Resubmissions
Analysis ID / Score / Date
241128-cr9sks1kht / 10 / 28-11-2024 02:19
241127-zyzyaawqgn / 10 / 27-11-2024 21:08
241127-y145caymbs / 10 / 27-11-2024 20:16
241127-yzlxdavlen / 10 / 27-11-2024 20:13
241127-yl61dsxpcs / 10 / 27-11-2024 19:53
241127-ycrjcaxkfx / 10 / 27-11-2024 19:38
241127-xqsswsslej / 10 / 27-11-2024 19:03
241127-xqf44aslcr / 3 / 27-11-2024 19:03
241127-xpxqfsslan / 3 / 27-11-2024 19:02
241127-w6pkqs1mek / 10 / 27-11-2024 18:32
General
Target: Downloaders.zip
Size: 12KB
Sample: 240509-b51w6aeb68
MD5: 94fe78dc42e3403d06477f995770733c
SHA1: ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256: 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512: add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP: 384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Static task: static1
Behavioral task: behavioral1 - Sample: 4363463463464363463463463.exe - Resource: win10v2004-20240508-en
Behavioral task: behavioral2 - Sample: 4363463463464363463463463.exe - Resource: win11-20240426-en
Behavioral task: behavioral3 - Sample: New Text Document mod.exe - Resource: win10v2004-20240508-en
Behavioral task: behavioral4 - Sample: New Text Document mod.exe - Resource: win11-20240508-en
Behavioral task: behavioral5 - Sample: New Text Document mod.exe - Resource: win10v2004-20240226-en
Behavioral task: behavioral6 - Sample: New Text Document mod.exe - Resource: win11-20240426-en
Malware Config
Extracted
amadey
4.18
http://185.172.128.3
-
install_dir
One_Dragon_Center
-
install_file
MSI.CentralServer.exe
-
strings_key
fd2f5851d3165c210396dcbe9930d294
-
url_paths
/QajE3OBS/index.php
Extracted
agenttesla
Protocol: smtp - Host: mail.kino2.top - Port: 587 - Username: [email protected] - Password: ]]KMGj9lIqJ# - Email To: [email protected]
Extracted
Protocol: ftp - Host: tff.hu - Port: 21 - Username: [email protected] - Password: domschitz.matyas
Extracted
Protocol: ftp - Host: bodenonline.eu - Port: 21 - Username: [email protected] - Password: andreas
Extracted
Protocol: ftp - Host: superwomen.de - Port: 21 - Username: [email protected] - Password: donvito14
Extracted
Protocol: ftp - Host: 4herself.com - Port: 21 - Username: [email protected] - Password: kut02?hi
Extracted
Protocol: ftp - Host: 4herself.com - Port: 21 - Username: admin - Password: kut02?hi
Extracted
Protocol: ftp - Host: 4herself.com - Port: 21 - Username: 4herself - Password: kut02?hi
Extracted
Protocol: ftp - Host: andrea-sat.it - Port: 21 - Username: [email protected] - Password: infoasat
Extracted
Protocol: ftp - Host: mikus.org - Port: 21 - Username: [email protected] - Password: mertesucker
Extracted
Protocol: ftp - Host: blachura.com - Port: 21 - Username: [email protected] - Password: kam123456
Extracted
Protocol: ftp - Host: mikus.org - Port: 21 - Username: gisbert - Password: mertesucker
Extracted
Protocol: ftp - Host: blachura.com - Port: 21 - Username: kamil - Password: kam123456
Extracted
Protocol: ftp - Host: mikus.org - Port: 21 - Username: admin - Password: mertesucker
Extracted
Protocol: ftp - Host: andrea-sat.it - Port: 21 - Username: andrea - Password: infoasat
Extracted
Protocol: ftp - Host: mikus.org - Port: 21 - Username: mikus - Password: mertesucker
Extracted
Protocol: ftp - Host: blachura.com - Port: 21 - Username: admin - Password: kam123456
Extracted
Protocol: ftp - Host: andrea-sat.it - Port: 21 - Username: admin - Password: infoasat
Extracted
Protocol: ftp - Host: blachura.com - Port: 21 - Username: blachura - Password: kam123456
Extracted
Protocol: ftp - Host: twin-set.es - Port: 21 - Username: [email protected] - Password: millymilly
Extracted
Protocol: ftp - Host: twin-set.es - Port: 21 - Username: milena.righetti - Password: millymilly
Extracted
Protocol: ftp - Host: andrea-sat.it - Port: 21 - Username: andrea-sat - Password: infoasat
Extracted
Protocol: ftp - Host: twin-set.es - Port: 21 - Username: admin - Password: millymilly
Extracted
Protocol: ftp - Host: twin-set.es - Port: 21 - Username: twin-set - Password: millymilly
Extracted
Protocol: ftp - Host: ftp.mikus.org - Port: 21 - Username: [email protected] - Password: mertesucker
Extracted
Protocol: ftp - Host: ftp.mikus.org - Port: 21 - Username: gisbert - Password: mertesucker
Extracted
Protocol: ftp - Host: ftp.mikus.org - Port: 21 - Username: admin - Password: mertesucker
Extracted
Protocol: ftp - Host: ftp.mikus.org - Port: 21 - Username: mikus - Password: mertesucker
Extracted
Protocol: ftp - Host: ftp.twin-set.es - Port: 21 - Username: [email protected] - Password: millymilly
Extracted
Protocol: ftp - Host: ftp.twin-set.es - Port: 21 - Username: milena.righetti - Password: millymilly
Extracted
Protocol: ftp - Host: ftp.twin-set.es - Port: 21 - Username: admin - Password: millymilly
Extracted
Protocol: ftp - Host: ftp.twin-set.es - Port: 21 - Username: twin-set - Password: millymilly
Extracted
Protocol: ftp - Host: 66.96.133.1 - Port: 21 - Username: wiebes - Password: ,"mel123"
Extracted
Protocol: ftp - Host: ftp.c9n.com - Port: 21 - Username: [email protected] - Password: sbandes
Extracted
Protocol: ftp - Host: ftp.c9n.com - Port: 21 - Username: 8lacksam - Password: sbandes
Extracted
Protocol: ftp - Host: ftp.c9n.com - Port: 21 - Username: admin - Password: sbandes
Extracted
Protocol: ftp - Host: ftp.c9n.com - Port: 21 - Username: c9n - Password: sbandes
Extracted
Protocol: ftp - Host: ftp.caradoc.co.uk - Port: 21 - Username: [email protected] - Password: chrisharris
Extracted
Protocol: ftp - Host: ftp.caradoc.co.uk - Port: 21 - Username: 20kcirtapll - Password: chrisharris
Extracted
Protocol: ftp - Host: ftp.caradoc.co.uk - Port: 21 - Username: admin - Password: chrisharris
Extracted
Protocol: ftp - Host: ftp.caradoc.co.uk - Port: 21 - Username: caradoc - Password: chrisharris
Extracted
Protocol: ftp - Host: grupobeta.com.mx - Port: 21 - Username: [email protected] - Password: fmoralesm
Extracted
Protocol: ftp - Host: grupobeta.com.mx - Port: 21 - Username: 811026 - Password: fmoralesm
Extracted
Protocol: ftp - Host: grupobeta.com.mx - Port: 21 - Username: admin - Password: fmoralesm
Extracted
Protocol: ftp - Host: grupobeta.com.mx - Port: 21 - Username: grupobeta - Password: fmoralesm
Extracted
redline
siski
168.119.242.255:7742
Extracted
xworm
209.145.51.44:7000
iLWUbOJf8Atlquud
-
install_file
USB.exe
Extracted
risepro
147.45.47.126:58709
Extracted
remcos
RemoteHost
107.173.4.16:2560
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-KDW6BI
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
- startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
asyncrat
0.5.8
Default
NvCHbLc8lsi9
-
delay
3
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.ai/raw/o87oy6ywss
Extracted
redline
7001210066
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
5637482599
https://pastebin.com/raw/NgsUAPya
Extracted
redline
5345987420
https://pastebin.com/raw/KE5Mft0T
Extracted
lumma
https://whispedwoodmoodsksl.shop/api
https://acceptabledcooeprs.shop/api
https://obsceneclassyjuwks.shop/api
https://zippyfinickysofwps.shop/api
https://miniaturefinerninewjs.shop/api
https://plaintediousidowsko.shop/api
https://sweetsquarediaslw.shop/api
https://holicisticscrarws.shop/api
https://boredimperissvieos.shop/api
Extracted
socks5systemz
http://bdlbeqm.com/search/?q=67e28dd86c08f72b460daf4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978a271ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffa13c1e6979932
http://bmhoajx.com/search/?q=67e28dd83a09fa2d165cad4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978a571ea771795af8e05c645db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffa13c1e697993a
http://ayrbsxi.ru/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffa13c1e6969939
http://ayrbsxi.ru/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12eab517aa5c96bd86eb978f45805a8bbc896c58e713bc90c91936b5281fc235a925ed3e01d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee90983ac46c9514
http://aqtevem.ru/search/?q=67e28dd8655ba77a135ffe187c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978a571ea771795af8e05c645db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffa13c1e6979933
http://aqtevem.ru/search/?q=67e28dd8655ba77a135ffe187c27d78406abdd88be4b12eab517aa5c96bd86ec90864e845a8bbc896c58e713bc90c91d36b5281fc235a925ed3e06d6bd974a95129070b616e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee90983ac46d951e
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Blackmoon payload
-
Detect Xworm Payload
-
Detect ZGRat V1
-
Detects HijackLoader (aka IDAT Loader)
-
Modifies WinLogon for persistence
-
Modifies security service
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SectopRAT payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Contacts a large (781) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Sets file execution options in registry
-
Sets service image path in registry
-
.NET Reactor protector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Detect Blackmoon payload
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Sets file execution options in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exse
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Detect Blackmoon payload
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Sets file execution options in registry
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence: Boot or Logon Autostart Execution (4), Registry Run Keys / Startup Folder (3), Winlogon Helper DLL (1), Create or Modify System Process (1), Windows Service (1), Pre-OS Boot (1), Bootkit (1), Scheduled Task/Job (1)
Privilege Escalation: Abuse Elevation Control Mechanism (1), Bypass User Account Control (1), Boot or Logon Autostart Execution (4), Registry Run Keys / Startup Folder (3), Winlogon Helper DLL (1), Create or Modify System Process (1), Windows Service (1), Scheduled Task/Job (1)
Defense Evasion: Abuse Elevation Control Mechanism (1), Bypass User Account Control (1), Impair Defenses (3), Disable or Modify Tools (3), Modify Registry (11), Pre-OS Boot (1), Bootkit (1), Subvert Trust Controls (1), Install Root Certificate (1), Virtualization/Sandbox Evasion (1)
Credential Access: Unsecured Credentials (5), Credentials In Files (4), Credentials in Registry (1)