Resubmissions

05-09-2023 01:34

230905-by5lrsch46 10

General

  • Target

    2023-09-04.zip

  • Size

    299.5MB

  • Sample

    240524-bxrnhsgd3z

  • MD5

    eea227737face033b823122d906dabed

  • SHA1

    a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd

  • SHA256

    5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5

  • SHA512

    99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760

  • SSDEEP

    6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

0.tcp.ngrok.io:19529

Mutex

e8dc0029-2692-4710-a5f6-d65df0a729cd

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    0.tcp.ngrok.io

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-06-12T19:31:10.719245436Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    19529

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    e8dc0029-2692-4710-a5f6-d65df0a729cd

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    0.tcp.ngrok.io

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

C2

2.59.254.14

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

njrat

Version

im523

Botnet

svchost.exe

C2

5.tcp.eu.ngrok.io:15312

Mutex

0c7caa8c30ecac23145985ecdefb5649

Attributes
  • reg_key

    0c7caa8c30ecac23145985ecdefb5649

  • splitter

    |'|'|

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.elhamdelevator.com
  • Port:
    587
  • Username:
    info@elhamdelevator.com
  • Password:
    01221417748
  • Email To:
    info@elhamdelevator.com
C2

https://discordapp.com/api/webhooks/1141171534019436636/rsmn69Lcmg35Ga7bqVUGtuetk3b-HNiKLnmDMzvt91gHtESYIARmGI9pQQxxg2F5Q3mM

Extracted

Family

mirai

C2

o.do.do

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

C2

8.8.8.8

Extracted

Family

mirai

C2

8.8.8.8

2.59.254.14

Extracted

Family

mirai

C2

zerobot.zc.al

2.59.254.14

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

4Mekey.myftp.biz:1011

adminbogota.duckdns.org:2015

unicornio2020.duckdns.org:9966

Mutex

cfcfc4ede74345f998

Attributes
  • reg_key

    cfcfc4ede74345f998

  • splitter

    @!#&^%$

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

C2

2.59.254.14

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

asyncrat

Version

1.0.7

Botnet

VBS09

C2

4Mekey.myftp.biz:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

156.223.59.18:4444

Extracted

Family

mirai

C2

2.59.254.14

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot6342175884:AAGNYnOE8HN_cXImf1tA6GQfayeeb18yP84/sendMessage?chat_id=5990783030

Attributes
  • email_from

    tsctubesales.co.in

  • email_to

    bestbenefthk@gmail.com

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

C2

2.59.254.14

Extracted

Family

strrat

C2

powerful.ddnsfree.com:7802

judepower.duckdns.org:7817

Attributes
  • license_id

    EBGS-IHJV-5E77-T3MF-HBXL

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    false

  • secondary_startup

    true

  • startup

    false

Extracted

Family

asyncrat

Version

1.0.7

Botnet

PIJAO 4 SEPT

C2

16agostok.duckdns.org:8004

Mutex

DcRatMutex_qwqdanchunfdsaf

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

privacy-now.org:8888

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

VBS09

C2

4Mekey.myftp.biz:6606

4Mekey.myftp.biz:7707

4Mekey.myftp.biz:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

mirai

Botnet

BOTNET

Targets

    • Target

      2023-09-04.zip

    Score
    1/10
