Resubmissions

Date              Sample ID           Score
07-05-2024 08:45  240507-kn5nfsha6t   10
07-05-2024 08:45  240507-kn42xsbg96   10
07-05-2024 08:44  240507-knlkksbg83   10
07-05-2024 08:44  240507-knky2sbg79   10
07-05-2024 08:44  240507-knknaabg78   10
25-04-2024 13:01  240425-p9hg9sah6z    7

General

  • Target

    079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04

  • Size

    1.8MB

  • Sample

    240507-knlkksbg83

  • MD5

    05e0bbeb4452eb1e90ba6e2c730519df

  • SHA1

    a231b7fc6fd2ac37f29d0c20531dba861fc3afa9

  • SHA256

    079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04

  • SHA512

    3ba2dd278cf8e6b91c8b44839e37bb47f64262de2d42341711acfa0e790491690c965cac9d39de9c76105004dfa0dee34f391ff0d01097f8bf262d94300e78f1

  • SSDEEP

    49152:/gceKimpc/OM9yeF/WRG+jFvmpQtySk5kf:/gpKBp6O8yeFIG+jVaH

Malware Config

Extracted Credentials (61 entries; every entry is protocol ftp on port 21)

Host                      Username                          Password
origo.at                  wurli1@origo.at                   c.petruzelka
orunge.com                muximmuxim@orunge.com             muximmuxim
jagen.com.au              getadogupya@jagen.com.au          lawrence
tahiliani.com             want2ski@tahiliani.com            drarick
middleages.hu             wsparci@middleages.hu             shackallor
christine.fr              mom107@christine.fr               goose4me
middleages.hu             wsparci                           shackallor
orunge.com                admin                             muximmuxim
mailgate.tahiliani.com    admin                             drarick
ftp.matferbourgeat.com    nraynaud@matferbourgeat.com       tiger07
ftp.auto-france.com.pl    postmaster@auto-france.com.pl     rynisihi
ftp.orunge.com            muximmuxim@orunge.com             muximmuxim
ftp.matferbourgeat.com    admin                             tiger07
ftp.tahiliani.com         want2ski@tahiliani.com            drarick
ftp.tahiliani.com         want2ski                          drarick
ssh.orunge.com            muximmuxim                        muximmuxim
ftp.matferbourgeat.com    matferbourgeat                    tiger07
ftp.auto-france.com.pl    admin                             (no password extracted)
relay.tahiliani.com       tahiliani                         drarick
ssh.orunge.com            orunge                            muximmuxim
knapec.sk                 apoyo@knapec.sk                   Lc9AJY6u
charvolin.com             240994@charvolin.com              charvolin
dance-or-die.de           webmaster000@dance-or-die.de      amadeus66
dance-or-die.de           dance-or-die                      amadeus66
ftp.ipc-v.de              m.boehme@ipc-v.de                 seraphis1798
ftp.gm-eventwerbung.de    iiinkuuff2@gm-eventwerbung.de     utersum
ftp.ipc-v.de              m.boehme                          seraphis1798
ftp.ipc-v.de              admin                             seraphis1798
ftp.gm-eventwerbung.de    admin                             utersum
ftp.ipc-v.de              ipc-v                             seraphis1798
ftp.gm-eventwerbung.de    gm-eventwerbung                   utersum
cbpbenefits.com           regall28@cbpbenefits.com          bwunderer
cbpbenefits.com           regall28                          bwunderer
cbpbenefits.com           admin                             bwunderer
cbpbenefits.com           cbpbenefits                       bwunderer
gemmersdoerfer.de         postmaster@gemmersdoerfer.de      ge211081
gemmersdoerfer.de         postmaster                        ge211081
gemmersdoerfer.de         admin                             ge211081
gemmersdoerfer.de         gemmersdoerfer                    ge211081
i3s.co.za                 i3ssecurity@i3s.co.za             employment
mail.i3s.co.za            i3ssecurity                       employment
ftp.rvit.co.uk            apoyo@rvit.co.uk                  5y588r45
mail.rvit.co.uk           apoyo                             5y588r45
mail.rvit.co.uk           admin                             5y588r45
mail.rvit.co.uk           rvit                              5y588r45
ftp.super-teneriffa.de    pw859114@super-teneriffa.de       super-teneriffa.de
ftp.super-teneriffa.de    pw859114                          super-teneriffa.de
ftp.super-teneriffa.de    admin                             super-teneriffa.de
ftp.super-teneriffa.de    super-teneriffa                   super-teneriffa.de
ftp.winchenbach.net       admin@winchenbach.net             my5p4c3
ftp.winchenbach.net       admin                             my5p4c3
cafekunterbunt.de         kunterbunt80@cafekunterbunt.de    torrox1
cafekunterbunt.de         kunterbunt80                      torrox1
cafekunterbunt.de         admin                             torrox1
cafekunterbunt.de         cafekunterbunt                    torrox1
ftp.winchenbach.net       winchenbach                       my5p4c3
ftp.vitogaz.ma            admin@vitogaz.ma                  jagojeqo
ftp.vitogaz.ma            admin                             jagojeqo
ftp.vitogaz.ma            vitogaz                           jagojeqo
pithers.eu                simon@pithers.eu                  Benson$
pithers.eu                simon                             Benson$
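
The extracted credentials repeat a pattern worth making explicit before hunting on them: for one password the list carries the full mailbox address, its local part, a bare admin, and a label taken from the domain, listed against the domain itself and its ftp., mail., ssh. or relay. hosts. The script below is an added example, not part of the sandbox report, that parses the report's own bullet layout into records, groups them by password so those username variants are visible, and emits host:port pairs to search for in FTP server and egress logs. SAMPLE is a three-entry excerpt of the page's entries embedded as constructed text; one of them has no password, as on the page, and is kept with password None rather than guessed.

```python
# Parse the sandbox's "Extracted / Credentials" blocks into records, summarise
# how each password is reused across username variants, and emit a hunt list.
# Added example; SAMPLE is an excerpt of the page's entries, embedded as text.
import re
from collections import defaultdict

SAMPLE = """\
Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    tahiliani.com
  • Port:
    21
  • Username:
    want2ski@tahiliani.com
  • Password:
    drarick

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    relay.tahiliani.com
  • Port:
    21
  • Username:
    tahiliani
  • Password:
    drarick

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.auto-france.com.pl
  • Port:
    21
  • Username:
    admin
"""

# A label and its value on the very next line; a label followed by a blank
# line (an entry with no value) deliberately does not match.
FIELD_RE = re.compile(r"•[ \t]*(\w+):[ \t]*\n[ \t]*(\S+)")


def parse_credentials(text: str) -> list[dict]:
    records = []
    for chunk in re.split(r"^Extracted[ \t]*$", text, flags=re.M):
        f = {k.lower(): v for k, v in FIELD_RE.findall(chunk)}
        if "host" in f:  # skips the text before the first block
            records.append({"protocol": f.get("protocol"), "host": f["host"],
                            "port": int(f["port"]) if "port" in f else None,
                            "username": f.get("username"),
                            "password": f.get("password")})  # None if absent
    return records


# How a username was derived: full mailbox, its local part, bare admin, or a label of the host.
def _variant(username: str, host: str, local_parts: set[str]) -> str:
    if "@" in username:
        return "mailbox"
    if username == "admin":
        return "admin"
    if username in local_parts:
        return "local-part"
    if username in host.split("."):
        return "domain-label"
    return "other"


def summarize_by_password(records: list[dict]) -> dict:
    groups = defaultdict(list)
    for r in records:
        groups[r["password"]].append(r)
    summary = {}
    for password, group in groups.items():
        local_parts = {r["username"].split("@")[0] for r in group if "@" in r["username"]}
        summary[password] = {
            "hosts": sorted({r["host"] for r in group}),
            "variants": sorted({_variant(r["username"], r["host"], local_parts) for r in group}),
        }
    return summary


def hunt_targets(records: list[dict]) -> list[str]:
    """host:port pairs to search for in FTP server and egress logs."""
    return sorted({f'{r["host"]}:{r["port"]}' for r in records})
```

Run on the full page the password groups line up with the hosts the sample was given, which is the list to take to the FTP operators and to proxy or NetFlow data; the no-password entry still yields a host to check.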

Targets

    • Target

      079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04

    • Contacts a large number (762) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Adds Run key to start application

      The sample writes a Registry Run key so that it is launched again at logon.

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Suspicious use of SetThreadContext
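
The "UPX packed file" signature rests on the packer's layout: UPX0 is empty on disk but reserves the unpacked image in memory, and UPX1 holds the compressed body, so its bytes look close to random. The script below is an added example, not the sandbox's detector, that parses a PE section table with the standard library and reports those indicators. It runs on minimal PE images it builds itself (a stock UPX layout, the same layout with section names blanked as a modified UPX would have them, and an unpacked layout); it does not operate on the sample from this page.

```python
# Heuristic behind the "UPX packed file" signature: read the PE section table
# with the standard library and look for UPX section names, the UPX0 section
# that is empty on disk but large in memory, and a high-entropy data section.
# Added example, not the sandbox's detector; the images checked are minimal
# PE headers constructed below, not the sample on this page.
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> list[dict]:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "data": image[rptr:rptr + rsize]})
    return sections


def upx_indicators(image: bytes) -> dict:
    secs = pe_sections(image)
    upx_names = [s["name"] for s in secs if s["name"].startswith("UPX")]
    # UPX0 holds the unpacked image at run time: zero raw size, large virtual size.
    empty_on_disk = [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000]
    # UPX1 holds the compressed payload plus the stub: near-random bytes.
    high_entropy = [s["name"] for s in secs if s["raw_size"] >= 1024 and shannon_entropy(s["data"]) > 7.0]
    if upx_names:
        verdict = "upx"
    elif empty_on_disk and high_entropy:
        verdict = "packed-layout"  # UPX layout with renamed sections, or another packer
    else:
        verdict = "no-packer-indicators"
    return {"upx_names": upx_names, "empty_on_disk": empty_on_disk,
            "high_entropy": high_entropy, "verdict": verdict}


def build_image(specs: list[tuple[bytes, int, bytes]]) -> bytes:
    """Constructed fixture: MZ stub, PE signature, COFF header with no optional
    header, then (name, VirtualSize, raw data) sections at 0x200 file alignment."""
    e_lfanew = 0x40
    first_raw = raw_ptr = (e_lfanew + 24 + 40 * len(specs) + 0x1FF) & ~0x1FF
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, data in specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    image = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0x102)
    image += table
    return image + b"\0" * (first_raw - len(image)) + body


_rng = random.Random(0x5EED)  # deterministic stand-in for compressed bytes
PACKED = build_image([(b"UPX0", 0x20000, b""),
                      (b"UPX1", 0x1000, _rng.randbytes(0x1000)),
                      (b".rsrc", 0x200, b"\0" * 0x200)])
RENAMED = build_image([(b"", 0x20000, b""),  # modified UPX: section names blanked
                       (b".text", 0x1000, _rng.randbytes(0x1000))])
PLAIN = build_image([(b".text", 0x1000, b"\x90" * 0x1000),
                     (b".data", 0x200, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, upx_indicators(img))
```

A packed-layout verdict is only a hint: any packer or an encrypted overlay produces high entropy, so confirm by unpacking (upx -d succeeds only on unmodified UPX) or by dumping the process once the stub has finished, which is also where the credential list and the Run-key write become visible.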

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            ID          Count
Persistence           Boot or Logon Autostart Execution    T1547       1
                      Registry Run Keys / Startup Folder   T1547.001   1
Privilege Escalation  Boot or Logon Autostart Execution    T1547       1
                      Registry Run Keys / Startup Folder   T1547.001   1
Defense Evasion       Modify Registry                      T1112       1
Discovery             Network Service Discovery            T1046       2
                      System Information Discovery         T1082       1
