Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://samples.vx-u...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.09.7z

  • Sample

    240424-t8jq6add32

Score
10/10
agentteslaemotetlokibotmassloggermodiloadernjratsystembczgratepoch1epoch3bankercollectionevasionkeyloggermacromacro_on_actionpersistenceratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.drivehq.com
  • Port:
    21
  • Username:
    donatopizza

Extracted

Family

modiloader

C2

https://cdn.discordapp.com/attachments/753549570230976536/754626602951770172/Dpgibbn

Extracted

Family

emotet

Botnet

Epoch3

C2

118.2.218.1:80

51.254.140.91:7080

5.9.227.244:8080

51.75.163.68:7080

75.127.14.170:8080

101.50.232.218:80

175.139.144.229:8080

139.59.12.63:8080

2.144.244.204:443

175.29.183.2:80

86.98.143.163:80

210.1.219.238:80

73.84.105.76:80

185.208.226.142:8080

91.75.75.46:80

188.251.213.180:443

88.249.181.198:443

77.74.78.80:443

181.137.229.1:80

190.136.179.102:80
rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch1

C2

128.92.203.42:80

37.187.161.206:8080

202.29.239.162:443

80.87.201.221:7080

190.188.245.242:80

12.163.208.58:80

213.197.182.158:8080

201.213.177.139:80

62.84.75.50:80

45.33.77.42:8080

185.183.16.47:80

78.249.119.122:80

177.129.17.170:443

51.15.7.189:80

152.169.22.67:80

119.106.216.84:80

109.169.12.78:80

51.15.7.145:80

219.92.13.25:80

190.117.79.209:80
rsa_pubkey.plain

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    tt.swift@yandex.com
  • Password:
    Sages101*

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.gautengelectrical.co.za
  • Port:
    587
  • Username:
    sales@gautengelectrical.co.za
  • Password:
    *2wo)L6EXH7%
  • Email To:
    clerf@keithwilliamgroup.com

Extracted

Family

systembc

C2

knock0909.monster:4035

knock0909.xyz:4035

Targets

    • Target

      https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.09.7z

    Score
    10/10
    agentteslaemotetlokibotmassloggermodiloadernjratsystembczgratepoch1epoch3bankercollectionevasionkeyloggermacromacro_on_actionpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect ZGRat V1

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger Main payload

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • AgentTesla payload

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • ModiLoader First Stage

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

      macromacro_on_action

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Proxy

1
T1090

Impact

Resource Development

Reconnaissance

Tasks