General
-
Target
2024-05-07-11.zip
-
Size
56.8MB
-
Sample
240507-rbgt7ada93
-
MD5
018453293158a2cf6478e232de7eed1f
-
SHA1
acf56164d4f832e95f7a04c1a37b100bfa381000
-
SHA256
95e217da4c184170c705e9ef317b5d8333713f4f91435d0964e0e2cea03100ab
-
SHA512
deb6e643ea7695db4426461c4c8f18f39d51ab76fcd1a8f5cfe083f20fc4d40c8891298f7539d2da7c036464e9b2800fc6b61774c22b11919df06f352e7fe5d7
-
SSDEEP
786432:zVRQwWqfh2RrVmEnMqb+DE7N0uAg8MztpGi7zzPahDyduAqHujEQq:zXQV8qbt7yLg8qtp7zPQ0IHke
Malware Config
Extracted
socks5systemz
http://ccskvzm.net/search/?q=67e28dd83955a42b4006aa1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978f671ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a628ef610c1e990
http://ccskvzm.net/search/?q=67e28dd83955a42b4006aa1b7c27d78406abdd88be4b12eab517aa5c96bd86e99d874f865a8bbc896c58e713bc90c91b36b5281fc235a925ed3e55d6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c5ef9c9b3acb6a
http://betddnp.com/search/?q=67e28dd8650ba020110ffe1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4be8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffa11c9ee949d3b
Extracted
risepro
147.45.47.126:58709
Extracted
agenttesla
https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/
Targets
-
-
Target
01d63645f4c648e12fa693ecc9a926eda29ca031c5d067c687ee65cab67e74e3.exe
-
Size
2.3MB
-
MD5
d9615368a7ba5bb0c15e398f4097dc1f
-
SHA1
bc747bc86fed777358b2c71a8ea95f7ccbf3e5a4
-
SHA256
01d63645f4c648e12fa693ecc9a926eda29ca031c5d067c687ee65cab67e74e3
-
SHA512
1b592a7a2034f881b86e7103c4fde9aed0a2095ee6e28bc61a7ff454c9ae0716a95b43785497a627e3cc66cccb6b338f4e832acdd69b0fdddb2c88f05aa73cd3
-
SSDEEP
49152:xTs9zpYo556eURBCDd/BP1+zX3ympAGBnEl6U8/j/SIGzgnUjQ58IkUC4:x49SoqrRBClh1+znnBd77lPO
Score10/10-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe
-
Size
615KB
-
MD5
174dcf32138060240e094f9faefecfc5
-
SHA1
0b271c152cfda5ba57273967d8729f9cd755aa12
-
SHA256
14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e
-
SHA512
f63c8bae8020d359f61e7d09af25ae5cace4225fcaf492518ad64ce87886eb29aba27122a2dfbfe330d0b344e974215daf0f9e698cf2c2f621a804f5fa68874a
-
SSDEEP
12288:/XWG6OT+LTOaWT9N4XhgggCwulapByjZhO838sSuEloIkxFA:/XWsTmWT9N4xgghblapB2hz8sSuEoIz
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
TNT Original Invoice.exe
-
Size
750KB
-
MD5
1354b73c2f0f2a6a9cd4e5708a3d20c0
-
SHA1
b450dc0d878cd80fe4ab8f8692a0ccbc2add52bf
-
SHA256
e0c8b02870ad1dbca34a9167a4ed5316e8a3cba0d0872e48ee2f77642c1b70a5
-
SHA512
062545776dcf29d5c90ecf8721b7df78373cc05fa599dd634a01262b0a7dff676c5b5ed3f9420e5fbe5f28190ccb13ef1ab7ebc7e56b30c20186750860e60215
-
SSDEEP
12288:2hB2iNT/SHh92i5DIKYPWgMfX1v2aBWi1pJSx+BbcMc1QZt/V3E5C:2L1cHhxIKYPWgi1PcK6IB+QZt/Fj
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-
-
-
Target
402ff605d7f23f20e253e13b8cb1eb7b5b763a00311deba3cf13c9646ae1f397.exe
-
Size
2.2MB
-
MD5
6c6a6136030cabb7f08e8d2df789cbc2
-
SHA1
b55dbf0e29bfd61ec9092f62420f9c08275974b9
-
SHA256
402ff605d7f23f20e253e13b8cb1eb7b5b763a00311deba3cf13c9646ae1f397
-
SHA512
afeca3d130e1af378faac023718b03ba5d45b8a5307b4b0f2b8081ffe8b85f95b7201f3932bfc9e9c05519ef6ccd64a79e34de9e5cd8f775fee126baeb61877a
-
SSDEEP
49152:KHlAEi8etVYMUgCHhvcULUuNLP31VmRLVSQE2sCpdN:KHlJWYMfCHt4uVlVkICpdN
Score10/10-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
-
-
Target
4d0dfae91fed3f9273356eae54dae047b51e374034fd7e8c1e50066c24add6bf.exe
-
Size
9.6MB
-
MD5
5a0e99253f0367160afa2f036f123104
-
SHA1
841579a218e2a2941562c30cec8d4722e64a05ee
-
SHA256
4d0dfae91fed3f9273356eae54dae047b51e374034fd7e8c1e50066c24add6bf
-
SHA512
94912f9061c1420a6a81ffd0aafa45b6ac72c4c73436da8b7d9c5a1b2852fd2dded8f9d3b1f2a73fe5cba7a77678bbd99fecf71345d887ecb21799a5063da5b8
-
SSDEEP
196608:hyR5qLC403UTW/IRPtyFORoC0Csqc3viL9mS2xKnof5hF7u0Jp2sDo:hyR5qmAvdtyFSBTUS2xtXF7uTsM
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
5401a3332d6bf674b3a25eb23745edd09f943284aa4448f9eb6c53620027f28e.exe
-
Size
5.0MB
-
MD5
f53c43c9227024edbc439ecf566fda66
-
SHA1
370fc3669327ae052eef8a2d06c20fbc9936d544
-
SHA256
5401a3332d6bf674b3a25eb23745edd09f943284aa4448f9eb6c53620027f28e
-
SHA512
7d9e9e16585208ee8f94b59f57fedaa450169305821d5fc18c74eb5b1b8283706ffa6ecb53fe31aefc381e47f24108de844eb1f82ae05f2e5ae420ac9ed42d8a
-
SSDEEP
98304:+1OLumpHt8vXrNIatgG/aOa8sreegz/tSzzF0w9pJ9Bv+r7MCaNpPd1ZDlBx:pLnx8X+aS87hsg/tSzz6w/Bv+r7ho3X1
Score10/10-
Detect Socks5Systemz Payload
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
Autoit3.exe
-
Size
872KB
-
MD5
c56b5f0201a3b3de53e561fe76912bfd
-
SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417
-
SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
-
SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
SSDEEP
12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
Score3/10 -
-
-
Target
6cfe745f03252b83604bf8159f4100e402af25444247e697165c96e2e12f58d2.exe
-
Size
1.2MB
-
MD5
3963e3d1ecc64e895451d9e243f10862
-
SHA1
775f9c86b3b5ba45064f89c10775120da8deabb7
-
SHA256
6cfe745f03252b83604bf8159f4100e402af25444247e697165c96e2e12f58d2
-
SHA512
3552db20ac0013f647384383016e2eb49f28525848b5a5ab9609a8f0e88f26b8c5b6c47e9558619b54d697e956bf1880793b13f011caab7aeffa095ec7fc9d14
-
SSDEEP
24576:rInyjugojpIaaHZn/HNTlL6lo4+ebE88T4SwrVO72:rqq2m7NK+3Tnk
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
90f19e1a7843dbee63856899da664d073c2b8fadd0cad368e623d5f7426ba5ef.exe
-
Size
9.0MB
-
MD5
ae5ffe6a64aef13c2712f073032b0806
-
SHA1
6285497d8786742cca307bcf6958ecb01f439f42
-
SHA256
90f19e1a7843dbee63856899da664d073c2b8fadd0cad368e623d5f7426ba5ef
-
SHA512
81573d0c93538750d89daef81de1370441c48927620e2569ff038917d968b5760e9db68733a4f82d679c7832781c75cace285d6047e5947a5120f9a87ec14590
-
SSDEEP
196608:gAeiSGnXc86iAD/0LUcEhNLbdubxaUTE8pUcXc1uVzb9:gn8nXc8WD/0LS6LVvzp
Score7/10-
Loads dropped DLL
-
-
-
Target
a3eeef65c42890fd372bc7c627b36d2b9d54a909b809663e0f0392fa34766794.xlsx
-
Size
51KB
-
MD5
a30b624fcf50d488e0c251e14c838c19
-
SHA1
d15e6e8cb2fa067141a8f7f11bef9ee3167c3cca
-
SHA256
a3eeef65c42890fd372bc7c627b36d2b9d54a909b809663e0f0392fa34766794
-
SHA512
5d0bf22a204529fd13ae63d96a66391e0d8da4ff1d3cfd12125aeb35226b42a9854eb2f7b43ffecbd7a0dff37c793d620aa3dda8ba43d9ab8608247f09708a14
-
SSDEEP
1536:YYZDHgM8v42wkYq84lKL7IAnA4xCQH140t:YYZcMetF8T7IAA4xprt
Score1/10 -
-
-
Target
a71829e150536a415790ed3f8897daab1da879adef2366f75ec939ec0e749de5.exe
-
Size
27.8MB
-
MD5
3033425fb3445b47e770de064fcde43d
-
SHA1
2edc8cbb59cc8f061cb6e1c8a849c5c6baf2a7da
-
SHA256
a71829e150536a415790ed3f8897daab1da879adef2366f75ec939ec0e749de5
-
SHA512
ee0562e8371c45311fc9f1f1a7885b2803924d089ac9d24afe6b94531454b2fab882ba8b4502d57142a37ceb7f3d84abde4b56f3dae762c49308d9a6c06b179a
-
SSDEEP
393216:/vJoxhhz/JHFA6TGzSV9J1kMpazsLr8wm43WOzw02mgBe0xh7n9Ww//oBx/QUSoZ:/vJoxhJ53KzSjsYV3NzAnrAX/QG
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
db58eb77136d0a35453f949a25df9a2e0d344b389a136f966a1ec2c3c09ef2c4.exe
-
Size
3.7MB
-
MD5
39e94318d7c3f194abcbbbd0aa08430c
-
SHA1
752c149fa64cfe7f3959aa6f03df22ac6e2b1b39
-
SHA256
db58eb77136d0a35453f949a25df9a2e0d344b389a136f966a1ec2c3c09ef2c4
-
SHA512
47e6d3a28b76cc1ed8f15ad04c86a49c022bd2cf4e87485afef5ae92e440943dc1de81da71bab070d516b2fec47465c43de8b6d4ccd4fda38462ba0c5cda1d18
-
SSDEEP
98304:+t4fr5joIbcLGaUEPGYnUJT0mE265nld1Z4:c4T5j6GagCZZHX4
Score10/10-
Detect Socks5Systemz Payload
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
3Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
3Defense Evasion
Virtualization/Sandbox Evasion
3Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
6Credentials In Files
5Credentials in Registry
1