Resubmissions

30-04-2024 21:32

240430-1dsh5sgb5w 10

26-12-2023 17:34

231226-v5wrzsabgn 10

13-12-2023 16:11

231213-tmycesfacp 10

General

  • Target

    13478994921.zip

  • Size

    44.4MB

  • MD5

    44d3f87708aba8171f36a82a9093de63

  • SHA1

    e6649e277bd431283237a69358e2d8224f08901f

  • SHA256

    f3312ae135274af9cb757246376d2309f6feedf27476099d7b987b78bd61bca7

  • SHA512

    929e839104a46651958fd0c9c88a6de6545200c27cdc4ed61276e8b2ae561fb8d28d830916cae03c8285b1e09c4245fe94c36c70dbfdefd946a57ddc1f353bf1

  • SSDEEP

    786432:dqQIaM8wVO5gcEk9GzTTps9KLP0HIzyB1tsxkYYSM0HoqegVFKKaxTIC:dBIEfT9GTpMKL8HFBYYSMsSx

Malware Config

Extracted

Family

icedid

Extracted

Family

metasploit

Version

windows/reverse_nonx_tcp

C2

10.10.1.21:4444

Signatures

  • 888rat family
  • Android 888 RAT payload 1 IoCs
  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.

  • Detected LegionLocker ransomware 1 IoCs

    Sample contains strings associated with the LegionLocker family.

  • Detected TEARDROP fileless dropper 1 IoCs

    TEARDROP is a memory-only dropper which can read files/registry keys, decode an embedded payload, and load it directly into memory.

  • EvilNum C# Component 1 IoCs
  • Evilnum family
  • Growtopia family
  • Guloader family
  • Guloader payload 1 IoCs
  • IcedID First Stage Loader 1 IoCs
  • Icedid family
  • Legionlocker family
  • LoaderBot executable 1 IoCs
  • Loaderbot family
  • M00nD3v Logger payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

  • M00nd3v_logger family
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Masslogger family
  • Matiex Main payload 1 IoCs
  • Matiex family
  • Metasploit family
  • Nanocore family
  • NetWire RAT payload 1 IoCs
  • Netwire family
  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Teardrop family
  • XMRig Miner payload 1 IoCs
  • Xmrig family
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

  • Office document contains embedded OLE objects 1 IoCs

    Detected embedded OLE objects in Office documents.

Files

  • 13478994921.zip
    .zip

    Password: infected

  • be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0
    .dll windows:5 windows x64 arch:x64

    Password: infected
