Resubmissions

02-09-2024 02:19

240902-crxs1syfmm 10

07-07-2024 21:02

240707-zvllgsyaqp 10

01-07-2024 21:37

240701-1gjemsverk 10

General

  • Target

    Document Mod Malware.zip

  • Size

    12KB

  • Sample

    240707-zvllgsyaqp

  • MD5

    d7271e018618f08b55c07521f5179ff1

  • SHA1

    6bd4442b342ab5e012a8cad49fb5a19e2236cfc9

  • SHA256

    b434527e3f55425dc624118395ee28b4725e81464863dfd15d175dd74fbd9a6a

  • SHA512

    fc37e5922f89178a7716624a1f134472eea7b14dde88fc2895b2bafbe7877d8833ef0a34888dee6aece0f41ff96967a9cfd06bc0cdd8b42f0a9373ef3739270b

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJASHWgHWkp:efACW6DrPSHWgHWkp

Malware Config

Extracted

Family

xworm

Version

5.0

C2

64.226.123.178:6098

Mutex

1z0ENxCLSR3XRSre

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://89.197.154.116:7810/O6Z_Oh2DCu_X-db4sYLFEg1hYXRf_R2oUsq-2FBCe7OY5fyzWx30F0mf2_tTjbnFbloJRApsw

Extracted

Family

xworm

Version

3.1

C2

185.91.127.220:7000

Mutex

0liuzqSbSYrrf5nM

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

94.232.249.204:6660

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

1

C2

94.232.249.204:1912

Extracted

Family

lumma

C2

https://benchillppwo.shop/api

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Family

gcleaner

C2

185.172.128.90

185.172.128.69

Attributes
  • url_path

    /advdlc.php

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Vidar Stealer

    • Detect Xehook Payload

    • Detect Xworm Payload

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Xehook stealer

      Xehook is an infostealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • XMRig Miner payload

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      New Text Document mod.exe

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      New Text Document mod.exse

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

metasploitrhadamanthyssectopratvidarxehookxmrigxwormbackdoorevasionexecutionminerpersistenceratstealertrojanupx
Score
10/10

behavioral2

dcratwannacrydefense_evasiondiscoveryinfostealerransomwareratworm
Score
10/10

behavioral3

Score
3/10

behavioral4

gcleanerloader
Score
10/10

behavioral5

asyncratmeduzaredlinestormkitty1defaultvenom clientscollectiondiscoveryinfostealerpersistenceprivilege_escalationratspywarestealerupx
Score
10/10

behavioral6

asyncratlummameduzaredlinestormkitty1defaultvenom clientscollectiondiscoveryinfostealerpersistenceprivilege_escalationratspywarestealerupx
Score
10/10

behavioral7

asyncratlummameduzaredlinestormkitty1defaultvenom clientscollectiondiscoveryinfostealerratspywarestealerupx
Score
10/10

behavioral8

asyncratmeduzaredlinestormkittyvenom clientscollectiondiscoveryinfostealerratspywarestealerupx
Score
10/10

behavioral9

asyncratmeduzaredlinestormkitty1defaultvenom clientscollectiondiscoveryinfostealerratspywarestealerupx
Score
10/10

behavioral10

asyncratlummameduzaredlinestormkitty1defaultvenom clientscollectiondiscoveryinfostealerpersistenceprivilege_escalationratspywarestealerupx
Score
10/10

behavioral11

asyncratlummameduzaredlinestormkitty1defaultvenom clientscollectiondiscoveryinfostealerpersistenceprivilege_escalationratspywarestealerupx
Score
10/10

behavioral12

Score
1/10