Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-1703-x64

10

4363463463...63.exe

windows10-2004-x64

10

4363463463...63.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.bin (2).zip

  • Size

    4KB

  • Sample

    240823-k95kksycjj

  • MD5

    cd192ab51845b19fdf63e128c9dcbdf3

  • SHA1

    5d036f2fac0abd4ed4617fbd28956fc97352be0c

  • SHA256

    647c12635ce1c94d07a0277f852a723a61ff44adc692d1d8a202d6c4eb52437b

  • SHA512

    9e60831a4406a5c8a77b9bd08eacea1780e102281e936aec3314fdd199654784b52f73cf019cd72987fc7f8abcbf50f959083bf99e446fcc347f17e24761b5a8

  • SSDEEP

    96:cGIz92juw+DVDtBY8YyTXLeDAUCz1eogHn8k09PDRtI/GS8FmWDSDUAFlqH0r:RIZFw+BDrFYyLdz1ez09FohW7D2F3

Score
10/10
lockbitmetasploitphorphiexquasarredlinestealcxmrig25072023banadefaultkorabackdoorcredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerloaderminerpersistencepyinstallerransomwarespywarestealertrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/
Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
Attributes
  • mutex

    x66x54x66x

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

103.42.55.251:8080

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

redline

Botnet

25072023

C2

185.215.113.67:40960

Extracted

Family

stealc

Botnet

default

C2

http://147.45.47.59

Attributes
  • url_path

    /d6f30af05ffe50bf.php

Extracted

Family

quasar

Version

1.4.1

Botnet

Bana

C2

104.207.135.238:4782

Mutex

561145fb-9ea1-428e-bdd4-5340d7a94daa

Attributes
  • encryption_key

    9D07386D7F5BA4F8C1D2DE8B3ADF355ABD3F47A0

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    MD Client Startup

  • subdirectory

    SubDir

Extracted

Path

C:\MNYHU2Jh1.README.txt

Ransom Note
~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected] If both email no answer, you need faster answer and unlock please use TOX You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24
URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Extracted

Family

redline

C2

38.180.203.208:14238

Targets

    • Target

      4363463463464363463463463.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    metasploitphorphiexredlinestealc25072023korabackdoordiscoveryevasionexecutioninfostealerloaderpersistencepyinstallerstealertrojanwormquasarbanadefaultspywarelockbitcredential_accessdefense_evasionransomwarexmrigminer

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies security service

      evasion

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

      evasiontrojan

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Renames multiple (604) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Contacts a large (1094) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

6
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Service Discovery

1
T1046

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Service Stop

1
T1489

Tasks