Resubmissions
Submitted           Analysis ID           Score
25-06-2024 11:24    240625-nhwp5swhja     10
25-06-2024 11:22    240625-ngzemszcrm     3
24-06-2024 00:56    240624-bamq2s1gma     10
23-06-2024 11:27    240623-nkejmsygnf     8
23-06-2024 11:15    240623-nchw4ayflh     10
23-06-2024 11:08    240623-m81w4syerb     10
23-06-2024 11:08    240623-m8qq5ssfpn     3
22-05-2024 09:14    240522-k7dzvaad9z     10
21-05-2024 10:21    240521-mdy42aaa2x     10
21-05-2024 10:18    240521-mcbx4shg72     10
General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
240522-k7dzvaad9z
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
New Text Document mod.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
New Text Document mod.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
quasar
1.4.1
Office04
185.196.10.233:4782
79.132.193.215:4782
b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6
-
encryption_key
0EC03133971030F6D05E6D59F71626F6543BBE65
-
install_name
gfdgfdg.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
fgfdhdgg
-
subdirectory
gfgfgf
Extracted
asyncrat
0.5.8
Spread
94.156.10.12:80
94.156.10.12:443
94.156.8.44:80
94.156.8.44:443
B7T0vEfLYvgG
-
delay
300
-
install
false
-
install_folder
%AppData%
Extracted
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
Extracted
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002
Extracted
xworm
5.0
85.203.4.146:7000
5.182.87.154:7000
eItTbYBfBYihwkyW
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Default
85.209.133.18:4545
5.182.87.154:4449
tdipywykihsjieff
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
taskhostw.exe
-
pastebin_url
https://pastebin.com/raw/Xuc6dzua
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
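The extracted configurations above are the most actionable part of this report, and the detail worth noticing is that 5.182.87.154 appears in both the XWorm config and the "Venom RAT" AsyncRAT config. The Python below is an added example, not output from the sandbox: it transcribes those C2 values and turns them into a deduplicated indicator set, dropping non-routable endpoints (the 127.0.0.1:8848 DcRat config is a default build and would blocklist nothing), reporting IPs shared between families, keeping the Pastebin and CloudFront indicators at full-URL granularity because their hosts are shared legitimate services, and emitting Suricata rules. The `downloader` family label for the two CloudFront URLs and the Suricata sid range are assumptions for this example.

```python
"""Normalize the C2 configs extracted in this report into a deduplicated IOC set.

Config values are transcribed from the 'Malware Config' section above; the
grouping, routability check and rule output are an added example, not the
sandbox's own tooling.
"""
import ipaddress
from collections import defaultdict

# Transcribed from the report. "downloader" is an assumed label for the two
# CloudFront URLs, which the report lists without a family name.
EXTRACTED_CONFIGS = [
    {"family": "quasar", "version": "1.4.1",
     "c2": ["185.196.10.233:4782", "79.132.193.215:4782"]},
    {"family": "asyncrat", "version": "0.5.8",
     "c2": ["94.156.10.12:80", "94.156.10.12:443",
            "94.156.8.44:80", "94.156.8.44:443"]},
    {"family": "xworm", "version": "5.0",
     "c2": ["85.203.4.146:7000", "5.182.87.154:7000"]},
    {"family": "asyncrat", "version": "Venom RAT + HVNC + Stealer + Grabber v6.0.2",
     "c2": ["85.209.133.18:4545", "5.182.87.154:4449"]},
    {"family": "asyncrat", "version": "1.0.7", "c2": ["127.0.0.1:8848"]},
    {"family": "xworm", "version": None,
     "urls": ["https://pastebin.com/raw/Xuc6dzua"]},
    {"family": "downloader", "version": None,
     "urls": ["https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002",
              "https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002"]},
]


def split_endpoint(endpoint):
    """'ip:port' -> (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_routable(ip_text):
    """Loopback/private/link-local addresses are build defaults or lab noise, not blockable IOCs."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified)


def build_iocs(configs):
    """Return (ips, urls, skipped).

    ips:     ip -> {"ports": set, "families": set}
    urls:    full URL -> set of families. The hosts (pastebin.com, cloudfront.net)
             are shared legitimate services, so only the full URL is an indicator.
    skipped: (ip, family, version) for endpoints dropped as non-routable.
    """
    ips = defaultdict(lambda: {"ports": set(), "families": set()})
    urls = defaultdict(set)
    skipped = []
    for cfg in configs:
        for endpoint in cfg.get("c2", []):
            ip, port = split_endpoint(endpoint)
            if not is_routable(ip):
                skipped.append((ip, cfg["family"], cfg["version"]))
                continue
            ips[ip]["ports"].add(port)
            ips[ip]["families"].add(cfg["family"])
        for url in cfg.get("urls", []):
            urls[url].add(cfg["family"])
    return dict(ips), dict(urls), skipped


def shared_infrastructure(ips):
    """IPs present in more than one family's config: the strongest pivot for clustering."""
    return sorted(ip for ip, info in ips.items() if len(info["families"]) > 1)


def suricata_rules(ips, start_sid=9000001):
    """One alert per ip:port pair. Standard Suricata syntax; the sid range is arbitrary."""
    rules, sid = [], start_sid
    for ip in sorted(ips, key=ipaddress.ip_address):
        for port in sorted(ips[ip]["ports"]):
            families = "/".join(sorted(ips[ip]["families"]))
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"RAT C2 {families} {ip}:{port}"; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    ips, urls, skipped = build_iocs(EXTRACTED_CONFIGS)
    print("shared across families:", shared_infrastructure(ips))
    print("dropped as non-routable:", skipped)
    print("\n".join(suricata_rules(ips)))
```

The routability filter matters more than it looks: a blocklist fed straight from config extraction will happily ship 127.0.0.1 or 192.168.x.x entries from test builds, and a shared IP across two families is the first thing to pivot on in passive DNS and netflow.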
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
Modifies WinLogon for persistence
-
Modifies security service
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Looks for VirtualBox Guest Additions in registry
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Looks for VMWare Tools registry key
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
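The "Modifies WinLogon for persistence" and "Adds Run key to start application" signatures above, together with the XWorm configs that install as svchost.exe under %Userprofile% and taskhostw.exe under %AppData%, describe exactly what a host-triage check should look for. The Python below is an added example, not tooling from the sandbox vendor: it parses a .reg export of the Winlogon and Run keys and flags non-default Userinit/Shell values and Run entries whose binary borrows a Windows system-process name from outside System32. The .reg text is constructed for this example; its paths mirror the install_name/subdirectory/startup_key/install_file values in the extracted configs, and the "victim" username is invented.

```python
"""Audit Winlogon and Run keys from a .reg export for the persistence seen in this report.

Added example: the .reg text is constructed (not from the sandbox) and mirrors the
install_name/subdirectory/startup_key and install_file values in the extracted
configs; the parser and rules are not tooling from the sandbox vendor.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\gfgfgf\\gfdgfdg.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\victim\\svchost.exe"
"fgfdhdgg"="C:\\Users\\victim\\AppData\\Roaming\\gfgfgf\\gfdgfdg.exe"
"taskhostw"="C:\\Users\\victim\\AppData\\Roaming\\taskhostw.exe"
'''

# Names of Windows binaries that malware likes to borrow (the XWorm configs above use two of them).
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhostw.exe", "explorer.exe", "userinit.exe",
                       "csrss.exe", "lsass.exe", "winlogon.exe", "dllhost.exe", "conhost.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Minimal .reg parser: named REG_SZ values only, returned as {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m and m.group(2).startswith('"'):
                # Strip the outer quotes and undo \\ and \" escaping.
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])
    return keys


def command_image(cmd):
    """Executable path from a command line: quoted path or first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def is_user_writable(path):
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\programdata\\" in p or "\\temp\\" in p


def audit(keys):
    """Return (severity, key, value_name, image, reason) tuples."""
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf == "winlogon":
            shell = values.get("Shell", "explorer.exe")
            if shell.lower() != "explorer.exe":
                findings.append(("high", key, "Shell", shell, "non-default Winlogon Shell"))
            # Userinit is a comma list; the default is the single system32 entry.
            for entry in (e.strip() for e in values.get("Userinit", "").split(",")):
                if entry and entry.lower() != DEFAULT_USERINIT:
                    findings.append(("high", key, "Userinit", entry, "extra Userinit program"))
        elif leaf in ("run", "runonce"):
            for name, cmd in values.items():
                image = command_image(cmd)
                p = PureWindowsPath(image)
                if p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in SYSTEM_DIRS:
                    findings.append(("high", key, name, image, "system binary name outside System32"))
                elif is_user_writable(image):
                    # Legitimate software (OneDrive, Teams, ...) also autostarts from AppData,
                    # so this is a triage hint, not an alert on its own.
                    findings.append(("low", key, name, image, "autostart from user-writable path"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(*f, sep=" | ")
```

The severity split is deliberate: a Winlogon Userinit change or a svchost.exe living under a user profile is worth an alert on its own, whereas "autostarts from AppData" is true of a great deal of legitimate software and only helps once you are already triaging the host.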
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Detect Xworm Payload
-
Modifies security service
-
PureLog Stealer payload
-
Quasar payload
-
Async RAT payload
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exse
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Detect Xworm Payload
-
Modifies security service
-
PureLog Stealer payload
-
Quasar payload
-
Async RAT payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
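The "Command and Scripting Interpreter: PowerShell" signature above (Defender exclusions added for extensions, paths and processes) is one of the few behaviours in this report that leaves a clean, attributable log trail: PowerShell script block logging (Event ID 4104) records the Add-MpPreference/Set-MpPreference text verbatim. The Python below is an added example, not sandbox output: it scans constructed 4104 records (tab-separated timestamp, host, ScriptBlockText) for exclusion and disable parameters, resolves abbreviated parameter names the way PowerShell's prefix binding does, and ignores `-Disable... $false`, which restores protection rather than removing it. The hosts, timestamps and paths in the sample records are invented; the paths echo the install locations in the extracted configs.

```python
"""Detect Defender exclusion / disable changes in PowerShell script block logs (Event ID 4104).

Added example, not sandbox output: the log records are constructed for this page
(tab-separated timestamp, host, ScriptBlockText) and the paths echo the install
locations in the extracted configs above.
"""
import re

SAMPLE_4104 = """\
2024-06-25T11:24:01Z\tWS01\tGet-MpPreference | Select-Object ExclusionPath
2024-06-25T11:24:03Z\tWS01\tAdd-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming','C:\\Users\\victim' -ExclusionExtension exe,dll
2024-06-25T11:24:04Z\tWS01\tAdd-MpPreference -ExclusionProcess svchost.exe,taskhostw.exe
2024-06-25T11:24:05Z\tWS01\tSet-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true
2024-06-25T11:24:09Z\tWS02\tadd-mppreference  -exclusionpa "C:\\ProgramData\\gfgfgf"
2024-06-25T11:24:10Z\tWS02\tGet-ChildItem -Path C:\\Temp -Recurse
"""

# Parameters of Add-/Set-MpPreference that weaken Defender when set.
KNOWN_PARAMS = [
    "ExclusionPath", "ExclusionExtension", "ExclusionProcess", "ExclusionIpAddress",
    "DisableRealtimeMonitoring", "DisableIOAVProtection", "DisableBehaviorMonitoring",
    "DisableScriptScanning", "DisableBlockAtFirstSeen", "DisableIntrusionPreventionSystem",
]

CMDLET_RE = re.compile(r"\b(?:add|set)-mppreference\b", re.IGNORECASE)
# Parameter plus argument. The argument is one token or a comma list without spaces,
# which covers the one-liners malware drops; quoted values with spaces need a tokenizer.
PARAM_RE = re.compile(r"-((?:exclusion|disable)\w*)\s+(\S+)", re.IGNORECASE)


def resolve_param(token):
    """PowerShell binds any unambiguous prefix of a parameter name, so -ExclusionPa is -ExclusionPath."""
    hits = [p for p in KNOWN_PARAMS if p.lower().startswith(token.lower())]
    return hits[0] if len(hits) == 1 else token


def split_values(arg):
    """'a','b'  or  a,b  ->  ['a', 'b'] with surrounding quotes removed."""
    return [v.strip().strip("'\"") for v in arg.split(",") if v.strip()]


def detect_defender_tampering(log_text):
    """Return one finding per weakening parameter: {ts, host, param, values}."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, script = line.split("\t", 2)
        if not CMDLET_RE.search(script):
            continue
        for m in PARAM_RE.finditer(script):
            param = resolve_param(m.group(1))
            values = split_values(m.group(2))
            # Disable* parameters only matter when set to $true/1; $false restores protection.
            if param.startswith("Disable") and (not values or values[0].lower() not in ("$true", "1")):
                continue
            findings.append({"ts": ts, "host": host, "param": param, "values": values})
    return findings


if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_4104):
        print(f["ts"], f["host"], f["param"], ",".join(f["values"]))
```

The prefix resolution is the part that text-match rules usually miss: `-exclusionpa` binds to `-ExclusionPath` in PowerShell, so a rule keyed on the full parameter name is trivially bypassed. Script block logging also sees through string obfuscation because the decoded block is what gets logged, but it must be enabled by policy beforehand; by the time a sample like this runs, it is too late to turn it on.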
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter 4
  PowerShell 4
System Services 6
  Service Execution 6
Scripting 1
Scheduled Task/Job 3
Persistence
Boot or Logon Autostart Execution 5
  Registry Run Keys / Startup Folder 4
  Winlogon Helper DLL 1
Create or Modify System Process 11
  Windows Service 11
Scheduled Task/Job 3
Privilege Escalation
Boot or Logon Autostart Execution 5
  Registry Run Keys / Startup Folder 4
  Winlogon Helper DLL 1
Create or Modify System Process 11
  Windows Service 11
Abuse Elevation Control Mechanism 1
  Bypass User Account Control 1
Scheduled Task/Job 3
Defense Evasion
Modify Registry 22
Impair Defenses 12
  Disable or Modify Tools 8
  Disable or Modify System Firewall 1
Abuse Elevation Control Mechanism 1
  Bypass User Account Control 1
Virtualization/Sandbox Evasion 2
Hide Artifacts 4
  Hidden Files and Directories 4
Scripting 1
Subvert Trust Controls 3
  Install Root Certificate 3
File and Directory Permissions Modification 2