Overview

overview

10

Static

static

3

9bb0954a71...40.exe

windows7-x64

7

9bb0954a71...40.exe

windows7-x64

7

9bb0954a71...40.exe

windows10-1703-x64

8

9bb0954a71...40.exe

windows10-2004-x64

7

9bb0954a71...40.exe

windows11-21h2-x64

10

Resubmissions

26-04-2024 07:51

240426-jp4xwacb3v 10

26-04-2024 07:51

240426-jp4l4scb3t 10

26-04-2024 07:51

240426-jp31kscb53 8

26-04-2024 07:51

240426-jpwaqscb47 10

26-04-2024 07:51

240426-jpvn7scb2x 7

25-04-2024 12:59

240425-p8jzpsba43 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40

  • Size

    1.9MB

  • Sample

    240426-jp4xwacb3v

  • MD5

    1457ef90efde49a7ee83080ce051d6f7

  • SHA1

    8ca6d983fe2997fa7009458383b84e0d1edeb279

  • SHA256

    9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40

  • SHA512

    582628e02510812e0ed06cc05a1bfb98e96f019935efb71d23dd94745a0c5db12771bf0c81579dd7ad4f44b90e7192b95d5d2ed4a6649adc00b486c28df643d0

  • SSDEEP

    49152:Vbe6aahW7iaBUHvG+vxz90ChL0WF+UIGDDS/NL:vaaA7iYb+dtQWFZvSR

Score
10/10
discoverymotwpersistencephishingupx

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    gsbstb.apphost.in
  • Port:
    21
  • Username:
    24121206901@gsbstb.apphost.in
  • Password:
    Yatingr8

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    gsbstb.apphost.in
  • Port:
    21
  • Username:
    24121206901
  • Password:
    Yatingr8

Targets

    • Target

      9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40

    • Size

      1.9MB

    • MD5

      1457ef90efde49a7ee83080ce051d6f7

    • SHA1

      8ca6d983fe2997fa7009458383b84e0d1edeb279

    • SHA256

      9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40

    • SHA512

      582628e02510812e0ed06cc05a1bfb98e96f019935efb71d23dd94745a0c5db12771bf0c81579dd7ad4f44b90e7192b95d5d2ed4a6649adc00b486c28df643d0

    • SSDEEP

      49152:Vbe6aahW7iaBUHvG+vxz90ChL0WF+UIGDDS/NL:vaaA7iYb+dtQWFZvSR

    Score
    10/10
    discoverypersistenceupxmotwphishing

    • Contacts a large (798) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Network Service Discovery

2
T1046

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks