Overview

overview

10

Static

static

3

AdyenCC.exe

windows10-2004-x64

10

⠨/start.vbs

windows10-2004-x64

⠨/temp.bat

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    AdyenCC.exe

  • Size

    273KB

  • Sample

    240512-b7htcsdf87

  • MD5

    981009b1dda38bdd2d025e809ab90bb0

  • SHA1

    9d48eb4e3a4ebe40a40a2484fb95bb05794c8643

  • SHA256

    a83dd4e909952c0888c41722b8f562c81003b495184b7a8201dd23eab1860486

  • SHA512

    e5a74d0a9e39718183676dfeb6c73d56b2f4efd5665b4e4ebb6d4a4a62346c04ab1687934e52a5a274d02f32a820696abd93fd58b3d1acb476783b0789386f98

  • SSDEEP

    3072:bfi3k+oWDBDh1duENb5ahEpaGJxsN+ArxMJd8oGGObFAYXt0mDIh9Lt:bfL+oqF5ahWaMPAwRGzia0h9Lt

Score
10/10
asyncratneshtastealeriumxmrigzgratnewcollectionevasionexecutionminerpersistenceratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

new

C2

51.195.211.231:1337

Mutex

WvNwgVZuZq18

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1225875767368486942/5c4OGPahFFqxsBAEOsOsI277xzRXCuuEgfvT3PZsylVCde5eKsEwgW3b48i3aoV2ey6D

Targets

    • Target

      AdyenCC.exe

    • Size

      273KB

    • MD5

      981009b1dda38bdd2d025e809ab90bb0

    • SHA1

      9d48eb4e3a4ebe40a40a2484fb95bb05794c8643

    • SHA256

      a83dd4e909952c0888c41722b8f562c81003b495184b7a8201dd23eab1860486

    • SHA512

      e5a74d0a9e39718183676dfeb6c73d56b2f4efd5665b4e4ebb6d4a4a62346c04ab1687934e52a5a274d02f32a820696abd93fd58b3d1acb476783b0789386f98

    • SSDEEP

      3072:bfi3k+oWDBDh1duENb5ahEpaGJxsN+ArxMJd8oGGObFAYXt0mDIh9Lt:bfL+oqF5ahWaMPAwRGzia0h9Lt

    Score
    10/10
    asyncratneshtastealeriumxmrigzgratnewcollectionevasionexecutionminerpersistenceratspywarestealerupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Neshta payload

    • Detect ZGRat V1

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      ⠨/start.vbs

    • Size

      158B

    • MD5

      93d87c8509ed0e495a02d6b2cb4e0522

    • SHA1

      9cbc105b345ccce63a8edb2b2f86932142735226

    • SHA256

      b25a6eded1b6e392997b6cd72f20914456ec52ed3fed688d021c55e0e4090238

    • SHA512

      97a33aa53ac17a6250b0bddb8f8027d2d2fe36b8e7bf843b3b9d6655b067b7e56e8c8d5218208f82f8b439f5af2cf6546ee753ea9eb267c21ff8e4c2d5d0eff8

    Score
    1/10
    behavioral2

    • Target

      ⠨/temp.bat

    • Size

      198KB

    • MD5

      9d5d6af2f6dd8e176f3c137d155a6523

    • SHA1

      a7aff2aa02b6479f5430d3d71b7bd1e8171dc1ec

    • SHA256

      8e5caf28acdfbe1a160b450ef1798778abb0a9b7952b03a2b0c7c11fd6fcadcd

    • SHA512

      f8d6d39fdefe2ff6e3327d6e0f9a64afa6b14730e3b99b8b20d6157d64cb57b0bf889d62d91dbb30ce6f25194e9cbc259d225cd608a7fde42cdf51ac0148c7e7

    • SSDEEP

      6144:tpZ0OwGqM6C+JNJyJzcoN4WjVYKFMW8ko5POkc:HLr+JsFNrCKFCbPOj

    Score
    1/10
    behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks