Resubmissions
05-09-2023 01:34
230905-by5lrsch46 10General
-
Target
2023-09-04.zip
-
Size
299.5MB
-
Sample
240524-bp6gpsga3v
-
MD5
eea227737face033b823122d906dabed
-
SHA1
a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd
-
SHA256
5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
-
SHA512
99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760
-
SSDEEP
6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI
Malware Config
Extracted
nanocore
1.2.2.0
0.tcp.ngrok.io:19529
e8dc0029-2692-4710-a5f6-d65df0a729cd
-
activate_away_mode
true
-
backup_connection_host
0.tcp.ngrok.io
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-06-12T19:31:10.719245436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
19529
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
e8dc0029-2692-4710-a5f6-d65df0a729cd
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
0.tcp.ngrok.io
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
mirai
BOTNET
Extracted
mirai
BOTNET
Extracted
mirai
2.59.254.14
Extracted
mirai
BOTNET
Extracted
njrat
im523
svchost.exe
5.tcp.eu.ngrok.io:15312
0c7caa8c30ecac23145985ecdefb5649
-
reg_key
0c7caa8c30ecac23145985ecdefb5649
-
splitter
|'|'|
Extracted
agenttesla
Protocol: smtp- Host:
mail.elhamdelevator.com - Port:
587 - Username:
info@elhamdelevator.com - Password:
01221417748 - Email To:
info@elhamdelevator.com
https://discordapp.com/api/webhooks/1141171534019436636/rsmn69Lcmg35Ga7bqVUGtuetk3b-HNiKLnmDMzvt91gHtESYIARmGI9pQQxxg2F5Q3mM
Extracted
mirai
o.do.do
Extracted
mirai
BOTNET
Extracted
mirai
8.8.8.8
Extracted
mirai
8.8.8.8
2.59.254.14
Extracted
mirai
zerobot.zc.al
2.59.254.14
Extracted
njrat
0.7NC
NYAN CAT
4Mekey.myftp.biz:1011
adminbogota.duckdns.org:2015
unicornio2020.duckdns.org:9966
cfcfc4ede74345f998
-
reg_key
cfcfc4ede74345f998
-
splitter
@!#&^%$
Extracted
mirai
BOTNET
Extracted
mirai
LZRD
Extracted
mirai
2.59.254.14
Extracted
mirai
LZRD
Extracted
mirai
SORA
Extracted
asyncrat
1.0.7
VBS09
4Mekey.myftp.biz:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/reverse_tcp
156.223.59.18:4444
Extracted
mirai
2.59.254.14
Extracted
mirai
SORA
Extracted
darkcloud
https://api.telegram.org/bot6342175884:AAGNYnOE8HN_cXImf1tA6GQfayeeb18yP84/sendMessage?chat_id=5990783030
-
email_from
tsctubesales.co.in
-
email_to
bestbenefthk@gmail.com
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Extracted
mirai
2.59.254.14
Extracted
strrat
powerful.ddnsfree.com:7802
judepower.duckdns.org:7817
-
license_id
EBGS-IHJV-5E77-T3MF-HBXL
-
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
-
scheduled_task
false
-
secondary_startup
true
-
startup
false
Extracted
asyncrat
1.0.7
PIJAO 4 SEPT
16agostok.duckdns.org:8004
DcRatMutex_qwqdanchunfdsaf
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
metasploit
windows/reverse_tcp_dns
privacy-now.org:8888
Extracted
asyncrat
0.5.7B
VBS09
4Mekey.myftp.biz:6606
4Mekey.myftp.biz:7707
4Mekey.myftp.biz:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
mirai
BOTNET
Extracted
lokibot
http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
formbook
4.1
v93r
labourcommunitymarket.com
nba82.com
datahabitsales.site
rosstony.link
baliorganic.farm
qefhyjngrxcbjfvgft.autos
bippttcg.click
tldrschool.com
vcdaawug.click
garage2mats.com
soulrin.store
themezodermacream.com
522fairwaylookout.com
jmhoa.cyou
sygcb.link
thanhpresident.com
biy-home.com
imtmlife.online
dijitalpasaj.app
105261.com
Targets
-
-
Target
d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe
-
Size
2.5MB
-
MD5
83bb427fb0c1d78cf27f7f7b3a0ddb51
-
SHA1
c6add026998074678ff17a77200bc9433b12e410
-
SHA256
d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d
-
SHA512
8adc548873fc57732a99f48e69716e7d74bb2abf59904b86cc0e282f1a3b37a47fe84d7d94518973960c3d079c7c739926fb35d7bb09a25a48c5f02e30a6c1d2
-
SSDEEP
49152:kWhSV4BfJXAEgs3OaQCU+bzbDP4Fnbo8AdmkugFtWZ/q4xCl+gbAC8J:kWhSeBfKExOaQ6vP4dW0CWZ/q43gclJ
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
-
-
Target
d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe
-
Size
328KB
-
MD5
bed5bc899097b4922fb846b4c571eb8a
-
SHA1
fc46b499c632debda49c629c9b550db28f4a0417
-
SHA256
d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20
-
SHA512
19904b5ae96e4a050b91ae814d35ab3786fae07c81a84063caaa19ae4f6f2797790cf330bcb1b04d788a57ec8698c80b17f68a4a0ac7405e5bbec0e29d83ecb5
-
SSDEEP
6144:cNDlOlZXy3X2zE2Ymn0xduOp+E8bfiN/9WG3ktHhpBnyv+bx2MTxr9LAJeVsBqt+:csZXy3Xn2YlduOp+jbqN/9WG3QBPyv+q
Score7/10-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe
-
Size
713KB
-
MD5
8b1058f347f74e2b92b1764025733631
-
SHA1
76f54a1b4d333c07f4a09998bf0c9b4e87f31f10
-
SHA256
d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076
-
SHA512
131394e6cd72d7876676722ddc9f3c9ac2c82d1ece911cb1fb7cd3b005c1fc8ae6ea9cd6ef2a084fd6270b790c0357964616d9f7429a8af07330631ce8d9a656
-
SSDEEP
12288:62OweL71Vy9/XbXKjgeEFH32QrmnSQ9mqMWN/c4JfhGwSIrcHjSxP9DBRwuv7/pf:hi71VS/XLKjgNFHmukXvNL5ujSvrJJV
Score7/10-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe
-
Size
2.4MB
-
MD5
871437c5f018c4fe1dc51e8a92ee2278
-
SHA1
437ef6aac1ecb9b8c52f3e3a8161404e2ab88698
-
SHA256
d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745
-
SHA512
67e75646861267120b6760e3d85d7012626282e0cfcfa6974d48f17fc5e00356e542c9c38293fbb29b7770033db9489eb98fd0caffe7ea04dfd4186eafdb4081
-
SSDEEP
49152:rLLqnWBq9t/saLUwE1MTck6+UuNkKY2HjbgqNOXu149N/Qg1xYF:riLts8+1MTcENJY6joh1xs
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
-
-
Target
de558a924a89a755f2d660f864d164c81e62ddf7da400fe771c0febbe1858aa1.exe
-
Size
45KB
-
MD5
88ce1fc7c64ce41bccfc80e97db6bbe3
-
SHA1
a20d4b7e038256c1e29e549cb18261d483a840bd
-
SHA256
de558a924a89a755f2d660f864d164c81e62ddf7da400fe771c0febbe1858aa1
-
SHA512
82138002d26357f3b14e4c33b4ec0235507ca99fab6f2f4bf10ebe8ae3ee7c5afa6be92d3d5a914fd322265226e60e8debd54fcdfc02dcde330abe4d8bb7abe3
-
SSDEEP
768:Pu/6ZTgoiziWUUM9rmo2qrjO5QyJ4PiNjPISzjbwgX3iwL6ocrFO8BDZrx:Pu/6ZTgle2IO52iKS3b3XSw2oGOadrx
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
-
-
Target
e1051e77a093d4fd5c81b43914bff83dce8662374f1c7e4b3a082ce2094870c0.exe
-
Size
79KB
-
MD5
d4cd720a666d79b2ab49106c8a9f36f6
-
SHA1
9098478ffab34d0d9e334dce3cd1769b86be166b
-
SHA256
e1051e77a093d4fd5c81b43914bff83dce8662374f1c7e4b3a082ce2094870c0
-
SHA512
586ef5a136c0d1ab918af6745ad8ab2c922fddff4748a495c5e183c9dae608d0cf3dd7c642b8212e63cdc003f93f64f9b3b19c5250468e699e5c07d1c6f84f61
-
SSDEEP
768:vljP1pmjALZy6prdO7K+tJpN201s9jmHt8N5zg7de8Aaiqk329ZvUDJK9BHXYpoz:vsuHQelfUAauuVU0TKoLOIrdppmdQ
Score1/10 -
-
-
Target
e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
-
Size
752KB
-
MD5
1ae98135f3721f93c3627b8167e6fa50
-
SHA1
c5eae06d96051b94cb6e0dabd0f40fed7384306d
-
SHA256
e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be
-
SHA512
64db93b80a24eb03104caaf778dd29d1a1592652b2d7f734f1e3e0ede89af5f1cafa627a756ec6fb63aa2e2cfa42ade6c6a9aa1e8dfff749275c19e6cb6e7565
-
SSDEEP
12288:767B0v33ZJRDqzafmCu5ZjcVZaY2xtxDLQLBNwR2z3n8jUhRcOJ5cLc:76+v3RB+Cu5CZlutZLQLBNhn8j5y/
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe
-
Size
6.9MB
-
MD5
acc8d28b6efffe73bc7087b610c6dd9f
-
SHA1
ee5d1ce578c07a8378189e72345277efc696c090
-
SHA256
e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1
-
SHA512
a94ce3d5795d13d4474a0afcbd65772d4d34f5756f2ae961f5082aa0570e078ea410aafc893cff54e2a1fad2b690de7060754aafbd48b3a9f1b2d28753b9db7c
-
SSDEEP
196608:MYh4Y2TV9xyWZzP+EyNlbof4N9XxuzeS5fWPs1:VuYW1PK9owN9BceifWPS
Score7/10-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
-
-
Target
e4d72d8ddc51c3881aac8e689eeb381b4c97a87cf7dc973c97e5fe35feaa80a8.exe
-
Size
375KB
-
MD5
0094d5ff373cec9019212a835c894851
-
SHA1
1b1cf094623b3d3ab7fe023f31efe2effed19012
-
SHA256
e4d72d8ddc51c3881aac8e689eeb381b4c97a87cf7dc973c97e5fe35feaa80a8
-
SHA512
5c6fee60774b1fe4e9f5a63483219e2717a301a31ffb8eba4e5277d4770ea69a93f4f5b398fc7b0249bd9cb5cb4a13147b731222a075cd2fcec7da10e48e9275
-
SSDEEP
6144:CON3t/C8E6+4xuQvxbAg/1XPxlw/08TgX4flL+84X9wBG8PAbLBFiYV:Cwd6hSBF/1/Lw/HTtNi84X9amPBFi
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
-
-
Target
e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe
-
Size
648KB
-
MD5
904d9a8a5b31139b3c895ef48806c646
-
SHA1
23305c7323f220e8eb6b87f12244ca9419fda48f
-
SHA256
e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0
-
SHA512
71dbc2495b7b3e4e724340059b8cc8a74d3fde9a4367b008f74e3f63a987c34d61feeb8a4daf007712981fbf72d6f0268a4e9622e3cf87a89c3487669e415bda
-
SSDEEP
12288:F97C0hXzJP7k4LycnkzaWkHKlABWD35LRl6/Vu9V:F9mSjK4yhoqOWb5Vl6/VuT
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e57bff75d5dff87a5a965e50d9acdfb8237419c14a102b78493d893e11b1adad.exe
-
Size
20KB
-
MD5
015f9f208a2475de5d15de69435d2d0c
-
SHA1
2a7bfbece0acf9e446a5419bcff2a9120639e01c
-
SHA256
e57bff75d5dff87a5a965e50d9acdfb8237419c14a102b78493d893e11b1adad
-
SHA512
331ddd2d95cce0e74af7ef6da3c5bd4127973624ab94407ca94cb1f4aaa13c582eaf342373ce86f5e2de7c6ef8e72a9321abe9ac67696939fc067759aef028b3
-
SSDEEP
384:6fvaO6XCWQef8pTFO2sjorQUKJV15Rnu0/w3UfZ:ZfCSaFbsjorW1nu0/w3Q
Score1/10 -
-
-
Target
e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe
-
Size
616KB
-
MD5
1caeba20d73f6665029d6bc0fa853312
-
SHA1
849a79c6dfe1483875e7ca1780d9718c11102321
-
SHA256
e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea
-
SHA512
7272c07c70f7a3b542a1a2e022184c161e7f72f3f27e5c52d7e847bc94bca1a3f34b062e80510bae1a847e02d54bc1214a00470d510eabeafd31e58849f6cdd5
-
SSDEEP
12288:KE9/X2MaoJKyKNt91+HMXvEYghrdyWocb75y5hxGJgcz/b/CEsPRWw3KV0:P/X2Kf0T+ttb2o7UbxYrzLCtWgKV0
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe
-
Size
783KB
-
MD5
dd32fbe95047642376227127eaffe815
-
SHA1
8d2c3539b0307816c4e0d447cb5b577cb6e15c07
-
SHA256
e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8
-
SHA512
97645a91ca1219a221ef60083adbbc07f4706030f5bc0669965fa3e53881c3422ae2aac0eb14d0dce7470ff7f06e2987d33bc7f1ee03aae93b34fa3ff81cdd49
-
SSDEEP
24576:yNA3R5drXP0lV4LIqzSVq1r+w/URexTF2+:L5OZzAr+0UExB1
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
-
Size
554KB
-
MD5
105814bac2dfd18013fcd6110e8da3fa
-
SHA1
7294336871bab0cd1391bae4ece6f2ce49770d2c
-
SHA256
e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb
-
SHA512
371750239a46c19da755e4578975e4b8daee749a746ec8ae0942969ef43592dcb55d12ef7dc18de6a4ef580ce3bc0c2765ff7634638a68d39287ec2ddaeeb3e9
-
SSDEEP
12288:Ykd04ufFuI4bf7zM2wsbTe8hUg4agLinoh/YZ0bwYIELpp1:/d+fr49wOTe76gLoBXRELpL
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Suspicious use of SetThreadContext
-
-
-
Target
e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe
-
Size
2.6MB
-
MD5
838bf9e13202d1ceeac814788efe837b
-
SHA1
75b46cb896ccb9f3209ce235ebd5f62fb2c35b3d
-
SHA256
e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff
-
SHA512
b75f12b8941843ee4141a017c61001f57f3e016cc5cd9530a0aad7478b4cb38b9fca5d5070e4f7f55417653bc6732db85db996ace60aa3c4f04c3454c6db3410
-
SSDEEP
49152:HdgDxc28AZaaE5CPuJIurzZuwWToqZsscWVYzRtYxZ7zgCBoL2I2/Re:HocbA0avPuhSToqZsscBzRin7zrI2pe
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
-
-
Target
ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54.exe
-
Size
472KB
-
MD5
c9bd78329466c6f92ebd4989e5cb0d35
-
SHA1
62ed9e02eb9b387211153e8cd7554d82ba70541c
-
SHA256
ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54
-
SHA512
e37d5d69908d84d45bbd03cd455a51bf43a71b7d7d1726dd01dd2553d48667770c7d57a1979d2c93b4bada4ab7db8d7bb0a79fb59fc47c5e2d1e727bb158b841
-
SSDEEP
6144:lKGWDvcUw8avAb7WsNjag3TSsRyaph69qNw5RDAOufxdFpeOY6W1QznIyCd:l5OvPsYN72s6INwPkOu5dFpe1
Score1/10 -
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
2