Overview

overview

10

Static

static

10

possible malware.zip

windows10-2004-x64

10

Resubmissions

12-06-2024 08:39

240612-kkjltawejn 10

13-04-2024 00:14

240413-ajfhnagf98 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    possible malware.zip

  • Size

    682.3MB

  • Sample

    240612-kkjltawejn

  • MD5

    ba06cb72b125a0a353b87008d95e86ca

  • SHA1

    9b4d7e2f1087ccbe73012c8237b0609f10576806

  • SHA256

    ba18ff142bae31457031ca49e772b10792ad3a5bdead90cb2c1d37e2a6c2fd59

  • SHA512

    3270783c7b42014ecfa3be771d675cffe75a0ba65cf7d4e0f5e1d61e65a4cee2c6f2e471c0e95ef23799c6a7b2eb7edbca8393d59353f4d6531099dd4def909e

  • SSDEEP

    12582912:Bo4WyWq2xPQ3JjlAd9hpopjS5j/5i7Pdst6n8+fLOzV0fPWc+afxK6kKuq:BoJqJ5Bs9hpop25bvTGLeVJc3xgdq

Score
10/10
anchordnsaridvipercobaltstrikecomratjupyternetwalkernjratrevengeratsandroratslothfulmediaspynotesunburstsupernovateardropzebrocy0guesthackedaspackv2backdoorcryptonedropperlinkmacromacro_on_actionpackerpdfpyinstallerransomwarestealertrojanupxvmprotect

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://webmail.lax.co.il/owa/auth/Current/Script/jquery-3.5.1.min.js

Extracted

Family

revengerat

Botnet

Guest

C2

voly.ddns.net:88

Mutex

RV_MUTEX-BUPRawrSNddXxdY

Extracted

Family

spynote

C2

voly.ddns.net:1988

Extracted

Family

sandrorat

C2

voly.ddns.net:1962

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

HacKed

C2

voly.ddns.net:81

Mutex

23e6d18d0fa7e25eb8844687c5ca5f5c

Attributes
  • reg_key

    23e6d18d0fa7e25eb8844687c5ca5f5c

  • splitter

    boolLove

Extracted

Family

cobaltstrike

Botnet

0

C2

http://summerevent.webhop.net:443/safebrowsing/rd/tnOztRgLx1ugKt8uumGcreRFm5CqXD9ge-zzz5sA6WzhC

Attributes
  • access_type

    512

  • beacon_type

    2048

  • crypto_scheme

    256

  • host

    summerevent.webhop.net,/safebrowsing/rd/tnOztRgLx1ugKt8uumGcreRFm5CqXD9ge-zzz5sA6WzhC

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAAAhQUkVGPUlEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAABJVPXNSdjg1VUhpakJycldpSHoAAAACAAAACFBSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    3840

  • maxdns

    247

  • polling_time

    6600

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmFvK6fWzx+zTnQqAkZAQv6Eqwme1a80cwMNtrYEJShrKKbgpTy71w5Zd9u7EdBClno3HF9U4/9/tkBRw6PPPRa+W6bgpf97I3/Y0z36I5E/h+UP8h076IkzaWyPHbS1QMOiE6AXC3rCERjgirkn1LKUs+Q+zj0LeN8/QHEq/ZqQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /safebrowsing/rd/r8l4jO3947jVxa5wBhEijGc0y77iX4oFy

  • user_agent

    Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0

  • watermark

    0

Extracted

Family

jupyter

Version

DR/1.4

C2

http://45.146.165.219

Extracted

Family

jupyter

Version

DR/1.0

C2

http://45.135.232.131

Targets

    • Target

      possible malware.zip

    • Size

      682.3MB

    • MD5

      ba06cb72b125a0a353b87008d95e86ca

    • SHA1

      9b4d7e2f1087ccbe73012c8237b0609f10576806

    • SHA256

      ba18ff142bae31457031ca49e772b10792ad3a5bdead90cb2c1d37e2a6c2fd59

    • SHA512

      3270783c7b42014ecfa3be771d675cffe75a0ba65cf7d4e0f5e1d61e65a4cee2c6f2e471c0e95ef23799c6a7b2eb7edbca8393d59353f4d6531099dd4def909e

    • SSDEEP

      12582912:Bo4WyWq2xPQ3JjlAd9hpopjS5j/5i7Pdst6n8+fLOzV0fPWc+afxK6kKuq:BoJqJ5Bs9hpop25bvTGLeVJc3xgdq

    Score
    10/10
    netwalkersupernovabackdoorcryptonepackerransomwaretrojanupx

    • Detected Netwalker Ransomware

      Detected unpacked Netwalker executable.

    • Detected SUPERNOVA .NET web shell

      SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and reponds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args).

      backdoor

    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

      ransomwarenetwalker

    • Supernova

      Supernova is a .NET web shell backdoor related to the SolarWinds breaches.

      trojanbackdoorsupernova

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1

MITRE ATT&CK Matrix

Tasks