Resubmissions
05-09-2023 01:34
230905-by5lrsch46 10General
-
Target
2023-09-04.zip
-
Size
299.5MB
-
Sample
240524-b47cjsha22
-
MD5
eea227737face033b823122d906dabed
-
SHA1
a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd
-
SHA256
5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
-
SHA512
99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760
-
SSDEEP
6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI
Malware Config
Extracted
nanocore
1.2.2.0
0.tcp.ngrok.io:19529
e8dc0029-2692-4710-a5f6-d65df0a729cd
-
activate_away_mode
true
-
backup_connection_host
0.tcp.ngrok.io
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-06-12T19:31:10.719245436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
19529
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
e8dc0029-2692-4710-a5f6-d65df0a729cd
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
0.tcp.ngrok.io
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
mirai
BOTNET
Extracted
mirai
BOTNET
Extracted
mirai
2.59.254.14
Extracted
mirai
BOTNET
Extracted
njrat
im523
svchost.exe
5.tcp.eu.ngrok.io:15312
0c7caa8c30ecac23145985ecdefb5649
-
reg_key
0c7caa8c30ecac23145985ecdefb5649
-
splitter
|'|'|
Extracted
agenttesla
Protocol: smtp- Host:
mail.elhamdelevator.com - Port:
587 - Username:
[email protected] - Password:
01221417748 - Email To:
[email protected]
https://discordapp.com/api/webhooks/1141171534019436636/rsmn69Lcmg35Ga7bqVUGtuetk3b-HNiKLnmDMzvt91gHtESYIARmGI9pQQxxg2F5Q3mM
https://discord.com/api/webhooks/1145377925911290017/Z97pWUel52_tvWrOxk5XM_0ix9wRotIAl7h7K28Vywe0zXm3VwLHM3OoIEB0RzM-IrRE
Extracted
mirai
o.do.do
Extracted
mirai
BOTNET
Extracted
mirai
8.8.8.8
Extracted
mirai
8.8.8.8
2.59.254.14
Extracted
mirai
zerobot.zc.al
2.59.254.14
Extracted
njrat
0.7NC
NYAN CAT
4Mekey.myftp.biz:1011
adminbogota.duckdns.org:2015
unicornio2020.duckdns.org:9966
seznam.zapto.org:5050
cfcfc4ede74345f998
-
reg_key
cfcfc4ede74345f998
-
splitter
@!#&^%$
Extracted
mirai
BOTNET
Extracted
mirai
LZRD
Extracted
mirai
2.59.254.14
Extracted
mirai
LZRD
Extracted
mirai
SORA
Extracted
asyncrat
1.0.7
VBS09
4Mekey.myftp.biz:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/reverse_tcp
156.223.59.18:4444
Extracted
mirai
2.59.254.14
Extracted
mirai
SORA
Extracted
darkcloud
https://api.telegram.org/bot6342175884:AAGNYnOE8HN_cXImf1tA6GQfayeeb18yP84/sendMessage?chat_id=5990783030
-
email_from
tsctubesales.co.in
- email_to
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Extracted
mirai
2.59.254.14
Extracted
strrat
powerful.ddnsfree.com:7802
judepower.duckdns.org:7817
-
license_id
EBGS-IHJV-5E77-T3MF-HBXL
-
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
-
scheduled_task
false
-
secondary_startup
true
-
startup
false
Extracted
asyncrat
1.0.7
PIJAO 4 SEPT
16agostok.duckdns.org:8004
DcRatMutex_qwqdanchunfdsaf
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
metasploit
windows/reverse_tcp_dns
privacy-now.org:8888
Extracted
asyncrat
0.5.7B
VBS09
4Mekey.myftp.biz:6606
4Mekey.myftp.biz:7707
4Mekey.myftp.biz:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
mirai
BOTNET
Extracted
redline
040923_rc
sept4em.tuktuk.ug:11290
-
auth_value
47c23aee408443d5484756dcc468f53a
Extracted
formbook
4.1
mh21
qiandaye.top
zltgw.com
getxgp.link
forest-create.site
parsefilm.com
foodstore.top
reynoldsquality.com
tripleshops.com
altuwaijrifood.com
seniorassistedlivinglocator.com
essencedelanature.com
hrwv098.xyz
olkja.xyz
10685johansen.com
ajidenhp.com
sensifiedregistration.com
timetodatings.life
bizbet-review-pt.com
zhangming.asia
xn--vhq074eeozsda.top
Extracted
formbook
4.1
he2a
connectioncompass.store
zekicharge.com
dp77.shop
guninfo.guru
mamaeconomics.net
narcisme.coach
redtopassociates.com
ezezn.com
theoregondog.com
pagosmultired.online
emsculptcenterofne.com
meet-friends.online
pf326.com
wealthjigsaw.xyz
arsajib.com
kickassholdings.online
avaturre.biz
dtslogs.com
lb92.tech
pittalam.com
Targets
-
-
Target
2023-09-04.zip
-
Size
299.5MB
-
MD5
eea227737face033b823122d906dabed
-
SHA1
a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd
-
SHA256
5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
-
SHA512
99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760
-
SSDEEP
6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Neshta payload
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies WinLogon for persistence
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scripting
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1