Overview

overview

10

Static

static

3

bomb.exe.zip

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bomb.exe.zip

  • Size

    4KB

  • Sample

    240807-1ne1ssyape

  • MD5

    814538a1573b8df19f7f110392ce393d

  • SHA1

    152fc8b65388b59da9c8743c64bb8773dda60bfa

  • SHA256

    3f50821e75438309214415a60245529318ef95d4c86bde2e65cb65d5e92cb7da

  • SHA512

    71cb79c405377dbf7b32bd12c378daab6855ed8af7c8967f8e50dc8e3f698890d5309e19cf3d44e3148e6a663d534832794415014176488723111d0323378a00

  • SSDEEP

    96:OhMjbwQROK0RKz1Eu6SxB6JdysqDAbszKoddVesqFKg6WYof9w4AqOAPdc7x40:V+R+16SxwdcDAbszxqmxoe4AqvPg

Score
10/10
agentteslaphorphiexquasarsnakekeyloggerduder1234bootkitcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionkeyloggerloaderpersistencepyinstallerspywarestealertrojanupxworm

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.synergyinnovationsgroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    C@p-Y8BoHc#?

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    yUiavQX8

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.blooming.com.my
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    THL191282

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.progestionperu.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Progestionperu2017

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.aw.em-net.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    manabon0512

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    ca.thn.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    puf73iej

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.af.em-net.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    popipal9

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.jttk.zaq.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    momosaku0926

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.uu.em-net.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ux5mqkie

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.oo.em-net.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    2giwniwa

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.ai.ayu.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    8p9s4i4qq

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    ab.thn.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mbs5co3z

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.blooming.com.my
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    THL191282

Extracted

Family

agenttesla

Credentials

Extracted

Family

quasar

Version

1.4.1

Botnet

duder1234

C2

asd123123.zapto.org:4782

Mutex

0b2f89f9-0512-464a-8ed5-7c7b92e47150

Attributes
  • encryption_key

    CACF16743B18545EC9FE5512A605B86F4128B37D

  • install_name

    windowsManager32.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windowsman32

  • subdirectory

    windows

Targets

    • Target

      bomb.exe.zip

    • Size

      4KB

    • MD5

      814538a1573b8df19f7f110392ce393d

    • SHA1

      152fc8b65388b59da9c8743c64bb8773dda60bfa

    • SHA256

      3f50821e75438309214415a60245529318ef95d4c86bde2e65cb65d5e92cb7da

    • SHA512

      71cb79c405377dbf7b32bd12c378daab6855ed8af7c8967f8e50dc8e3f698890d5309e19cf3d44e3148e6a663d534832794415014176488723111d0323378a00

    • SSDEEP

      96:OhMjbwQROK0RKz1Eu6SxB6JdysqDAbszKoddVesqFKg6WYof9w4AqOAPdc7x40:V+R+16SxwdcDAbszxqmxoe4AqvPg

    Score
    10/10
    agentteslaphorphiexquasarsnakekeyloggerduder1234bootkitcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionkeyloggerloaderpersistencepyinstallerspywarestealertrojanupxworm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Modifies security service

      evasion

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

      evasiontrojan

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: Clear Persistence

      remove IFEO.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

1
T1070

Clear Persistence

1
T1070.009

Modify Registry

5
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

2
T1553

Install Root Certificate

1
T1553.004

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

7
T1012

Remote System Discovery

1
T1018

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks