Overview

overview

10

Static

static

3

079d3ed502...04.exe

windows10-1703-x64

8

079d3ed502...04.exe

windows7-x64

8

079d3ed502...04.exe

windows10-1703-x64

8

079d3ed502...04.exe

windows10-2004-x64

7

079d3ed502...04.exe

windows11-21h2-x64

10

Resubmissions

07-05-2024 08:45

240507-kn5nfsha6t 10

07-05-2024 08:45

240507-kn42xsbg96 10

07-05-2024 08:44

240507-knlkksbg83 10

07-05-2024 08:44

240507-knky2sbg79 10

07-05-2024 08:44

240507-knknaabg78 10

25-04-2024 13:01

240425-p9hg9sah6z 7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04

  • Size

    1.8MB

  • Sample

    240507-kn42xsbg96

  • MD5

    05e0bbeb4452eb1e90ba6e2c730519df

  • SHA1

    a231b7fc6fd2ac37f29d0c20531dba861fc3afa9

  • SHA256

    079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04

  • SHA512

    3ba2dd278cf8e6b91c8b44839e37bb47f64262de2d42341711acfa0e790491690c965cac9d39de9c76105004dfa0dee34f391ff0d01097f8bf262d94300e78f1

  • SSDEEP

    49152:/gceKimpc/OM9yeF/WRG+jFvmpQtySk5kf:/gpKBp6O8yeFIG+jVaH

Score
10/10
discoverymotwpersistencephishingupx

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    halogamingleague.com
  • Port:
    21
  • Username:
    poweredby@halogamingleague.com
  • Password:
    spartanmdx7

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    studiorighi.net
  • Port:
    21
  • Username:
    office@studiorighi.net
  • Password:
    zopanyqo

Targets

    • Target

      079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04

    • Size

      1.8MB

    • MD5

      05e0bbeb4452eb1e90ba6e2c730519df

    • SHA1

      a231b7fc6fd2ac37f29d0c20531dba861fc3afa9

    • SHA256

      079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04

    • SHA512

      3ba2dd278cf8e6b91c8b44839e37bb47f64262de2d42341711acfa0e790491690c965cac9d39de9c76105004dfa0dee34f391ff0d01097f8bf262d94300e78f1

    • SSDEEP

      49152:/gceKimpc/OM9yeF/WRG+jFvmpQtySk5kf:/gpKBp6O8yeFIG+jVaH

    Score
    10/10
    discoverypersistenceupxmotwphishing

    • Contacts a large (683) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Network Service Discovery

2
T1046

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks