General
-
Target
bomb.zip
-
Size
4KB
-
Sample
240612-1m2s6svgrl
-
MD5
5631d3a0074b6c93d537ca6974e518cd
-
SHA1
b3141c9824cda0b4bd88af8dcc37389353b98817
-
SHA256
79a68cdabfed0db4f35af981d8d44889d3124100bffcb1a7fb6473da67804394
-
SHA512
6fd5927d1836325f4866f7e95528f1a4d4cecebd0cb66c1ccea29d8697691c5192d954af6052782ee8f38b4a930d885732f9032302f2aa88f1750fc47132c64c
-
SSDEEP
96:ghMjbwQROK0RKz1Eu6SxB6JdysqDAbszKoddVesqFKg6WYof9w4AqOAPdc7x4K:L+R+16SxwdcDAbszxqmxoe4AqvPG
Malware Config
Extracted
Protocol: smtp- Host:
mail.educa.co.jp - Port:
587 - Username:
[email protected] - Password:
Junnii11123
Extracted
Protocol: smtp- Host:
smtp-box-01.iol.pt - Port:
587 - Username:
[email protected] - Password:
carlota
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
Gcc010801!
Extracted
Protocol: smtp- Host:
ps.ksky.ne.jp - Port:
587 - Username:
[email protected] - Password:
rhfl0603
Extracted
Protocol: smtp- Host:
aa.bb-east.ne.jp - Port:
587 - Username:
[email protected] - Password:
cycy0327
Extracted
Protocol: smtp- Host:
mail.doc-net.or.jp - Port:
587 - Username:
[email protected] - Password:
hirochik
Extracted
risepro
147.45.47.126:58709
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
lumma
https://notoriousdcellkw.shop/api
https://liabiliytshareodlkv.shop/api
https://conferencefreckewl.shop/api
https://flourhishdiscovrw.shop/api
https://landdumpycolorwskfw.shop/api
https://ohfantasyproclaiwlo.shop/api
https://parallelmercywksoffw.shop/api
https://barebrilliancedkoso.shop/api
Targets
-
-
Target
bomb.zip
-
Size
4KB
-
MD5
5631d3a0074b6c93d537ca6974e518cd
-
SHA1
b3141c9824cda0b4bd88af8dcc37389353b98817
-
SHA256
79a68cdabfed0db4f35af981d8d44889d3124100bffcb1a7fb6473da67804394
-
SHA512
6fd5927d1836325f4866f7e95528f1a4d4cecebd0cb66c1ccea29d8697691c5192d954af6052782ee8f38b4a930d885732f9032302f2aa88f1750fc47132c64c
-
SSDEEP
96:ghMjbwQROK0RKz1Eu6SxB6JdysqDAbszKoddVesqFKg6WYof9w4AqOAPdc7x4K:L+R+16SxwdcDAbszxqmxoe4AqvPG
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies security service
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Windows security bypass
-
XMRig Miner payload
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Creates new service(s)
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
bomb.exe
-
Size
12KB
-
MD5
55dba6e7aa4e8cc73415f4e3f9f6bdae
-
SHA1
87c9f29d58f57a5e025061d389be2655ee879d5d
-
SHA256
3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
-
SHA512
f2eb91e812b2ba58c4309fd44edadc8977367c7d9d6214d7e70a0392ae8427d570746ae57cca68dc260901f664f2e8c6c5387118ff01d243abeb5680abe2a352
-
SSDEEP
192:vnpYaU28zxHdo4ZMgQl9q+4ua7HhdSbwxz1ULU87glpK/b26J4Uf1XXr5:vWZdoWMR96uaLhM6ULU870gJR
Score1/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
2