Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

General

  • Target

    silly.zip

  • Size

    20.2MB

  • Sample

    240806-pmc92ashlh

  • MD5

    e6223205e5424612c074648b87487e31

  • SHA1

    25d6ce1b0c91a5cdd1a5127537dce9c68c008a95

  • SHA256

    3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

  • SHA512

    9d6561386ff20c51eab8c3579a5fa64dba38914912ee41f4b00e0f322935c082f48320b6e1d5f96e1ab67c04c5736cda9ea1b874a9d5e34fa876b1b64dd2f3e6

  • SSDEEP

    393216:OuLfnQ/LwLbzfsnoUH46mHGquJZgh98gTOm7RGP4x11QtD2s:nLfYLYHsnbl6vnObEI6s

Malware Config

Extracted

Family

stealc

Botnet

hello

C2

http://85.28.47.70

Attributes
  • url_path

    /570d5d5e8678366c.php

Extracted

Family

xworm

C2

schools-copper.gl.at.ply.gg:14154

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276

Extracted

Family

redline

Botnet

6951125327

C2

https://t.me/+7Lir0e4Gw381MDhi

https://steamcommunity.com/profiles/76561199038841443

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

82.65.19.134:4443

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

agenttesla

Credentials

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.149:2888

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7Q1GRN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy


Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~
>>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment
>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment.
>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com
>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C73B3FA82B7C052F2
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~
>>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment
>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment.
>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com
>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3CD34CA2D20830EAAB
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Targets

    • Target

      1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe

    • Size

      678KB

    • MD5

      c229261d7e8c8524dd25f7bc58edddf8

    • SHA1

      781d106f3aa60c392f039968ae45c53f78890871

    • SHA256

      0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd

    • SHA512

      be05a39499b86bfcb30725fd277502f026b29b205bb657d8303b55d9b8e0ae6d4bfb507153d77229871df32d4608a5b8b3bdb1e783f12db2541e48a73fd2891c

    • SSDEEP

      12288:8S2iNbczDLej8zhAA3Crp4mIjYBTBIE5Vmmah9di01DRzqICQlzCDmXPIPe:8S1ZcXh9IuMZBIEHlg9s01D71lzCDmXS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe

    • Size

      1.3MB

    • MD5

      73d006e33d8eda033e684c07b15c53ad

    • SHA1

      e3e0a09b37beee1e19d5a6b9fd5322f906f4493d

    • SHA256

      0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160

    • SHA512

      1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db

    • SSDEEP

      24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Suspicious use of SetThreadContext

    • Target

      1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe

    • Size

      161KB

    • MD5

      855da30648c0d4f4e2497470ece750bf

    • SHA1

      4f45dae1b578ddd47a0d62b59e5fbc9a4f11e58a

    • SHA256

      08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65

    • SHA512

      948b66613c1e494e445a8fb7eff553345385ca0cd468c500397ea7c3bd02bc6163930759b057f98c9245c118205e0166023fee4e13135ef677947619d184d393

    • SSDEEP

      3072:/9gyPX977bb+Vnh9N47rL74qBlslaubyAWEktPZsZ:/yMZPb+Vnh9CLtkauehEkf

    • Target

      1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe

    • Size

      389KB

    • MD5

      35a50d146a389289bf8cf8ae60c9e785

    • SHA1

      eb94502d25789eb86dc160c2bc9be4b4a64131bd

    • SHA256

      0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791

    • SHA512

      9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada

    • SSDEEP

      6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO

    Score
    3/10
    • Target

      1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

    • Size

      146KB

    • MD5

      2357ecbcf3b566c76c839daf7ecf2681

    • SHA1

      89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

    • SHA256

      0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

    • SHA512

      bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

    • SSDEEP

      3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

    • Renames multiple (323) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe

    • Size

      1.0MB

    • MD5

      631e3c5465349fdfd6fc2fbe9c15cf65

    • SHA1

      af9e5b3d8ca4b6c64b69876b9cad6a18476f0168

    • SHA256

      25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f

    • SHA512

      31c6c58a5ec3d26e67a20f46df689fcfe69e90dffeaa36183630cc2cfa20d7fc07e19efe551f65f9606e435e26e2daf50b2275ee4b1cd7ab6b3641bef1552b93

    • SSDEEP

      24576:GAHnh+eWsN3skA4RV1Hom2KXMmHasvktOpBS5:hh+ZkldoPK8Yasvkt+2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe

    • Size

      338KB

    • MD5

      6f1e400bcf79c773832b3ca2aab94d3d

    • SHA1

      8a1724e7f0df1b8bb22413751908b76f72498121

    • SHA256

      2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c

    • SHA512

      2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a

    • SSDEEP

      6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO

    Score
    3/10
    • Target

      1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe

    • Size

      338KB

    • MD5

      d5ad720fa67bbce2d11544ad3c211424

    • SHA1

      e9f63402b2eaabbdcc6cb5ec95e328f9620cd170

    • SHA256

      2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e

    • SHA512

      d8a8ae60abec80b7cfd7c9b9bc19d2f2594d1ecee0a28cf9a2f545afc7ef0ee59ca7a073edb8415f006662ed2095f9f3c190abed5023b81e094724c04ba153c6

    • SSDEEP

      6144:RY1jkmalKcYdvkMEdRE29UHYOhQWr3y/7qpKfQmhapjXFISRn2di8bEO:RcEKc+kMcI+IKImcFISAi8bEO

    Score
    3/10
    • Target

      1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe

    • Size

      3.3MB

    • MD5

      7cdff219ccaaa4c4d67448e9e812f2de

    • SHA1

      a063103f177df84c90f0054d0f2adcae6f1885af

    • SHA256

      39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82

    • SHA512

      5986b98ac4ff98da5188b8d5ee53400a4a3bd7dfe3de70471b090c3c3d751f550f7ebd3757554e5976b069c1da1cc1cb69808504ac97987ae42e5152f72408e5

    • SSDEEP

      49152:/5dVwPaFHTTgkAAn2IQ39y9rRF8v72yEh72yEE72yE72y5:RdW4lQw5RF8T

    • Babylon RAT

      Babylon RAT is a remote access trojan written in C++.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

    • Target

      1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe

    • Size

      487KB

    • MD5

      f451292bbe0b4c16d244c251105de16a

    • SHA1

      a527d277ccc25ad97ae64fb76767f1e2cda66ff2

    • SHA256

      3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a

    • SHA512

      d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a

    • SSDEEP

      6144:MNDD+bHpEiGXQ4rnc+UI73whSk7MIhWI3tf5Jx/R7ZCe7w4uoVLdaPYZHuW31bZ+:MNncp0jUI73F0DhHbbzCMwI11b

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe

    • Size

      731KB

    • MD5

      bd1050f3642d22733a30cd101f591713

    • SHA1

      5a6553bea21e2df2307ed5c843072bcb023566be

    • SHA256

      3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

    • SHA512

      6cc19b1df105d9f4e76c39f7be79c9a5a42fdb338a8b56b1d16e1343221e36552344fc30aa8c2bf4d48781694a412dcddb5858a36c643706bc778b0b8cc59883

    • SSDEEP

      12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe

    • Size

      109KB

    • MD5

      2da5e6b97759d3537cbd23e9fdb2b770

    • SHA1

      cabbf38051fa6657e28a12dee92042e44d8b72cb

    • SHA256

      4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5

    • SHA512

      7ea710ed16326bd0841f403c9db260a20dfec5f22fe2fd85970d51764e612c4a495a7c9abec6999dc8e1a7134656a4d65994c8f4cc138bb353b43a7be9b1698b

    • SSDEEP

      1536:jr7WmLwJll8imS4qZyNRMCuCDGSLf0Rc/cVjpnrRWKkystINby+xXm8lMwGHG6w:jmdyGSLfIFtnrRKysYyMWvpm6w

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

    • Size

      1.2MB

    • MD5

      dd831eb4a822421a497990d84a0fd578

    • SHA1

      aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b

    • SHA256

      4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95

    • SHA512

      5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e

    • SSDEEP

      24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Target

      1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe

    • Size

      719KB

    • MD5

      a7d3bd55656bdc04c270315d083b59c1

    • SHA1

      a76453791867e4aaf4cd0551b70e52ced80b3fab

    • SHA256

      5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33

    • SHA512

      9233bbbbaed1bafaa296ae332713d0374594443dea06df83ebc9934ae0341ac7366a91c47cdd9b0877313ad1bbbf9b747f34e7cf75a1a21816463791cfdea861

    • SSDEEP

      12288:wY2iNiw9WMA4snu2lpaSgsDLRK8RP8dSWhdWyGLiOkV2IPePH:wY1UnH4olpaSgsDlK2PKSWnWyqiJ2q

    Score
    5/10
    • Suspicious use of SetThreadContext

    • Target

      1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe

    • Size

      765KB

    • MD5

      a8e583583122cff4ea57a3062bb4aa3f

    • SHA1

      b4a4bee8dbc966624f43273a500aa0ec1bbf1790

    • SHA256

      68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4

    • SHA512

      3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91

    • SSDEEP

      12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE

    Score
    3/10
    • Target

      1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe

    • Size

      2.1MB

    • MD5

      ab6ca8e3d0c7967c6372a96334e6bb19

    • SHA1

      58a2142787ffae164d4c78d97102ff652fecfc86

    • SHA256

      6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5

    • SHA512

      a50b4935510a1e6a7100b8eaed8301c8436138960c0932e54d7b59e79da3a0e60b702ccde2388b9c2d6f70d1cff8143bb055e0382b7af6d9788f498f2773c445

    • SSDEEP

      49152:6aUQl+AM2inT6xlAT78y5hIl8JZ7a07xznKMj5RyXE1ID1u17:nLIAM2uumTIft+xznKMj58aIxu17

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1/7021c9cba6c224272f01d04450c6c31c93857a21feacfa4295a878a4d7b04378.exe

    • Size

      45KB

    • MD5

      40d4750c85941ad0d82953d2804cc44b

    • SHA1

      7df06a6ddef2b5a9bf627eec731420f72709d470

    • SHA256

      7021c9cba6c224272f01d04450c6c31c93857a21feacfa4295a878a4d7b04378

    • SHA512

      1f6206c82c01278a73c34cdb25027a822b4330629b5ff3c6da08b1102881a5adae99fd06aa1c3963a7c3a7a9321e450f57b3f789b023d9bb296005ef79315f98

    • SSDEEP

      768:0uwCfTg46YbWUn8jjmo2qrrO5QyJ4PiNjPISzjbwgX3iRFwP+01tUbcRBDZqx:0uwCfTgp/2AO52iKS3b3XSRFwP+012bn

    • AsyncRat

      AsyncRAT is a tool for remotely monitoring and controlling other computers, written in C#.

    • Target

      1/752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060.exe

    • Size

      2.2MB

    • MD5

      d35a5aff7f4b4a1d20e1495732c5ca6d

    • SHA1

      0573b56a43102c893a2a6c0ef61b870b575aeb97

    • SHA256

      752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060

    • SHA512

      c49d69553aa6287cc50b2d1e94b2a56cddc8882a44dcf832ae9f93e2972d44908141da776b44569f84ed85aee187ad06fe19a0a2af8c2bc425d6146e75816f4e

    • SSDEEP

      12288:In7kekBhy2rOJFoqTrlSwkm9mQ90zsx2Hgum4Ff8jbvTfI3:FU2cTTX9990Qx2bFFfGbvzI3

    • UAC bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      1/7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c.exe

    • Size

      337KB

    • MD5

      1aae19c81605bf0a5851e42e3574a83c

    • SHA1

      ba91bcc371d24ba57458ba4a2aa82bc83447a129

    • SHA256

      7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c

    • SHA512

      8bcf76009e5503c598e2080dcfa9fb1e74783786dfc028ee4cbb066d79d2f4b22c9df962b6d89ea4429e23bccb9641574af3b03bc556d250295c236154b9dbc5

    • SSDEEP

      3072:3i2YQ2pbPh1mJ8XrMg8Nwrppwbg0z3TH:38Q2pbJcJz/2Mgq3T

    • Target

      1/97d29ffc3556069c807b5c0ae2e2b109ae329feafc912d64f8b7f437bea47d84.exe

    • Size

      778KB

    • MD5

      2ad173552c56070abfeaf09f29b60269

    • SHA1

      5bd937b54ee178da4928d489108dfa5638fd62af

    • SHA256

      97d29ffc3556069c807b5c0ae2e2b109ae329feafc912d64f8b7f437bea47d84

    • SHA512

      a9cac300ade317a8f7b32c464ad2480fc6310bdc5bfad7d1e39daf959ee5052a6268cac2f1f28b98536146cd616a4b9d18225ab57fad18042f15be10a33c8a29

    • SSDEEP

      12288:oLDlvpu2GkClIuRj26OQ4qAwWAMxB6PzNm0E7UHPkRdDTVVZ+ApP4C:EGkCxg6ONqvfzNm0EG8BxF4C

    • Target

      1/a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe

    • Size

      1.2MB

    • MD5

      81d3df03a7bfb9112626bdcedae6df90

    • SHA1

      ba206887aa11de8e1b405e5a18bd04568e2b5693

    • SHA256

      a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03

    • SHA512

      7580b5dd5452afba147417685bf9d42816c7f32af9496e4f8dec519c0abbb9578206a5e432c1b884abaa0b9870c198b8d0c7d109b43590d95ea855bff6a59a13

    • SSDEEP

      24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aLS2Sbly7TWEPje:ETvC/MTQYxsWR7aLS2dW

    Score
    3/10
    • Target

      1/ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe

    • Size

      5.7MB

    • MD5

      40a22356fd06bc9a4fd4ddedf5286666

    • SHA1

      32ee28a964557f6e1effd28ed8c91328e7698e23

    • SHA256

      ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474

    • SHA512

      d67256c51af065f58e7d037387cba7fdde6b55b0e10f24572bb039033a406450b079d32e62450570202305ffee2991b9c6fc74ce72bae48217c984c9cbcfeb97

    • SSDEEP

      98304:NLIAMmuuNkfUo2EwVPBh4i02bt+xznOywv+r4oYIxu1i2e56SM2F9jE37HethOKd:WyNkfr29VPBhh0p5ngve4lIQe5UM9jqK

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1/b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6.exe

    • Size

      808KB

    • MD5

      4ac882ebdbc1431cdd3ab45e1712ada1

    • SHA1

      b871304fd060b700fd66ce0c87014ec955d12979

    • SHA256

      b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6

    • SHA512

      f3ff8d00849289436b723bc48c14113e51b583955d7f69870458d7b7d72ba214ad531d601a950b247f43325a610fd15cd6584008fd842a29c1dd0804ee2e6f98

    • SSDEEP

      24576:65MOrT+F0sIE9JqsC6mVFyCsffzMS6pcsP9Qtce0TBs/lPsoCyEbDb7Br5oANn90:+bjnS

    Score
    8/10
    • Target

      1/b2a1d168dc4234e687d0969b6a1901ac7e69c0d4bb72a1a4c76ba67fa6a14f9d.bat

    • Size

      2KB

    • MD5

      1f6a683461594803fd6dc17f376ca209

    • SHA1

      82d0627379b0ff73279122bcf2d40db15eb83483

    • SHA256

      b2a1d168dc4234e687d0969b6a1901ac7e69c0d4bb72a1a4c76ba67fa6a14f9d

    • SHA512

      ceb192ba7afbd9c7308098abff5f83e824ca0d28c9077271abf6e048cc0f161d0db798fba5463d5598f1428e0505fa1a9dd0ae81e74f91abb8873c7693a7cc49

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Target

      1/bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd.exe

    • Size

      759KB

    • MD5

      3da3fb16927c47114ad0bb865c08467c

    • SHA1

      b1d7037b0347bd9c8c215270166b0bcd46b8f8eb

    • SHA256

      bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd

    • SHA512

      7aa677f24ef99ca32ad114fe8b95a444716b37a27f40e67b76abeb124d6e0364206a1e2fa373f3792b4684fae479a66d9653d30e5bdfecf8889cbf70aa6e71ab

    • SSDEEP

      12288:reUDWx2PQf9TtNBY2JgD9WFtJ0m1+Xeb4/E5xdHKcWA6H4J2jqo/ZoM7+SdvKWny:rzawM9TJY3MbJ1gXRUzHKJNH4wnxotc4

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      1/c8e5a24a6d2fa68d7976457a19576b381e6211202500af5280b0f3b256446bf5.bat

    • Size

      2KB

    • MD5

      5617370486b7ded0ad8cf5ca9fc69e06

    • SHA1

      3baa1dab061a9cb6a329dc72e3e35fa3829341fa

    • SHA256

      c8e5a24a6d2fa68d7976457a19576b381e6211202500af5280b0f3b256446bf5

    • SHA512

      a4a5d99cf5d1b3bed3819f24d297f5283107880d5c51010a11aed2d5f4545d9f52c648fcbc3f6d884f71d1cc1217a67dbae722cfc36baa65d4ca0e0948163772

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Target

      1/c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97.exe

    • Size

      541KB

    • MD5

      fc55407cc82612103c5971dca1837d6b

    • SHA1

      01efa90009900c64c846b7ac716dea3c5f97c4e8

    • SHA256

      c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97

    • SHA512

      08edfa8f06459ae170ea444664776e57836bd6142721d8df663776051c8c6dab98f7c8902848ed08e4311a858d95eb38d0df13208f8e0144a2fa9fa1a90c0240

    • SSDEEP

      12288:WDkS/CNT9fM913qbLd+cUQj5X7JPKmdE9s4Jr:WDEc9tqb5akVPHE93N

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      1/d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe

    • Size

      691KB

    • MD5

      c2ae4fdb661a151be4876289ed7f8261

    • SHA1

      f8fbb8b8ddb55aacc20449ff2bd5d671e4cbb9fa

    • SHA256

      d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0

    • SHA512

      2642eac12e6a42fbd503621871802da278e0c68a4678675ddbe71f66d7a2b7d0ed8a22640c13d153ea63bcb33f7f13ae32eaa3e444fc451c64a1839d8cc91c89

    • SSDEEP

      12288:luCDWx2PQfnESfZ0nl+xD4u1JW31MlxwXY5oMY3tQMmVHMe3+L4Ull0l8fkR:/awMnESR0nl+Z9OSXwXuoaVse3+sCie6

    • Formbook

      Formbook is data-stealing malware.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Suspicious use of SetThreadContext

    • Target

      1/de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0.exe

    • Size

      34KB

    • MD5

      19aff0a43f80919a6113020d3ff38300

    • SHA1

      f0db6e0967c534fa0326c9db009d0f22e0112a6b

    • SHA256

      de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0

    • SHA512

      bbd6b4fdf3aea24aa66b6e17b778596c86260f76b7d0502fe5339dc198d30c4314d18eb8121ec07995ea86d461c9bf0985c436b3c65b0001b357305a1e457e27

    • SSDEEP

      768:TLlw6CpA/0H9QoiMLD7aBzE/BMR35hUJtwjxI1VFA:TZMgu9QFM7x/BOpCExI7FA

    Score
    3/10
    • Target

      1/e886016e48bf0e3cd100d627678f345743509fd5f57f3c9b182f2833352bd451.exe

    • Size

      338KB

    • MD5

      f5607d12bfd66fa6205cfd6b078e8080

    • SHA1

      2c4f15f916b1dea8b76ebb06468e1700a2122b78

    • SHA256

      e886016e48bf0e3cd100d627678f345743509fd5f57f3c9b182f2833352bd451

    • SHA512

      74df2af255a0d0e6802ab13ffa2f44b26ed11d2bd4388d7659214ab42c5daa2319e1a924af4e8418e294678ee27508e908ac43becc544a8a7fa05cfccb230e94

    • SSDEEP

      6144:uwTSx/BpP+AegMMtRvu3LqBOkQWr3Yf0aldxZsakM2di8MEO:uJpP6gMEhEfjldxZei8MEO

    Score
    3/10
    • Target

      1/f0f496eccc61594c53ded581b6683a77072f607ab018ec0a770a0aa7c7f45ff4.bat

    • Size

      2KB

    • MD5

      e86739a5ddb407e0c60f9521728cf418

    • SHA1

      b6e2b6c70f3b09f7c12b4d8a83563e79a1745a23

    • SHA256

      f0f496eccc61594c53ded581b6683a77072f607ab018ec0a770a0aa7c7f45ff4

    • SHA512

      7d64d83aea215f0a0321d9d938c17bfcdcfa6d8f9c3aabce69067cdfffe1dbae0cc7da4425d5abfeee24cdf3efe0320df132a2c7564be80d30fc85eabad7434f

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Target

      1/f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe

    • Size

      146KB

    • MD5

      314275168bf7958219662a242dbfe8a7

    • SHA1

      d629032d9d8f491d133ee26a230c393335d7ad74

    • SHA256

      f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23

    • SHA512

      b5246db461ee78d622a33a758b3d178208b88e0b9e98185f17ee95f2fbbcf66b1059afece1dd5b586d01587bc01662491a6baab208b9836d4b4b9efc55f14c2f

    • SSDEEP

      3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUSx:V6gDBGpvEByocWeauV2gvzwUA

    • Renames multiple (352) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

hello, 6951125327, rat, default, stealc, lockbit, xworm, redline, asyncrat
Score
10/10

behavioral1

agenttesla, credential_access, discovery, execution, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral2

remcos, remotehost, discovery, rat
Score
10/10

behavioral3

stealc, hello, discovery, stealer
Score
10/10

behavioral4

discovery
Score
3/10

behavioral5

defense_evasion, discovery, ransomware, spyware, stealer
Score
10/10

behavioral6

agenttesla, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

babylonrat, discovery, trojan, upx
Score
10/10

behavioral10

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral11

agenttesla, credential_access, discovery, execution, keylogger, spyware, stealer, trojan
Score
10/10

behavioral12

redline, 6951125327, discovery, infostealer
Score
10/10

behavioral13

credential_access, discovery, stealer
Score
9/10

behavioral14

discovery
Score
5/10

behavioral15

discovery
Score
3/10

behavioral16

discovery, persistence
Score
7/10

behavioral17

asyncrat, default, discovery, rat
Score
10/10

behavioral18

collection, credential_access, discovery, evasion, execution, stealer, trojan
Score
10/10

behavioral19

smokeloader, pub1, backdoor, trojan
Score
10/10

behavioral20

agenttesla, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

discovery, persistence
Score
7/10

behavioral23

persistence
Score
8/10

behavioral24

execution
Score
8/10

behavioral25

discovery, execution, persistence, privilege_escalation
Score
8/10

behavioral26

execution
Score
8/10

behavioral27

discovery, execution
Score
8/10

behavioral28

formbook, 45er, discovery, execution, rat, spyware, stealer, trojan
Score
10/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

execution
Score
8/10

behavioral32

defense_evasion, discovery, ransomware, spyware, stealer
Score
10/10