Resubmissions

28-11-2024 02:19

241128-cr9sks1kht 10

27-11-2024 21:08

241127-zyzyaawqgn 10

27-11-2024 20:16

241127-y145caymbs 10

27-11-2024 20:13

241127-yzlxdavlen 10

27-11-2024 19:53

241127-yl61dsxpcs 10

27-11-2024 19:38

241127-ycrjcaxkfx 10

27-11-2024 19:03

241127-xqsswsslej 10

27-11-2024 19:03

241127-xqf44aslcr 3

27-11-2024 19:02

241127-xpxqfsslan 3

27-11-2024 18:32

241127-w6pkqs1mek 10

General

  • Target

    Downloaders.zip

  • Size

    12KB

  • Sample

    240521-mdy42aaa2x

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

5.182.87.154:7000

Mutex

Bg9JRZDpyEfXxrAy

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes
  • install_dir

    7af68cdb52

  • install_file

    axplons.exe

  • strings_key

    e2ce58e78f631ed97d01fe7b70e85d5e

  • url_paths

    /zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Extracted

Family

redline

Botnet

Vic

C2

beshomandotestbesnd.run.place:1111

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    taskmgr.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

stealc

rc4.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

79.132.193.215:4782

Mutex

f99ccef5-65c4-4972-adf2-fb38921cc9fc

Attributes
  • encryption_key

    1C15E91ACCFAC60B043A1336CF6912EA8572BA83

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

Extracted

Family

redline

Botnet

DOCX

C2

beshomandotestbesnd.run.place:1111

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

5.182.87.154:4449

Mutex

jiqsvporltpvroy

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Downloaders.zip

    • Size

      12KB

    • MD5

      94fe78dc42e3403d06477f995770733c

    • SHA1

      ea6ba4a14bab2a976d62ea7ddd4940ec90560586

    • SHA256

      16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

    • SHA512

      add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

    • SSDEEP

      384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Lumma Stealer payload V2

    • Detect Lumma Stealer payload V4

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Detects HijackLoader (aka IDAT Loader)

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies firewall policy service

    • Modifies security service

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • UAC bypass

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies boot configuration data using bcdedit

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Contacts a large (627) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Possible privilege escalation attempt

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks