General
-
Target
Setup.ZIP
-
Size
4KB
-
Sample
240603-xvjqsafd4s
-
MD5
8f09880436e2d5218370bdffe4430d77
-
SHA1
e9ec604b1cefa128d7b611d88b665f079dce2b24
-
SHA256
2e51701c2ae78af7f1ff4d2aed64148e19d138c36c4096cae67c638e642e054e
-
SHA512
7990c6a2efeed4bf57812434d79f0ef968e06a460f28cd23c407f8bbb2a0f84de17309c9acd02e97dc503bb25294f39ad877a69b1f1baddef4d54c0f3f783981
-
SSDEEP
96:pSfd8hcsTZKP1qiJn46vGM5sXkMVijOJ5hTmT+31+1J1p1nWWjRn0:cfdy8qg46vGMekeijOJrFQV0WjRn0
Static task
static1
Behavioral task
behavioral1
Sample
Setup.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Setup.zip
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Setup.zip
Resource
win10v2004-20240508-en
Malware Config
Extracted
http://94.103.188.126/jerry/putty.zip
Extracted
http://49.13.194.118/ADServices.exe
Extracted
phorphiex
http://185.215.113.66/
http://5.42.96.117/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv
rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb
48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw
bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
-
mutex
plo7udsa2s
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Extracted
redline
newbild
185.215.113.67:40960
Extracted
remcos
RemoteHost
oceansss.duckdns.org:1144
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
fgdghrd
-
mouse_option
false
-
mutex
Rmc-O8FLSY
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
stealc
default
http://147.45.47.150
-
url_path
/eb6f29c6a60b3865.php
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
Password: )NYyffR0 - Email To:
[email protected]
Extracted
systembc
204.137.14.135:443
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
147.45.47.126:58709
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
asyncrat
AsyncRAT
Fresh
pepecasas123.net:4608
AsyncMutex_5952
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
redline
@LOGSCLOUDYT_BOT
185.172.128.33:8970
Targets
-
-
Target
Setup.ZIP
-
Size
4KB
-
MD5
8f09880436e2d5218370bdffe4430d77
-
SHA1
e9ec604b1cefa128d7b611d88b665f079dce2b24
-
SHA256
2e51701c2ae78af7f1ff4d2aed64148e19d138c36c4096cae67c638e642e054e
-
SHA512
7990c6a2efeed4bf57812434d79f0ef968e06a460f28cd23c407f8bbb2a0f84de17309c9acd02e97dc503bb25294f39ad877a69b1f1baddef4d54c0f3f783981
-
SSDEEP
96:pSfd8hcsTZKP1qiJn46vGM5sXkMVijOJ5hTmT+31+1J1p1nWWjRn0:cfdy8qg46vGMekeijOJrFQV0WjRn0
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies security service
-
Phorphiex payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Modifies boot configuration data using bcdedit
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Contacts a large (721) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1