General
-
Target
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
-
Size
1.8MB
-
Sample
240514-zplpasfh6x
-
MD5
2307c3f2702a53fdc03bf2f05fe51a25
-
SHA1
5d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
-
SHA256
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
-
SHA512
14c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
-
SSDEEP
49152:VKrUl9aoaN6dMU27MyNw2e9ObxiFlWukA+dEoBpck6Co:VKrb6bmw2mOliFlWuQxpcN
Malware Config
Extracted
Protocol: smtp- Host:
mx.progiftstore.org - Port:
587 - Username:
[email protected] - Password:
eHdixiY321
Extracted
Protocol: smtp- Host:
mx.mannbdinfo.org - Port:
587 - Username:
[email protected] - Password:
9O2sw3bc
Extracted
Protocol: smtp- Host:
mail.jlchacha.com - Port:
587 - Username:
[email protected] - Password:
chacha123
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
dano67
Extracted
Protocol: smtp- Host:
autismplus.com.au - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
DEC1564
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
Gto6766
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
hYN2mU67!
Extracted
Protocol: smtp- Host:
mx.giochi0.it - Port:
587 - Username:
[email protected] - Password:
Barcellona28
Extracted
Protocol: smtp- Host:
smtp.nifty.ne.jp - Port:
587 - Username:
[email protected] - Password:
19711229
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
110110Jp
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
eagle1
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
gloria02151
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
Taylor5bob
Extracted
Protocol: smtp- Host:
mx.nikeshoesoutletforsale.com - Port:
587 - Username:
[email protected] - Password:
dsfsdfede2022
Extracted
Protocol: smtp- Host:
mx.gcdetectivefree.com - Port:
587 - Username:
[email protected] - Password:
Parola12
Extracted
Protocol: smtp- Host:
smtp.terre-net.fr - Port:
587 - Username:
[email protected] - Password:
s2l81290
Extracted
Protocol: smtp- Host:
mx.fkksol.com - Port:
587 - Username:
[email protected] - Password:
Cucuzq7p
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
medomak4554!medomak4554!123
Extracted
Protocol: smtp- Host:
mx.websitebod.com - Port:
587 - Username:
[email protected] - Password:
tTisf7i32wy
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
rideboard1
Extracted
Protocol: smtp- Host:
void.blackhole.mx - Port:
587 - Username:
[email protected] - Password:
super6
Extracted
Protocol: smtp- Host:
hcmp.co.kr - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
mx.websitebod.com - Port:
587 - Username:
[email protected] - Password:
eHdixiY
Extracted
Protocol: smtp- Host:
mx.uvvc.info - Port:
587 - Username:
[email protected] - Password:
663765335226
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
barbbite
Extracted
Protocol: smtp- Host:
romanov.ca - Port:
587 - Username:
[email protected] - Password:
jasper
Extracted
Protocol: smtp- Host:
autismplus.com.au - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.homtail.co.uk - Port:
587 - Username:
[email protected] - Password:
s1zzle
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
4Jr4xr8ekq&
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
honda91
Extracted
Protocol: smtp- Host:
mx.fkksol.com - Port:
587 - Username:
[email protected] - Password:
6YKeuo3A
Extracted
Protocol: smtp- Host:
hcmp.co.kr - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
wightman.ca - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
Insanity1
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Loukasd12
Extracted
Protocol: smtp- Host:
mail.jbc.co.jp - Port:
587 - Username:
[email protected] - Password:
Take0912
Extracted
Protocol: smtp- Host:
mx.ertemaik.com - Port:
587 - Username:
[email protected] - Password:
zq15VjBo
Extracted
amadey
4.20
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
redline
1
185.215.113.67:26260
Extracted
gcleaner
185.172.128.90
5.42.64.56
5.42.65.64
Targets
-
-
Target
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
-
Size
1.8MB
-
MD5
2307c3f2702a53fdc03bf2f05fe51a25
-
SHA1
5d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
-
SHA256
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
-
SHA512
14c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
-
SSDEEP
49152:VKrUl9aoaN6dMU27MyNw2e9ObxiFlWukA+dEoBpck6Co:VKrb6bmw2mOliFlWuQxpcN
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Windows security bypass
-
ZGRat
ZGRat is remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Contacts a large (764) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Manipulates WinMon driver.
Roottkits write to WinMon to hide PIDs from being detected.
-
Manipulates WinMonFS driver.
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
2Disable or Modify System Firewall
1Modify Registry
5Virtualization/Sandbox Evasion
2Subvert Trust Controls
1Install Root Certificate
1