Overview
overview
10Static
static
34363463463...63.exe
windows7-x64
104363463463...63.exe
windows10-1703-x64
104363463463...63.exe
windows10-2004-x64
34363463463...63.exe
windows11-21h2-x64
10New Text D...od.exe
windows7-x64
10New Text D...od.exe
windows10-1703-x64
10New Text D...od.exe
windows10-2004-x64
10New Text D...od.exe
windows11-21h2-x64
10New Text D...od.exe
windows7-x64
10New Text D...od.exe
windows10-1703-x64
10New Text D...od.exe
windows10-2004-x64
10New Text D...od.exe
windows11-21h2-x64
1General
-
Target
Document Mod Malware.zip
-
Size
12KB
-
Sample
240707-zvllgsyaqp
-
MD5
d7271e018618f08b55c07521f5179ff1
-
SHA1
6bd4442b342ab5e012a8cad49fb5a19e2236cfc9
-
SHA256
b434527e3f55425dc624118395ee28b4725e81464863dfd15d175dd74fbd9a6a
-
SHA512
fc37e5922f89178a7716624a1f134472eea7b14dde88fc2895b2bafbe7877d8833ef0a34888dee6aece0f41ff96967a9cfd06bc0cdd8b42f0a9373ef3739270b
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJASHWgHWkp:efACW6DrPSHWgHWkp
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
4363463463464363463463463.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
4363463463464363463463463.exe
Resource
win11-20240704-en
Behavioral task
behavioral5
Sample
New Text Document mod.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
New Text Document mod.exe
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
New Text Document mod.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral8
Sample
New Text Document mod.exe
Resource
win11-20240704-en
Behavioral task
behavioral9
Sample
New Text Document mod.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
New Text Document mod.exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
New Text Document mod.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral12
Sample
New Text Document mod.exe
Resource
win11-20240508-en
Malware Config
Extracted
xworm
5.0
64.226.123.178:6098
1z0ENxCLSR3XRSre
-
install_file
USB.exe
Extracted
metasploit
windows/reverse_http
http://89.197.154.116:7810/O6Z_Oh2DCu_X-db4sYLFEg1hYXRf_R2oUsq-2FBCe7OY5fyzWx30F0mf2_tTjbnFbloJRApsw
Extracted
xworm
3.1
185.91.127.220:7000
0liuzqSbSYrrf5nM
-
install_file
USB.exe
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
5.0.5
Venom Clients
94.232.249.204:6660
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
redline
1
94.232.249.204:1912
Extracted
lumma
https://benchillppwo.shop/api
Extracted
C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Extracted
gcleaner
185.172.128.90
185.172.128.69
-
url_path
/advdlc.php
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Vidar Stealer
-
Detect Xehook Payload
-
Detect Xworm Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SectopRAT payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
XMRig Miner payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Meduza Stealer payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
StormKitty payload
-
Async RAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exse
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Meduza Stealer payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
StormKitty payload
-
Async RAT payload
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
3Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
3Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1