General

  • Target

    2024-05-07-11.zip

  • Size

    56.8MB

  • Sample

    240507-rbgt7ada93

  • MD5

    018453293158a2cf6478e232de7eed1f

  • SHA1

    acf56164d4f832e95f7a04c1a37b100bfa381000

  • SHA256

    95e217da4c184170c705e9ef317b5d8333713f4f91435d0964e0e2cea03100ab

  • SHA512

    deb6e643ea7695db4426461c4c8f18f39d51ab76fcd1a8f5cfe083f20fc4d40c8891298f7539d2da7c036464e9b2800fc6b61774c22b11919df06f352e7fe5d7

  • SSDEEP

    786432:zVRQwWqfh2RrVmEnMqb+DE7N0uAg8MztpGi7zzPahDyduAqHujEQq:zXQV8qbt7yLg8qtp7zPQ0IHke

Malware Config

Extracted

Family

socks5systemz

C2

http://ccskvzm.net/search/?q=67e28dd83955a42b4006aa1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978f671ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a628ef610c1e990

http://ccskvzm.net/search/?q=67e28dd83955a42b4006aa1b7c27d78406abdd88be4b12eab517aa5c96bd86e99d874f865a8bbc896c58e713bc90c91b36b5281fc235a925ed3e55d6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c5ef9c9b3acb6a

http://betddnp.com/search/?q=67e28dd8650ba020110ffe1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4be8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffa11c9ee949d3b

Extracted

Family

risepro

C2

147.45.47.126:58709

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/

Targets

    • Target

      01d63645f4c648e12fa693ecc9a926eda29ca031c5d067c687ee65cab67e74e3.exe

    • Size

      2.3MB

    • MD5

      d9615368a7ba5bb0c15e398f4097dc1f

    • SHA1

      bc747bc86fed777358b2c71a8ea95f7ccbf3e5a4

    • SHA256

      01d63645f4c648e12fa693ecc9a926eda29ca031c5d067c687ee65cab67e74e3

    • SHA512

      1b592a7a2034f881b86e7103c4fde9aed0a2095ee6e28bc61a7ff454c9ae0716a95b43785497a627e3cc66cccb6b338f4e832acdd69b0fdddb2c88f05aa73cd3

    • SSDEEP

      49152:xTs9zpYo556eURBCDd/BP1+zX3ympAGBnEl6U8/j/SIGzgnUjQ58IkUC4:x49SoqrRBClh1+znnBd77lPO

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe

    • Size

      615KB

    • MD5

      174dcf32138060240e094f9faefecfc5

    • SHA1

      0b271c152cfda5ba57273967d8729f9cd755aa12

    • SHA256

      14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e

    • SHA512

      f63c8bae8020d359f61e7d09af25ae5cace4225fcaf492518ad64ce87886eb29aba27122a2dfbfe330d0b344e974215daf0f9e698cf2c2f621a804f5fa68874a

    • SSDEEP

      12288:/XWG6OT+LTOaWT9N4XhgggCwulapByjZhO838sSuEloIkxFA:/XWsTmWT9N4xgghblapB2hz8sSuEoIz

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      TNT Original Invoice.exe

    • Size

      750KB

    • MD5

      1354b73c2f0f2a6a9cd4e5708a3d20c0

    • SHA1

      b450dc0d878cd80fe4ab8f8692a0ccbc2add52bf

    • SHA256

      e0c8b02870ad1dbca34a9167a4ed5316e8a3cba0d0872e48ee2f77642c1b70a5

    • SHA512

      062545776dcf29d5c90ecf8721b7df78373cc05fa599dd634a01262b0a7dff676c5b5ed3f9420e5fbe5f28190ccb13ef1ab7ebc7e56b30c20186750860e60215

    • SSDEEP

      12288:2hB2iNT/SHh92i5DIKYPWgMfX1v2aBWi1pJSx+BbcMc1QZt/V3E5C:2L1cHhxIKYPWgi1PcK6IB+QZt/Fj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      402ff605d7f23f20e253e13b8cb1eb7b5b763a00311deba3cf13c9646ae1f397.exe

    • Size

      2.2MB

    • MD5

      6c6a6136030cabb7f08e8d2df789cbc2

    • SHA1

      b55dbf0e29bfd61ec9092f62420f9c08275974b9

    • SHA256

      402ff605d7f23f20e253e13b8cb1eb7b5b763a00311deba3cf13c9646ae1f397

    • SHA512

      afeca3d130e1af378faac023718b03ba5d45b8a5307b4b0f2b8081ffe8b85f95b7201f3932bfc9e9c05519ef6ccd64a79e34de9e5cd8f775fee126baeb61877a

    • SSDEEP

      49152:KHlAEi8etVYMUgCHhvcULUuNLP31VmRLVSQE2sCpdN:KHlJWYMfCHt4uVlVkICpdN

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Target

      4d0dfae91fed3f9273356eae54dae047b51e374034fd7e8c1e50066c24add6bf.exe

    • Size

      9.6MB

    • MD5

      5a0e99253f0367160afa2f036f123104

    • SHA1

      841579a218e2a2941562c30cec8d4722e64a05ee

    • SHA256

      4d0dfae91fed3f9273356eae54dae047b51e374034fd7e8c1e50066c24add6bf

    • SHA512

      94912f9061c1420a6a81ffd0aafa45b6ac72c4c73436da8b7d9c5a1b2852fd2dded8f9d3b1f2a73fe5cba7a77678bbd99fecf71345d887ecb21799a5063da5b8

    • SSDEEP

      196608:hyR5qLC403UTW/IRPtyFORoC0Csqc3viL9mS2xKnof5hF7u0Jp2sDo:hyR5qmAvdtyFSBTUS2xtXF7uTsM

    • Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      5401a3332d6bf674b3a25eb23745edd09f943284aa4448f9eb6c53620027f28e.exe

    • Size

      5.0MB

    • MD5

      f53c43c9227024edbc439ecf566fda66

    • SHA1

      370fc3669327ae052eef8a2d06c20fbc9936d544

    • SHA256

      5401a3332d6bf674b3a25eb23745edd09f943284aa4448f9eb6c53620027f28e

    • SHA512

      7d9e9e16585208ee8f94b59f57fedaa450169305821d5fc18c74eb5b1b8283706ffa6ecb53fe31aefc381e47f24108de844eb1f82ae05f2e5ae420ac9ed42d8a

    • SSDEEP

      98304:+1OLumpHt8vXrNIatgG/aOa8sreegz/tSzzF0w9pJ9Bv+r7MCaNpPd1ZDlBx:pLnx8X+aS87hsg/tSzz6w/Bv+r7ho3X1

    • Detect Socks5Systemz Payload

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Autoit3.exe

    • Size

      872KB

    • MD5

      c56b5f0201a3b3de53e561fe76912bfd

    • SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

    • SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    • SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • SSDEEP

      12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

    • Score

      3/10

    • Target

      6cfe745f03252b83604bf8159f4100e402af25444247e697165c96e2e12f58d2.exe

    • Size

      1.2MB

    • MD5

      3963e3d1ecc64e895451d9e243f10862

    • SHA1

      775f9c86b3b5ba45064f89c10775120da8deabb7

    • SHA256

      6cfe745f03252b83604bf8159f4100e402af25444247e697165c96e2e12f58d2

    • SHA512

      3552db20ac0013f647384383016e2eb49f28525848b5a5ab9609a8f0e88f26b8c5b6c47e9558619b54d697e956bf1880793b13f011caab7aeffa095ec7fc9d14

    • SSDEEP

      24576:rInyjugojpIaaHZn/HNTlL6lo4+ebE88T4SwrVO72:rqq2m7NK+3Tnk

    • Score

      10/10

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      90f19e1a7843dbee63856899da664d073c2b8fadd0cad368e623d5f7426ba5ef.exe

    • Size

      9.0MB

    • MD5

      ae5ffe6a64aef13c2712f073032b0806

    • SHA1

      6285497d8786742cca307bcf6958ecb01f439f42

    • SHA256

      90f19e1a7843dbee63856899da664d073c2b8fadd0cad368e623d5f7426ba5ef

    • SHA512

      81573d0c93538750d89daef81de1370441c48927620e2569ff038917d968b5760e9db68733a4f82d679c7832781c75cace285d6047e5947a5120f9a87ec14590

    • SSDEEP

      196608:gAeiSGnXc86iAD/0LUcEhNLbdubxaUTE8pUcXc1uVzb9:gn8nXc8WD/0LS6LVvzp

    • Score

      7/10

    • Loads dropped DLL

    • Target

      a3eeef65c42890fd372bc7c627b36d2b9d54a909b809663e0f0392fa34766794.xlsx

    • Size

      51KB

    • MD5

      a30b624fcf50d488e0c251e14c838c19

    • SHA1

      d15e6e8cb2fa067141a8f7f11bef9ee3167c3cca

    • SHA256

      a3eeef65c42890fd372bc7c627b36d2b9d54a909b809663e0f0392fa34766794

    • SHA512

      5d0bf22a204529fd13ae63d96a66391e0d8da4ff1d3cfd12125aeb35226b42a9854eb2f7b43ffecbd7a0dff37c793d620aa3dda8ba43d9ab8608247f09708a14

    • SSDEEP

      1536:YYZDHgM8v42wkYq84lKL7IAnA4xCQH140t:YYZcMetF8T7IAA4xprt

    • Score

      1/10

    • Target

      a71829e150536a415790ed3f8897daab1da879adef2366f75ec939ec0e749de5.exe

    • Size

      27.8MB

    • MD5

      3033425fb3445b47e770de064fcde43d

    • SHA1

      2edc8cbb59cc8f061cb6e1c8a849c5c6baf2a7da

    • SHA256

      a71829e150536a415790ed3f8897daab1da879adef2366f75ec939ec0e749de5

    • SHA512

      ee0562e8371c45311fc9f1f1a7885b2803924d089ac9d24afe6b94531454b2fab882ba8b4502d57142a37ceb7f3d84abde4b56f3dae762c49308d9a6c06b179a

    • SSDEEP

      393216:/vJoxhhz/JHFA6TGzSV9J1kMpazsLr8wm43WOzw02mgBe0xh7n9Ww//oBx/QUSoZ:/vJoxhJ53KzSjsYV3NzAnrAX/QG

    • Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      db58eb77136d0a35453f949a25df9a2e0d344b389a136f966a1ec2c3c09ef2c4.exe

    • Size

      3.7MB

    • MD5

      39e94318d7c3f194abcbbbd0aa08430c

    • SHA1

      752c149fa64cfe7f3959aa6f03df22ac6e2b1b39

    • SHA256

      db58eb77136d0a35453f949a25df9a2e0d344b389a136f966a1ec2c3c09ef2c4

    • SHA512

      47e6d3a28b76cc1ed8f15ad04c86a49c022bd2cf4e87485afef5ae92e440943dc1de81da71bab070d516b2fec47465c43de8b6d4ccd4fda38462ba0c5cda1d18

    • SSDEEP

      98304:+t4fr5joIbcLGaUEPGYnUJT0mE265nld1Z4:c4T5j6GagCZZHX4

    • Detect Socks5Systemz Payload

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks

  • static1

    themida, rat, dcrat
    Score: 10/10

  • behavioral1

    collection, discovery, evasion, persistence, spyware, stealer
    Score: 9/10

  • behavioral2

    risepro, evasion, stealer
    Score: 10/10

  • behavioral3

    guloader, downloader, execution, persistence
    Score: 10/10

  • behavioral4

    execution
    Score: 8/10

  • behavioral5

    agenttesla, execution, keylogger, spyware, stealer, trojan
    Score: 10/10

  • behavioral6

    agenttesla, execution, keylogger, spyware, stealer, trojan
    Score: 10/10

  • behavioral7

    risepro, evasion, stealer, themida, trojan
    Score: 10/10

  • behavioral8

    risepro, evasion, stealer, themida, trojan
    Score: 10/10

  • behavioral9

    Score: 7/10

  • behavioral10

    Score: 7/10

  • behavioral11

    socks5systemz, botnet, discovery
    Score: 10/10

  • behavioral12

    socks5systemz, botnet, discovery
    Score: 10/10

  • behavioral13

    Score: 3/10

  • behavioral14

    Score: 3/10

  • behavioral15

    dcrat, infostealer, rat
    Score: 10/10

  • behavioral16

    dcrat, infostealer, rat
    Score: 10/10

  • behavioral17

    Score: 7/10

  • behavioral18

    Score: 1/10

  • behavioral19

    Score: 1/10

  • behavioral20

    Score: 1/10

  • behavioral21

    Score: 7/10

  • behavioral22

    Score: 7/10

  • behavioral23

    socks5systemz, botnet, discovery
    Score: 10/10

  • behavioral24

    discovery
    Score: 7/10