General

  • Target

    32x (2024-07-15).zip

  • Size

    20.2MB

  • Sample

    240731-meszeaxhqr

  • MD5

    05543d62dd8e652936165c212ca0980a

  • SHA1

    f0c13e272c06cc945891d3508e341c1b5550a8e9

  • SHA256

    bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf

  • SHA512

    3cae5f69d3a7beffcb357b668b00a2223d3e616eb29564ed978138c80d9245af3ef77d78a86365039e745d430dac6d8e0a75d683c38f45024a6c9193bebc70ee

  • SSDEEP

    393216:8rniuKDJ1KA/oaXpBbD3QRDqeyNrQ/MR50eaJ92Bc0bU4BVzjfBzGct9/ug5Hd3w:8rOJsA/dBb7Qg3rQ0Q0TUcBzj/ugNd3w

Malware Config

Extracted

Family

stealc

Botnet

hello

C2

http://85.28.47.70

Attributes
  • url_path

    /570d5d5e8678366c.php

Extracted

Family

xworm

C2

schools-copper.gl.at.ply.gg:14154

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276

Extracted

Family

redline

Botnet

6951125327

C2

https://t.me/+7Lir0e4Gw381MDhi

https://steamcommunity.com/profiles/76561199038841443

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

82.65.19.134:4443

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

agenttesla

Credentials

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~
>>>> Your data is encrypted... but dont freak out
If we encrypted you, you majorly fucked up. But... all can be saved
But not for free, we require an xmr payment
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption.
Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right?
If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment.
>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while
Links for Tor Browser:
http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser
http://group.goocasino.org
https://nullbulge.com
>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C6BD1B9F936CC3295
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bonnyriggdentalsurgery.com.au
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Sages101*

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.libreriagandhi.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    x6p2^m#1#~+O

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.149:2888

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7Q1GRN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.101

Attributes
  • url_path

    /f3ee98d7eec07fb9.php
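
The C2 addresses, Stealc gate paths and the Xworm Telegram endpoint extracted above are the indicators a responder would sweep proxy and DNS logs for. The Python below is an added example, not part of this report or of any of the families' code: it loads those indicators and runs them over a few constructed log lines in an assumed `timestamp src dst_host dst_port url` layout (the layout, the internal source IPs and the benign example.com line are made up for the example; the indicators are the ones listed in the configs above).

```python
"""Match the C2 indicators extracted in this report against proxy/DNS log lines."""
import re
from urllib.parse import urlsplit

# Hosts taken from the Malware Config section above.
C2_HOSTS = {
    "85.28.47.70": "stealc (botnet 'hello')",
    "85.28.47.101": "stealc (botnet 'default')",
    "schools-copper.gl.at.ply.gg": "xworm",
    "82.65.19.134": "asyncrat",
    "192.3.64.149": "remcos",
}
# Ports for the raw-TCP RATs; a hit on the host alone is still reported,
# but a different port is flagged so the analyst can see config drift.
C2_PORTS = {
    "schools-copper.gl.at.ply.gg": 14154,
    "82.65.19.134": 4443,
    "192.3.64.149": 2888,
}
# Stealc gate paths from the two url_path attributes.
C2_URL_PATHS = {
    "/570d5d5e8678366c.php": "stealc gate (85.28.47.70)",
    "/f3ee98d7eec07fb9.php": "stealc gate (85.28.47.101)",
}
# Numeric bot id from the Xworm telegram attribute; the secret half of the
# token can be regenerated by the operator, the bot id cannot.
TELEGRAM_BOT_ID = "6887301557"

# Constructed sample log (assumed layout, not from the report).
SAMPLE_LOG = """\
2024-07-31T10:01:02Z 10.0.0.12 85.28.47.70 80 http://85.28.47.70/570d5d5e8678366c.php
2024-07-31T10:01:05Z 10.0.0.12 api.telegram.org 443 https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276
2024-07-31T10:01:09Z 10.0.0.12 schools-copper.gl.at.ply.gg 14154 -
2024-07-31T10:02:00Z 10.0.0.33 www.example.com 443 https://www.example.com/
2024-07-31T10:02:30Z 10.0.0.33 192.3.64.149 2888 -
"""


def classify(line):
    """Return a label for one log line if it touches an indicator, else None."""
    fields = line.split()
    if len(fields) < 5:
        return None
    _ts, _src, host, port, url = fields[:5]
    if host in C2_HOSTS:
        label = C2_HOSTS[host]
        expected = C2_PORTS.get(host)
        if expected is not None and port != str(expected):
            label += f" (unexpected port {port})"
        return label
    if url != "-":
        parts = urlsplit(url)
        if parts.path in C2_URL_PATHS:
            return C2_URL_PATHS[parts.path]
        # api.telegram.org is legitimate traffic; only this bot is an indicator.
        if parts.hostname == "api.telegram.org" and re.match(rf"/bot{TELEGRAM_BOT_ID}:", parts.path):
            return "xworm telegram exfil"
    return None


def scan(log_text):
    """Return (source_ip, label) for every line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            hits.append((line.split()[1], label))
    return hits


if __name__ == "__main__":
    for src, label in scan(SAMPLE_LOG):
        print(f"{src}: {label}")
```

Two caveats when turning this into a production rule. `schools-copper.gl.at.ply.gg` is a hostname on a public tunnelling service, so match the full hostname rather than the parent domain or you will alert on unrelated tunnels. The two Stealc gates sit in the same /24 (85.28.47.70 and 85.28.47.101); that is a pivot worth checking in your own logs, not a reason to block the whole range without confirming the hosting.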

Targets

    • Target

      1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe

    • Size

      678KB

    • MD5

      c229261d7e8c8524dd25f7bc58edddf8

    • SHA1

      781d106f3aa60c392f039968ae45c53f78890871

    • SHA256

      0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd

    • SHA512

      be05a39499b86bfcb30725fd277502f026b29b205bb657d8303b55d9b8e0ae6d4bfb507153d77229871df32d4608a5b8b3bdb1e783f12db2541e48a73fd2891c

    • SSDEEP

      12288:8S2iNbczDLej8zhAA3Crp4mIjYBTBIE5Vmmah9di01DRzqICQlzCDmXPIPe:8S1ZcXh9IuMZBIEHlg9s01D71lzCDmXS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET).

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe

    • Size

      1.3MB

    • MD5

      73d006e33d8eda033e684c07b15c53ad

    • SHA1

      e3e0a09b37beee1e19d5a6b9fd5322f906f4493d

    • SHA256

      0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160

    • SHA512

      1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db

    • SSDEEP

      24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Suspicious use of SetThreadContext

    • Target

      1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe

    • Size

      161KB

    • MD5

      855da30648c0d4f4e2497470ece750bf

    • SHA1

      4f45dae1b578ddd47a0d62b59e5fbc9a4f11e58a

    • SHA256

      08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65

    • SHA512

      948b66613c1e494e445a8fb7eff553345385ca0cd468c500397ea7c3bd02bc6163930759b057f98c9245c118205e0166023fee4e13135ef677947619d184d393

    • SSDEEP

      3072:/9gyPX977bb+Vnh9N47rL74qBlslaubyAWEktPZsZ:/yMZPb+Vnh9CLtkauehEkf

    • Stealc

      Stealc is an infostealer written in C++.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe

    • Size

      389KB

    • MD5

      35a50d146a389289bf8cf8ae60c9e785

    • SHA1

      eb94502d25789eb86dc160c2bc9be4b4a64131bd

    • SHA256

      0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791

    • SHA512

      9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada

    • SSDEEP

      6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO

    • Stealc

      Stealc is an infostealer written in C++.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

    • Size

      146KB

    • MD5

      2357ecbcf3b566c76c839daf7ecf2681

    • SHA1

      89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

    • SHA256

      0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

    • SHA512

      bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

    • SSDEEP

      3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

    • Renames multiple (617) files with added filename extension

      This suggests ransomware activity: encrypting files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe

    • Size

      1.0MB

    • MD5

      631e3c5465349fdfd6fc2fbe9c15cf65

    • SHA1

      af9e5b3d8ca4b6c64b69876b9cad6a18476f0168

    • SHA256

      25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f

    • SHA512

      31c6c58a5ec3d26e67a20f46df689fcfe69e90dffeaa36183630cc2cfa20d7fc07e19efe551f65f9606e435e26e2daf50b2275ee4b1cd7ab6b3641bef1552b93

    • SSDEEP

      24576:GAHnh+eWsN3skA4RV1Hom2KXMmHasvktOpBS5:hh+ZkldoPK8Yasvkt+2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET).

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe

    • Size

      338KB

    • MD5

      6f1e400bcf79c773832b3ca2aab94d3d

    • SHA1

      8a1724e7f0df1b8bb22413751908b76f72498121

    • SHA256

      2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c

    • SHA512

      2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a

    • SSDEEP

      6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe

    • Size

      338KB

    • MD5

      d5ad720fa67bbce2d11544ad3c211424

    • SHA1

      e9f63402b2eaabbdcc6cb5ec95e328f9620cd170

    • SHA256

      2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e

    • SHA512

      d8a8ae60abec80b7cfd7c9b9bc19d2f2594d1ecee0a28cf9a2f545afc7ef0ee59ca7a073edb8415f006662ed2095f9f3c190abed5023b81e094724c04ba153c6

    • SSDEEP

      6144:RY1jkmalKcYdvkMEdRE29UHYOhQWr3y/7qpKfQmhapjXFISRn2di8bEO:RcEKc+kMcI+IKImcFISAi8bEO

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe

    • Size

      3.3MB

    • MD5

      7cdff219ccaaa4c4d67448e9e812f2de

    • SHA1

      a063103f177df84c90f0054d0f2adcae6f1885af

    • SHA256

      39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82

    • SHA512

      5986b98ac4ff98da5188b8d5ee53400a4a3bd7dfe3de70471b090c3c3d751f550f7ebd3757554e5976b069c1da1cc1cb69808504ac97987ae42e5152f72408e5

    • SSDEEP

      49152:/5dVwPaFHTTgkAAn2IQ39y9rRF8v72yEh72yEE72yE72y5:RdW4lQw5RF8T

    • Babylon RAT

      Babylon RAT is a remote access trojan written in C++.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Suspicious use of SetThreadContext

    • Target

      1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe

    • Size

      487KB

    • MD5

      f451292bbe0b4c16d244c251105de16a

    • SHA1

      a527d277ccc25ad97ae64fb76767f1e2cda66ff2

    • SHA256

      3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a

    • SHA512

      d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a

    • SSDEEP

      6144:MNDD+bHpEiGXQ4rnc+UI73whSk7MIhWI3tf5Jx/R7ZCe7w4uoVLdaPYZHuW31bZ+:MNncp0jUI73F0DhHbbzCMwI11b

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe

    • Size

      731KB

    • MD5

      bd1050f3642d22733a30cd101f591713

    • SHA1

      5a6553bea21e2df2307ed5c843072bcb023566be

    • SHA256

      3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

    • SHA512

      6cc19b1df105d9f4e76c39f7be79c9a5a42fdb338a8b56b1d16e1343221e36552344fc30aa8c2bf4d48781694a412dcddb5858a36c643706bc778b0b8cc59883

    • SSDEEP

      12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET).

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe

    • Size

      109KB

    • MD5

      2da5e6b97759d3537cbd23e9fdb2b770

    • SHA1

      cabbf38051fa6657e28a12dee92042e44d8b72cb

    • SHA256

      4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5

    • SHA512

      7ea710ed16326bd0841f403c9db260a20dfec5f22fe2fd85970d51764e612c4a495a7c9abec6999dc8e1a7134656a4d65994c8f4cc138bb353b43a7be9b1698b

    • SSDEEP

      1536:jr7WmLwJll8imS4qZyNRMCuCDGSLf0Rc/cVjpnrRWKkystINby+xXm8lMwGHG6w:jmdyGSLfIFtnrRKysYyMWvpm6w

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

    • Size

      1.2MB

    • MD5

      dd831eb4a822421a497990d84a0fd578

    • SHA1

      aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b

    • SHA256

      4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95

    • SHA512

      5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e

    • SSDEEP

      24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Target

      1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe

    • Size

      719KB

    • MD5

      a7d3bd55656bdc04c270315d083b59c1

    • SHA1

      a76453791867e4aaf4cd0551b70e52ced80b3fab

    • SHA256

      5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33

    • SHA512

      9233bbbbaed1bafaa296ae332713d0374594443dea06df83ebc9934ae0341ac7366a91c47cdd9b0877313ad1bbbf9b747f34e7cf75a1a21816463791cfdea861

    • SSDEEP

      12288:wY2iNiw9WMA4snu2lpaSgsDLRK8RP8dSWhdWyGLiOkV2IPePH:wY1UnH4olpaSgsDlK2PKSWnWyqiJ2q

    Score
    5/10
    • Suspicious use of SetThreadContext

    • Target

      1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe

    • Size

      765KB

    • MD5

      a8e583583122cff4ea57a3062bb4aa3f

    • SHA1

      b4a4bee8dbc966624f43273a500aa0ec1bbf1790

    • SHA256

      68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4

    • SHA512

      3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91

    • SSDEEP

      12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe

    • Size

      2.1MB

    • MD5

      ab6ca8e3d0c7967c6372a96334e6bb19

    • SHA1

      58a2142787ffae164d4c78d97102ff652fecfc86

    • SHA256

      6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5

    • SHA512

      a50b4935510a1e6a7100b8eaed8301c8436138960c0932e54d7b59e79da3a0e60b702ccde2388b9c2d6f70d1cff8143bb055e0382b7af6d9788f498f2773c445

    • SSDEEP

      49152:6aUQl+AM2inT6xlAT78y5hIl8JZ7a07xznKMj5RyXE1ID1u17:nLIAM2uumTIft+xznKMj58aIxu17

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
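
Three of the targets above (the two Agent Tesla samples and the Xworm sample) carry the "Command and Scripting Interpreter: PowerShell" signature for adding Windows Defender exclusions. The Python below is an added example, not from this report or from the malware: it runs a few regexes over constructed log records in an assumed `EventID|Source|Message` layout, loosely modelled on PowerShell script-block logging (event 4104) and the Defender configuration-change event (5007). The sample records, including the `svchost.exe` process exclusion that borrows the Xworm install_file name, are made up for the example.

```python
"""Flag Defender-exclusion tampering in PowerShell script-block and Defender log records."""
import re

# Add-MpPreference / Set-MpPreference followed by any -Exclusion* parameter.
# PowerShell accepts abbreviated parameter names, so match on the prefix.
CMDLET_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\n]*?-Exclusion\w*",
    re.IGNORECASE,
)
# Registry key written when an exclusion is added; Defender reports it in event 5007.
REG_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?)(?:\s|$)",
    re.IGNORECASE,
)
# Switches that usually travel with exclusion tampering in the same script.
DISABLE_RE = re.compile(
    r"-Disable(?:RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)\s+\$?true",
    re.IGNORECASE,
)

# Constructed sample records (assumed "EventID|Source|Message" layout, not from the report).
SAMPLE_EVENTS = """\
4104|PowerShell|Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming" -ExclusionExtension ".exe"
4104|PowerShell|Set-MpPreference -DisableRealtimeMonitoring $true
5007|Windows Defender|Microsoft Defender Antivirus Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\svchost.exe = 0x0
4104|PowerShell|Get-MpPreference | Select-Object ExclusionPath
4104|PowerShell|Get-ChildItem C:\\Temp
"""


def detect(record):
    """Return a finding for one record, or None for benign activity."""
    event_id, _source, message = record.split("|", 2)
    if event_id == "4104":
        if CMDLET_RE.search(message):
            return {"event": 4104, "kind": "exclusion-added", "evidence": message.strip()}
        if DISABLE_RE.search(message):
            return {"event": 4104, "kind": "protection-disabled", "evidence": message.strip()}
    elif event_id == "5007":
        m = REG_RE.search(message)
        if m:
            # Normalise the category so Paths/Extensions/Processes can be counted separately.
            return {"event": 5007, "kind": f"exclusion-{m.group(1).lower()}", "evidence": m.group(2)}
    return None


def scan(events_text):
    """Run detect() over every non-empty record and keep the findings."""
    findings = []
    for record in events_text.splitlines():
        if not record.strip():
            continue
        finding = detect(record)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['event']} {f['kind']}: {f['evidence']}")
```

Pairing the two sources matters: script-block logging can be absent or truncated, while event 5007 is written by Defender itself whenever an exclusion lands, so the registry-path match catches the change even when the command that caused it was never logged. Read-only cmdlets such as `Get-MpPreference` do not match, which keeps administrators' audits out of the alert stream.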

MITRE ATT&CK Enterprise v15

Tasks

static1

hello 6951125327 rat default stealc lockbit xworm redline asyncrat
Score
10/10

behavioral1

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
Score
10/10

behavioral2

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
Score
10/10

behavioral3

remcos remotehost discovery rat
Score
10/10

behavioral4

discovery
Score
3/10

behavioral5

stealc hello credential_access discovery spyware stealer
Score
10/10

behavioral6

stealc hello credential_access discovery spyware stealer
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

stealc default credential_access discovery spyware stealer
Score
10/10

behavioral9

defense_evasion discovery ransomware spyware stealer
Score
10/10

behavioral10

defense_evasion discovery ransomware spyware stealer
Score
10/10

behavioral11

agenttesla credential_access discovery keylogger spyware stealer trojan
Score
10/10

behavioral12

agenttesla credential_access discovery keylogger spyware stealer trojan
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

redline 6951125327 credential_access discovery infostealer spyware stealer
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

redline 6951125327 credential_access discovery infostealer spyware stealer
Score
10/10

behavioral17

babylonrat discovery trojan upx
Score
10/10

behavioral18

babylonrat discovery trojan upx
Score
10/10

behavioral19

xworm execution persistence rat trojan
Score
10/10

behavioral20

xworm execution persistence rat trojan
Score
10/10

behavioral21

agenttesla credential_access discovery execution keylogger spyware stealer trojan
Score
10/10

behavioral22

agenttesla credential_access discovery execution keylogger spyware stealer trojan
Score
10/10

behavioral23

redline 6951125327 discovery infostealer
Score
10/10

behavioral24

redline 6951125327 credential_access discovery infostealer spyware stealer
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
7/10

behavioral27

discovery
Score
5/10

behavioral28

discovery
Score
5/10

behavioral29

discovery
Score
3/10

behavioral30

redline 6951125327 credential_access discovery infostealer spyware stealer
Score
10/10

behavioral31

discovery persistence
Score
7/10

behavioral32

discovery persistence
Score
7/10