Resubmissions

28-05-2024 08:39

240528-kklq6scg8y 10

26-05-2024 17:22

240526-vxlxtaef89 10

General

  • Target

    New Text Document.bin

  • Size

    4KB

  • Sample

    240526-vxlxtaef89

  • MD5

    a239a27c2169af388d4f5be6b52f272c

  • SHA1

    0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c

  • SHA256

    98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

  • SHA512

    f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da

  • SSDEEP

    48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.midhcodistribuciones.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ,A7}+JV4KExQ

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Exodus_Market

C2

leetboy.dynuddns.net:1339

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchos.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

remcos

Botnet

Remote

C2

leetboy.dynuddns.net:1998

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    svcs.exe

  • copy_folder

    microsofts

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    logsa

  • mouse_option

    false

  • mutex

    Rmc-3XK1S0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

LNKK

C2

leetboy.dynuddns.net:1338

Mutex

AsyncMutex_6h2caasdas2133sOkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

risepro

C2

118.194.235.187:50500

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Load_Man

C2

leetman.dynuddns.com:1337

Mutex

AsyncMutex_6SI8asdasd2casOkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

185.172.128.33:8970

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.midhcodistribuciones.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ,A7}+JV4KExQ

Extracted

Family

metasploit

Version

metasploit_stager

C2

129.159.151.146:3344

Extracted

Family

xworm

Version

5.0

C2

45.141.27.41:7000

45.141.26.119:1996

85.203.4.146:7000

Mutex

9ZF9ZsOZGh1T1r1n

Attributes
  • Install_directory

    %Public%

  • install_file

    csrss.exe

aes.plain
aes.plain
aes.plain

Targets

    • Target

      New Text Document.bin

    • Size

      4KB

    • MD5

      a239a27c2169af388d4f5be6b52f272c

    • SHA1

      0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c

    • SHA256

      98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

    • SHA512

      f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da

    • SSDEEP

      48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Detected google phishing page

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Modifies security service

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • XMRig Miner payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Async RAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies boot configuration data using bcdedit

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Contacts a large (648) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Possible privilege escalation attempt

    • Sets service image path in registry

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies system executable filetype association

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

12
T1112

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Virtualization/Sandbox Evasion

1
T1497

File and Directory Permissions Modification

1
T1222

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

10
T1012

Virtualization/Sandbox Evasion

1
T1497

Network Service Discovery

2
T1046

System Information Discovery

10
T1082

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

Peripheral Device Discovery

2
T1120

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Collection

Data from Local System

4
T1005

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

1
T1490

Service Stop

1
T1489

Defacement

1
T1491

Tasks

static1

Score
3/10

behavioral1

agentteslaasyncratmetasploitphorphiexprivateloaderredlineremcosriseproxworm@oleh_pspexodus_marketlnkkload_manremotebackdoorbootkitgooglediscoveryevasionexecutionexploitinfostealerkeyloggerloaderpersistencephishingransomwareratspywarestealerthemidatrojanupxvmprotectworm
Score
10/10

behavioral2

Score
1/10

behavioral3

agentteslaasyncratmetasploitphorphiexprivateloaderredlineriseproxmrigxworm@oleh_pspexodus_marketlnkkload_manbackdoorbootkitdiscoveryevasionexecutionexploitinfostealerkeyloggerloaderminerpersistenceratspywarestealerthemidatrojanupxvmprotectworm
Score
10/10

behavioral4

agentteslaasyncratmetasploitphorphiexprivateloaderredlineriseproxmrigxworm@oleh_pspexodus_marketlnkkload_manbackdoorbootkitdiscoveryevasionexecutionexploitinfostealerkeyloggerloaderminerpersistenceransomwareratspywarestealerthemidatrojanupxvmprotectworm
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10