collection
  • Data from Local System (T1005): 4
  • Email Collection (T1114): 1

Tasks

Task            Score   Tags
static1         10/10   upx, backdoor, sora, mirai, hacked, rat, cheat, tg, pyinstaller, gafgyt, mirai, xzutil, blacknet, triada, dcrat, zgrat, xworm, asyncrat, redline, sectoprat, socks5systemz, irata, stealc, adwind
behavioral1     1/10
behavioral2     1/10
behavioral3     1/10
behavioral4     1/10
behavioral5     1/10
behavioral6     8/10
behavioral7     10/10   mirai, sora, botnet
behavioral8     1/10
behavioral9     7/10    upx
behavioral10    7/10    upx
behavioral11    1/10
behavioral12    1/10
behavioral13    1/10
behavioral14    8/10
behavioral15    7/10
behavioral16    10/10   lumma, stealer
behavioral17    7/10    collection, spyware, stealer
behavioral18    7/10    collection, spyware, stealer
behavioral19    6/10
behavioral20    3/10
behavioral21    3/10
behavioral22    7/10
behavioral23    7/10
behavioral24    1/10
behavioral25    1/10
behavioral26    1/10
behavioral27    10/10   adwind, dcrat, gafgyt, irata, mirai, redline, sectoprat, stealc, zgrat, mirai, sora, tg, botnet, infostealer, pyinstaller, rat, stealer, trojan, upx
behavioral28    1/10
behavioral29    1/10
behavioral30    1/10
behavioral31    1/10
behavioral32    1/10