General

  • Target

    bomb.zip

  • Size

    4KB

  • Sample

    240612-1m2s6svgrl

  • MD5

    5631d3a0074b6c93d537ca6974e518cd

  • SHA1

    b3141c9824cda0b4bd88af8dcc37389353b98817

  • SHA256

    79a68cdabfed0db4f35af981d8d44889d3124100bffcb1a7fb6473da67804394

  • SHA512

    6fd5927d1836325f4866f7e95528f1a4d4cecebd0cb66c1ccea29d8697691c5192d954af6052782ee8f38b4a930d885732f9032302f2aa88f1750fc47132c64c

  • SSDEEP

    96:ghMjbwQROK0RKz1Eu6SxB6JdysqDAbszKoddVesqFKg6WYof9w4AqOAPdc7x4K:L+R+16SxwdcDAbszxqmxoe4AqvPG

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.educa.co.jp
  • Port:
    587
  • Username:
    fumie@educa.co.jp
  • Password:
    Junnii11123

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp-box-01.iol.pt
  • Port:
    587
  • Username:
    carlotarente@iol.pt
  • Password:
    carlota

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.frontiernet.net
  • Port:
    587
  • Username:
    mjcoop@frontiernet.net
  • Password:
    Gcc010801!

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    ps.ksky.ne.jp
  • Port:
    587
  • Username:
    sekky@ps.ksky.ne.jp
  • Password:
    rhfl0603

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    aa.bb-east.ne.jp
  • Port:
    587
  • Username:
    yokokura@aa.bb-east.ne.jp
  • Password:
    cycy0327

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.doc-net.or.jp
  • Port:
    587
  • Username:
    trinity@doc-net.or.jp
  • Password:
    hirochik

Extracted

Family

risepro

C2

147.45.47.126:58709

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes

  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes

  • install_dir

    8254624243

  • install_file

    axplong.exe

  • strings_key

    90049e51fabf09df0d6748e0b271922e

  • url_paths

    /Kiru9gu/index.php

rc4.plain
1
a091ec0a6e22276a96a99c1d34ef679c

Extracted

Family

lumma

C2

https://notoriousdcellkw.shop/api

https://liabiliytshareodlkv.shop/api

https://conferencefreckewl.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://ohfantasyproclaiwlo.shop/api

https://parallelmercywksoffw.shop/api

https://barebrilliancedkoso.shop/api

Targets

    • Target

      bomb.zip

    • Size

      4KB

    • MD5

      5631d3a0074b6c93d537ca6974e518cd

    • SHA1

      b3141c9824cda0b4bd88af8dcc37389353b98817

    • SHA256

      79a68cdabfed0db4f35af981d8d44889d3124100bffcb1a7fb6473da67804394

    • SHA512

      6fd5927d1836325f4866f7e95528f1a4d4cecebd0cb66c1ccea29d8697691c5192d954af6052782ee8f38b4a930d885732f9032302f2aa88f1750fc47132c64c

    • SSDEEP

      96:ghMjbwQROK0RKz1Eu6SxB6JdysqDAbszKoddVesqFKg6WYof9w4AqOAPdc7x4K:L+R+16SxwdcDAbszxqmxoe4AqvPG

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies security service

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex (also spelled Phorpiex) is a malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Windows security bypass

    • XMRig Miner payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      bomb.exe

    • Size

      12KB

    • MD5

      55dba6e7aa4e8cc73415f4e3f9f6bdae

    • SHA1

      87c9f29d58f57a5e025061d389be2655ee879d5d

    • SHA256

      3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a

    • SHA512

      f2eb91e812b2ba58c4309fd44edadc8977367c7d9d6214d7e70a0392ae8427d570746ae57cca68dc260901f664f2e8c6c5387118ff01d243abeb5680abe2a352

    • SSDEEP

      192:vnpYaU28zxHdo4ZMgQl9q+4ua7HhdSbwxz1ULU87glpK/b26J4Uf1XXr5:vWZdoWMR96uaLhM6ULU870gJR

    Score
    1/10

MITRE ATT&CK Enterprise v15
