General

  • Target: Spyroid Vip [EagleSpy V4].zip
  • Size: 147.4MB
  • Sample: 240813-jpggkswglk
  • MD5: 8795e6fc407634b83f7264ab7a8cdc18
  • SHA1: 164dfaa19487455e41343dde07e195d1fbf84f9c
  • SHA256: f6036ed6066d916a9fd27ecb9d9447bcaacc45dae8122de755630563e33e5430
  • SHA512: 6d5af203630f793874c49c1338df52b46b63016cafe0d2282ebb463a41ef368263caea72ffab2cf0427f8093b284553f801dfcc319c45a906f18c25bd46d9f6a
  • SSDEEP: 3145728:fD5qcJK+ueOmtynXEMKNTDynjR6+iCMFfSzJBAMbCuu+QxUFr0xARj9txmutLX:bweK+ueOAqZdqhF6zJBAMbCmIUF9tR1

Malware Config

Extracted

Family: limerat

Wallets: bc1qe6qclrn8s8ss6kcuh5n03mtn2m86zml3ucwtsa

Attributes
  • aes_key: len-13395
  • antivm: true
  • c2_url: https://pastebin.com/raw/u8f09e5b
  • delay: 3
  • download_payload: false
  • install: false
  • install_name: VCruintime.exe
  • main_folder: AppData
  • pin_spread: true
  • sub_folder: \
  • usb_spread: true

Extracted

Family: xworm

C2

redslide133-49604.portmap.host:49604

wiz.bounceme.net:6000

Attributes
  • Install_directory: %ProgramData%
  • install_file: USB.exe
  • telegram: https://api.telegram.org/bot7245769901:AAG_37K7d0DlKNRIZshszMjtQDXRfUiSCa4/sendMessage?chat_id=6652235050
  • aes.plain

Extracted

Family: limerat

Attributes
  • antivm: false
  • c2_url: https://pastebin.com/raw/u8f09e5b
  • download_payload: false
  • install: false
  • pin_spread: false
  • usb_spread: false

Targets

    • Target: Bunifu.UI.WinForms.1.5.3.dll
    • Size: 223KB
    • MD5: 61b35cc7017df96351f4ee9d5db377ce
    • SHA1: 2bdab9b59e1e909f8011759cedc037822ef14357
    • SHA256: e2d8041a6e57dbbde7c94398c3c83c66352ce4faf99dd2968e8c81d090905408
    • SHA512: 16d55621501aa05f11d78d79599cdf0a25188fa2e30faea1d57dd76edf4f12c4a12bb12af94c7c7658e833593c2eb537e3217eb87ef75dc7225346b7067ecc5b
    • SSDEEP: 3072:q4S17brKmFKTmq9Umtv5kJjoaTl2rIU+LwAjH4NIH2ENiJJ8MnPBlbbRS2/qW/Eq:WZk5JIMIU+dcNIH2ENak4
    • Score: 1/10

    • Target: DrakeUI.Framework.dll
    • Size: 3.3MB
    • MD5: dcd013eac797c81a9250d4214b26435f
    • SHA1: c98259accd13042a5cd32a9ab6ed8ab0372022c1
    • SHA256: 578eb6d0fc846883129374903a6ef885e53fbab173339400bf8e3cf0da143dd3
    • SHA512: bc7a6d0de64d4c2aff668bea370421ee8e8a47939261d986b66dcb76f4e195a126221505dd4dada2ec02ce8edecb229ae7cde283807162d8996f4a50a478d369
    • SSDEEP: 49152:LMt8GGXNncIv1N1YwzhmVSMoNqFFhWDYISVvWS5uQwEgRKiDCg+z9Y16FwiXrwUf:LN1YyhKoNqFFqYnVvW51fnDqznw085
    • Score: 1/10

    • Target: GeoIPCitys.dll
    • Size: 191KB
    • MD5: c070f2421851420e832e4f5989a775a2
    • SHA1: d6af3c48ffbe0fa1e0e54860836d3bbf374b8b46
    • SHA256: d54fd6c5903eea49a75d620d4ba232f8effb1863f5f9c974e4ac0a8fb1904131
    • SHA512: 75c3edeb4c16d8e82eedc5595b9c3fde4cbd4a3e9deae1967ad513474920a48e4e9275fdc76f44032b1be570a4ece1a6393c4680af8989f67bcdec039d06798e
    • SSDEEP: 3072:87IcHKc0TwY4O6BlLiJxTmd9h1+fJ5uJnjpUoh/ht21hYvpMaoySJHPc8E:8dHV0Tn4pox6d9G4k
    • Score: 1/10

    • Target: Guna.UI2.dll
    • Size: 2.1MB
    • MD5: c97f23b52087cfa97985f784ea83498f
    • SHA1: d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89
    • SHA256: e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd
    • SHA512: ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512
    • SSDEEP: 49152:cvrqKk8q2gqi2OXCt6kuSw9g8PTNTN/23uxjPHEiCAjFcm:cvrqZr
    • Score: 1/10

    • Target: KeyAuthPatchDll.dll
    • Size: 1.8MB
    • MD5: f68eb2260fc58f3548229c1db5b68756
    • SHA1: 28ee89520bc2c4fc2d6268cfa79d6a21c1ccf12b
    • SHA256: 2bc4ad6e4546158bb0c8993ed9ca4f59c59db8fad8029a5f6f944d25b9a18b12
    • SHA512: 14796b37fa80a282fb26110c5d91969bf9a06bb47baf332202a8bd1098e267a3ac871675e68d6819480c6fae0358ce063f67587cc27f6508e008f4c062cac6b5
    • SSDEEP: 49152:D8Ndb2FXu7J2xePZaTojaFehH7pNLLvm:+bF1Z08jWe97vLv
    • Score: 1/10

    • Target: LiveCharts.MAPS.dll
    • Size: 53KB
    • MD5: dfee15e4c6efa37e6645d8b47c8581e0
    • SHA1: 876140e0855fcd15bfb590431fb7b280d1db4a21
    • SHA256: 5b8a9a04f454a2c4da5989fa454a0138d3e5c40712816600f90111b7bf045c40
    • SHA512: 4d0e7b0a5642b649c04e54d89e707ec00e79a0fa282eac19b6097b819652045c3e157763b5b2922a4c2252b0877059ef90eb60038280dbfbef9502f421d739df
    • SSDEEP: 768:r4gOx89xKERw2U11HI+bZO603JLw8MOrNNLSW5/5xTcb2y1ehVHp:rPKB22HIwwFNuC5N6n+VHp
    • Score: 1/10

    • Target: LiveCharts.WinForms.dll
    • Size: 19KB
    • MD5: 76c775d09b24798f6923452e920979b5
    • SHA1: 3fe2c79512a0d1153fb07f6640b27106c90d333e
    • SHA256: a5b61c1726304e6b72e09a0f35ddbf52f89a75a4e28e6ed098c8d1df6081b4ad
    • SHA512: eacc093f8ac9401f617df7e07fd68a8a0f1f03aa150283de67ad8c338fcb1520b0f07335547cf533a646ff95f239c92b029f952a706e736bcd9508817c9be0f9
    • SSDEEP: 384:F5gNA4m0NkdPbJfGZLifwdNqF8vLvTjzHEhZFUPOxFBVGquJpQ76RqMm:F5gNnrNklJfGZLiAw27jrEhZFyYMm
    • Score: 1/10

    • Target: LiveCharts.Wpf.dll
    • Size: 212KB
    • MD5: e924f79f0b5f3e79c98477d75831813d
    • SHA1: 64f71e20e1953b13c771d8a8e63549ad6d64216e
    • SHA256: 1bdbb1b5c1a50653e5c26161e9b7c03edc518721a6e10ea180a84049d967106b
    • SHA512: 063e9bdbdaf0accb46cef5fdb98b30a97b8a6ba097a80d43a9799ff73e820d1c56d41ca9f71d94497736e3def7fbd0109db4000ab1d9e46cdc96357bf3e15fd1
    • SSDEEP: 6144:d/vd0eaDQcUc0GkiTV3bkACA3AloBtefVt+aA2xgKPo1zlW1w:vaErjGkiTV3bkACA3AloBtefVt+aAGBF
    • Score: 1/10

    • Target: LiveCharts.dll
    • Size: 148KB
    • MD5: 9642899636959b7fc89bf34a8b998a90
    • SHA1: 479a0254d1c9e5565c7d861bb77f54b7eae50c96
    • SHA256: 9fcf89837b60f69c1c501e4cfa4d2860887afd0b8f325803367e795a4e3bc9ca
    • SHA512: 435dccb57ff3e9d0663770768c866838b19fbaa5b8e79de0ca111d9c73276f016e016d1d268f72cf3435ecac122039764fada952e1a4f68f368b492bb866c9a2
    • SSDEEP: 3072:saegvMNVoz3Vlw6/R3z3MV1IdJJGVKWHC2KdxFFT9lzo:VFJlwYMVWY65z
    • Score: 1/10

    • Target: MetroFramework.dll
    • Size: 149KB
    • MD5: 44538b311e9ec2bcf0a6452702628d99
    • SHA1: da67301539903775708e9ec913654851e9e8eade
    • SHA256: baf326f52d39155d722465947f4cc67e6e90cfd0f89954eab959568e9bc342aa
    • SHA512: b65e3bc1c0f7b4c8f778cf52a36d628301d60aab53fdaf0355163e4865bc3d3adbf8870bb6cefc604708fdf2c0e72258eaf2fe301d524af2f77bc08014c9610a
    • SSDEEP: 3072:LU0T+erz8jYxYg5lzrPHlMUzxXd4kRZPI9q:vT+erz8jYxYgv/lxXGWPS
    • Score: 1/10

    • Target: MetroSet UI.dll
    • Size: 444KB
    • MD5: d99a97de55b2561e57135433b44bb786
    • SHA1: ab588b8d36683b52adcb32c03a9859b884838f29
    • SHA256: 6288e559b0f34d56ab4601ffb2ba2289001c77cf7351d135dd93915034c56bba
    • SHA512: 7ef95cb161265fcf110ba843fe3af5e6cf6d47465e17a10c742256bebd91c128df2cfa7d21696d716bfa861c952d6fad445912f8cca9da9cb03d780211b0545c
    • SSDEEP: 6144:PTJ1DwrSfCmrB0O1SIai39IkRetlJT4ihPrsAgbP2UiuE2Bnw7M:rJSpmaxIephPrYDK
    • Score: 1/10

    • Target: NAudio.dll
    • Size: 498KB
    • MD5: 6ca17abccae3050f391401b2955f9333
    • SHA1: 0975b039a793accb58130d6639262cd291d80d5d
    • SHA256: 3ad5d09b4c8c3146d15955a564a9f1a57d7c795b189a25c6f722a738d95ef89c
    • SHA512: c08f366aae9baf0e7762f47a2f79d0dee5187a1d7631e5838590b7c12911bdeb6247e0ff860ade36e04f1d6717f919ad98df6d3a1a556bff4b8994db9616ccec
    • SSDEEP: 12288:MnXnae2TPlr3zvzar5oRDaw92wP6mai9gs6C:K8lrT+r5ADakP4i9gs
    • Score: 1/10

    • Target: Newtonsoft.Json.dll
    • Size: 695KB
    • MD5: 195ffb7167db3219b217c4fd439eedd6
    • SHA1: 1e76e6099570ede620b76ed47cf8d03a936d49f8
    • SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
    • SHA512: 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
    • SSDEEP: 12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
    • Score: 1/10

    • Target: SPYdroiedVIP.exe
    • Size: 139.8MB
    • MD5: b7d3b8f8e284fb9b586cf8969e83100c
    • SHA1: 7b6caeb90302ec3bc0f426fd925ecdf5d19b0b92
    • SHA256: f08f44a1a04d641fda13aff23cdcaf85cc86237ee9924b6b78835906bae17f3b
    • SHA512: 8e89598300214f5d4a6c8e6e373a03d236d024e81d95b9a9e10c131c2e120c1183d4c569aaeff9e1f33c231847b00afb570a10329afd23b2f09da49cb16358e6
    • SSDEEP: 3145728:jqU9w0EOiCbAP/Sc6lTB6rtt2ScCcfxc5VJwAtHk4u81+91i9slbf1TME4:2Cw0EOiA+3z0HfO5VJwAtHg8+Vf1x4

    Signatures
    • AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • Detect Xworm Payload
    • LimeRAT: Simple yet powerful RAT for Windows machines written in .NET.
    • Xworm: Xworm is a remote access trojan written in C#.
    • AgentTesla payload
    • Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target: SipaaFramework.dll
    • Size: 54KB
    • MD5: 7ca0f8aff7fc8c357dd26d617fa2d625
    • SHA1: 482b3efc1b12f9c8600c74b7218fe3ba5762cc9e
    • SHA256: daacd27b8c89b8f328ac2b2d80fe4646a9df9500e5265d8f743911cad4fd5636
    • SHA512: 3927e713682bdfdcf3f8f45b7f4e7171a0fb6af302d4e76cc05fc47ef3d49047ef9fa49c6d577934b03f5b327cc391c49d9fa9e8df942e8e9019641a38b3df89
    • SSDEEP: 768:7vD2jQYGvCr8/rZRD/GfrseWaD9T2brrF8LBx+QdIb+Kdpq7m6q3niv9lAU:WjDr8/32QeVD9T2br27NIb+Kb64GAU
    • Score: 1/10

    • Target: Siticone.Desktop.UI.dll
    • Size: 4.0MB
    • MD5: 1582aa45d981e0e569c6e05698642b30
    • SHA1: 763506f312a186c55a04ef6a16ad7e867c394097
    • SHA256: 21eecaf504b7fe787a45f4aa8f8f36dacfc3ab1d75624dfb41827cdef2a9a589
    • SHA512: 278a7a4e2b9d82528200b9f92244db3f228187d15c36fd169deb927e343bc4d0bb29c9dba496f86558aea4f4deb44d1e47a41d5598c0b375d99ad9fbe99cec34
    • SSDEEP: 24576:UCCxPAT4L7h3M7O2MLBSlvTh/aOBteUePU/DU/GHQYazK/DkWoql3zjbndHQ/jzb:WuO2MIThZNwewYDoyG
    • Score: 1/10

    • Target: System.IO.Compression.ZipFile.dll
    • Size: 24KB
    • MD5: dcda916372128f13ada8b07026c1b3e7
    • SHA1: 99d6c187de8510206a93d2eed9c65e65e0c86e72
    • SHA256: b5c12e9099643e2eda9b49edd0d98bdaed153c72a7e8e6235d8e78714402d16a
    • SHA512: d66de5d61cf7090ce2e11ca8064723a44c2fdbd7ed937f1cf4198ebe13083037941b816ad9022d332bbb853666785600fa8b1faca94c498d2f82de73fe1e42f9
    • SSDEEP: 384:dK8Y54xRiW3mWeW+mWE3rq0GftpBj52ERHRN7dldBopPI:dKfemqiuEBHoa
    • Score: 1/10

    • Target: WinMM.Net.dll
    • Size: 43KB
    • MD5: cd70c893ed72c41f61431b583421270a
    • SHA1: 748d445623dbbfa57da4c36fe10dfa50ea00f72f
    • SHA256: d320e4c7ff3671d4949e4fd0b3937e77a1b2fd1c7d8c20d7a9cd124c443182b1
    • SHA512: eb69130688f14ae722f3b531c4336cdcbb4868411122fdf0566f80103c2eba360dec9b1b2f3ea5c614608d0f985d85e24afb42a91a6bd6889f7d133c90e44a27
    • SSDEEP: 768:LyasDzF2TDSemqD9tGI+ffwj2Au0LVpqmf7KxcOOrYCPTxqPb85h:LyaXKemqD9tGI+ffwj2Au0LVpq4KWrlZ
    • Score: 1/10

MITRE ATT&CK Enterprise v15