Resubmissions

05-09-2023 01:34

230905-by5lrsch46 10

General

  • Target

    2023-09-04.zip

  • Size

    299.5MB

  • Sample

    240524-b47cjsha22

  • MD5

    eea227737face033b823122d906dabed

  • SHA1

    a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd

  • SHA256

    5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5

  • SHA512

    99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760

  • SSDEEP

    6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

0.tcp.ngrok.io:19529

Mutex

e8dc0029-2692-4710-a5f6-d65df0a729cd

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    0.tcp.ngrok.io

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-06-12T19:31:10.719245436Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    19529

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    e8dc0029-2692-4710-a5f6-d65df0a729cd

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    0.tcp.ngrok.io

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

C2

2.59.254.14

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

njrat

Version

im523

Botnet

svchost.exe

C2

5.tcp.eu.ngrok.io:15312

Mutex

0c7caa8c30ecac23145985ecdefb5649

Attributes
  • reg_key

    0c7caa8c30ecac23145985ecdefb5649

  • splitter

    |'|'|

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.elhamdelevator.com
  • Port:
    587
  • Username:
    info@elhamdelevator.com
  • Password:
    01221417748
  • Email To:
    info@elhamdelevator.com
C2

https://discordapp.com/api/webhooks/1141171534019436636/rsmn69Lcmg35Ga7bqVUGtuetk3b-HNiKLnmDMzvt91gHtESYIARmGI9pQQxxg2F5Q3mM

https://discord.com/api/webhooks/1145377925911290017/Z97pWUel52_tvWrOxk5XM_0ix9wRotIAl7h7K28Vywe0zXm3VwLHM3OoIEB0RzM-IrRE

Extracted

Family

mirai

C2

o.do.do

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

C2

8.8.8.8

Extracted

Family

mirai

C2

8.8.8.8

2.59.254.14

Extracted

Family

mirai

C2

zerobot.zc.al

2.59.254.14

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

4Mekey.myftp.biz:1011

adminbogota.duckdns.org:2015

unicornio2020.duckdns.org:9966

seznam.zapto.org:5050

Mutex

cfcfc4ede74345f998

Attributes
  • reg_key

    cfcfc4ede74345f998

  • splitter

    @!#&^%$

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

C2

2.59.254.14

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

asyncrat

Version

1.0.7

Botnet

VBS09

C2

4Mekey.myftp.biz:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

156.223.59.18:4444

Extracted

Family

mirai

C2

2.59.254.14

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot6342175884:AAGNYnOE8HN_cXImf1tA6GQfayeeb18yP84/sendMessage?chat_id=5990783030

Attributes
  • email_from

    tsctubesales.co.in

  • email_to

    bestbenefthk@gmail.com

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

C2

2.59.254.14

Extracted

Family

strrat

C2

powerful.ddnsfree.com:7802

judepower.duckdns.org:7817

Attributes
  • license_id

    EBGS-IHJV-5E77-T3MF-HBXL

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    false

  • secondary_startup

    true

  • startup

    false

Extracted

Family

asyncrat

Version

1.0.7

Botnet

PIJAO 4 SEPT

C2

16agostok.duckdns.org:8004

Mutex

DcRatMutex_qwqdanchunfdsaf

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

privacy-now.org:8888

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

VBS09

C2

4Mekey.myftp.biz:6606

4Mekey.myftp.biz:7707

4Mekey.myftp.biz:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

redline

Botnet

040923_rc

C2

sept4em.tuktuk.ug:11290

Attributes
  • auth_value

    47c23aee408443d5484756dcc468f53a

Extracted

Family

formbook

Version

4.1

Campaign

mh21

Decoy

qiandaye.top

zltgw.com

getxgp.link

forest-create.site

parsefilm.com

foodstore.top

reynoldsquality.com

tripleshops.com

altuwaijrifood.com

seniorassistedlivinglocator.com

essencedelanature.com

hrwv098.xyz

olkja.xyz

10685johansen.com

ajidenhp.com

sensifiedregistration.com

timetodatings.life

bizbet-review-pt.com

zhangming.asia

xn--vhq074eeozsda.top

Extracted

Family

formbook

Version

4.1

Campaign

he2a

Decoy

connectioncompass.store

zekicharge.com

dp77.shop

guninfo.guru

mamaeconomics.net

narcisme.coach

redtopassociates.com

ezezn.com

theoregondog.com

pagosmultired.online

emsculptcenterofne.com

meet-friends.online

pf326.com

wealthjigsaw.xyz

arsajib.com

kickassholdings.online

avaturre.biz

dtslogs.com

lb92.tech

pittalam.com

Targets

    • Target

      2023-09-04.zip

    • Size

      299.5MB

    • MD5

      eea227737face033b823122d906dabed

    • SHA1

      a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd

    • SHA256

      5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5

    • SHA512

      99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760

    • SSDEEP

      6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Neshta payload

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Modifies WinLogon for persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Tasks