Resubmissions

  • 25-08-2024 18:37 240825-w9lm9aybld 10

  • 25-08-2024 18:31 240825-w6eqjazcpm 10

  • 25-08-2024 18:25 240825-w2whgsxgjb 10

General

  • Target

    The-MALWARE-Repo-master.zip

  • Size

    198.8MB

  • Sample

    240825-w9lm9aybld

  • MD5

    af60ad5b6cafd14d7ebce530813e68a0

  • SHA1

    ad81b87e7e9bbc21eb93aca7638d827498e78076

  • SHA256

    b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

  • SHA512

    81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3

  • SSDEEP

    6291456:wNl3aFW2h9/fiTwCzCLS6iilVkLZgAEtknRzq:wDaFd//Orcpi4VkL6AfRG

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Geforce

  • C2

    startitit2-23969.portmap.host:1604

  • Mutex

    b9584a316aeb9ca9b31edd4db18381f5

Attributes
  • reg_key

    b9584a316aeb9ca9b31edd4db18381f5

  • splitter

    Y262SUCZ4UJJ

Extracted

  • Family

    remcos

  • Version

    1.7 Pro

  • Botnet

    Host

  • C2

    nickman12-46565.portmap.io:46565

    nickman12-46565.portmap.io:1735

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Userdata.exe

  • copy_folder

    Userdata

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    remcos_vcexssuhap

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

  • Family

    revengerat

  • Botnet

    Guest

  • C2

    0.tcp.ngrok.io:19521

  • Mutex

    RV_MUTEX

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor

Targets

    • Target

      The-MALWARE-Repo-master/Net-Worm/Blaster/Blaser.C.sourcecode.txt

    • Size

      57B

    • MD5

      d1d3280b12efbe2eea097d8ec9162b9b

    • SHA1

      15351d4d88cb99d582626bb8dbb627b2364c2c0c

    • SHA256

      604619efb204c92db0a983ef0c120080610ebbc2c1ea6637230f78024efc46c8

    • SHA512

      f560f7e77aa86f90b2e74620b76707c770ace6703bce26f4c47d791a7a5c614e62ce8502bf14133f2cba1e7a5fd6273fe595f0b029577d1205caf3819b394dd3

    • Score

      1/10

    • Target

      The-MALWARE-Repo-master/Net-Worm/Blaster/Blaster.A.exe

    • Size

      6KB

    • MD5

      5ae700c1dffb00cef492844a4db6cd69

    • SHA1

      bed8e439f28a1a0d3876366cbd76a43cdccf60fa

    • SHA256

      258f82166d20c68497a66d82349fc81899fde8fe8c1cc66e59f739a9ea2c95a9

    • SHA512

      2cc1ec68df94edc561dd08c4e3e498f925907955b6e54a877b8bc1fb0dd48a6276f41e44756ed286404f6a54f55edb03f8765b21e88a32fd4ca1eb0c6b422980

    • SSDEEP

      96:R+sKQYu8u0J81Pyd6jgqC9Upq1CKPYKSa1aqDOJ9kq1R/X7Dw3YXmI:R+szB8G1PO6jgVFLYo1S9k6Xw3smI

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      The-MALWARE-Repo-master/Net-Worm/Blaster/Blaster.E.exe

    • Size

      6KB

    • MD5

      8676210e6246948201aa014db471de90

    • SHA1

      86b30d1a8b7515dcab6c8d2781b85c6983709dbf

    • SHA256

      2e481059b9bc9686c676d69a80202eed5022c9a53ecd8cac215e70c601dd7fdc

    • SHA512

      5130e6ea6c5e1924af7d630a7b1c6e614b1482edcad3117a8dc56371269260b97793a7ccdbf3249054815b7c3b9c364b30e73e0f8e4cc230502b01d0d2f70bda

    • SSDEEP

      192:P+szB8G1PO6jgVFpXbWMBpbw/jsaW6HmI:P+szyLVFdbWsbKtWqmI

    • Contacts a large (3326) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Adds Run key to start application

    • Target

      The-MALWARE-Repo-master/Net-Worm/CodeRed.a.exe

    • Size

      3KB

    • MD5

      6f5767ec5a9cc6f7d195dde3c3939120

    • SHA1

      4605a2d0aae8fa5ec0b72973bea928762cc6d002

    • SHA256

      59fe169797953f2046b283235fe80158ebf02ba586eabfea306402fba8473dae

    • SHA512

      c0fbba6ecaef82d04157c5fcf458817bf11ce29cdaf3af6cac56724efcf4305565c6e665cdcf2106c675ba0574c60606be81d9baafe804fc7d2d3a50fed0baf6

    • Score

      1/10

    • Target

      The-MALWARE-Repo-master/Net-Worm/EternalRocks.exe

    • Size

      5.0MB

    • MD5

      c52f20a854efb013a0a1248fd84aaa95

    • SHA1

      8a2cfe220eebde096c17266f1ba597a1065211ab

    • SHA256

      cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30

    • SHA512

      07b057d4830d3e2d17c7400d56f969c614a8bae4ba1a13603bb53decd1890ddcfbaad452c59cc88e474e2fd3abd62031bf399c2d7cf6dc69405dc8afcea55b9a

    • SSDEEP

      98304:oix7H2smW+eW/4oEAxd1jzOYGYSXmNjT2opEqH+IHK:XGW2dpOXoFWqrH

    • Score

      1/10

    • Target

      The-MALWARE-Repo-master/Net-Worm/Kolabc/Kobalc.exe

    • Size

      185KB

    • MD5

      15717cd327a723820d71900611545917

    • SHA1

      99184ec149d329e98cd3e600cfaba22a2f9a0156

    • SHA256

      db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747

    • SHA512

      a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49

    • SSDEEP

      3072:LoixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:0W5jOA96xrRd

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Looks for VMWare Tools registry key

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      The-MALWARE-Repo-master/Net-Worm/Loveware.txt

    • Size

      313B

    • MD5

      9f59e4d545e1a16ec4ad1b11291c5346

    • SHA1

      9986d8713336097fa96f41a557a20222e21bf6fb

    • SHA256

      cd41eb3b411abd314e90d980f4e05d7d2db60fb8a9616f84754b4e1eeb10f290

    • SHA512

      ba4e1168428671ce721c3026b0b873e5e179aa0af84f1b58fb82a9d72d67b2554c718b6a781ba5031a77cfefbde07b484fdd4ef7eac68c3755cd4510189f6b34

    • Score

      1/10

    • Target

      The-MALWARE-Repo-master/Net-Worm/Opaserv.l.exe

    • Size

      28KB

    • MD5

      71c981d4f5316c3ad1deefe48fddb94a

    • SHA1

      8e59bbdb29c4234bfcd0465bb6526154bd98b8e4

    • SHA256

      de709dacac623c637448dc91f6dfd441a49c89372af2c53e2027e4af5310b95d

    • SHA512

      e6ed88ce880e0bbb96995140df0999b1fb3bd45b3d0976e92f94be042d63b8f5030d346f3d24fbadd9822a98690a6d90ba000d9188b3946807fd77735c65c2b1

    • SSDEEP

      768:6AAhTSe5L5gNRy0V3eU8HtsoeohmhwZRGX8:6AAXL5gNRy0ViHtsoe+gX8

    • Score

      3/10

    • Target

      The-MALWARE-Repo-master/Net-Worm/Rahack/Rahack.exe

    • Size

      86KB

    • MD5

      70089174cf0b97d4e4de889f03e97a7a

    • SHA1

      c87c555b412929ab73562a048893bffc529436d9

    • SHA256

      400c72ef312e3b46fe417aa82d6691d18a07c0708e94b6fa7b47934909d3db7c

    • SHA512

      29c52942edf46ee11e4bae6837d632ed76372c13f1c5811546ea964bbb81e2076c596cd93936a34e7f4a45e0741c7ce90c7cf871a613747ebd329b174fb33538

    • SSDEEP

      1536:+RYXfuc7irz4OQ7K0+ezvio7GDW/1CD+xD+xljEErxTWDTMqhGKYIZTET8JsE:+2XfscKAv8WNCDgDgljBkMqhGKZTbP

    • Score

      3/10

    • Target

      The-MALWARE-Repo-master/Net-Worm/Sasser/Sasser.A.exe

    • Size

      104KB

    • MD5

      ef1952b755ba912b9f60b2ed8dd68d30

    • SHA1

      dcabadcf6f4a6079c8373ab2eb94b8ffeebd8d96

    • SHA256

      b2fa6edaa5ffc51d12150424355a0c86ac9f46d7ec772d35ab8d9f4fe7996d91

    • SHA512

      dd088f3ba5f97ae379d005ab252dd6aa98e10f81ef70d3029bfb4ece7bad5dde7558f25711c229bee6f5901bed980159fa82f217f281ce7476ee30e90a598729

    • SSDEEP

      384:k/exp+OvWEcAB9KybxgUamOUOtTMmlTD1DtkzyQ+dTXr9421qYGI6s37uP:k/WpR606UahvXDDkuRBXr9115Gq37uP

    • Score

      3/10

    • Target

      The-MALWARE-Repo-master/Net-Worm/Sasser/Sasser.B.exe

    • Size

      104KB

    • MD5

      fa3348956253f9f733b28b4cf1d45942

    • SHA1

      7185d2d017370978c757956be1bfaa4c787867b8

    • SHA256

      00808f00ec970e3ed518ed40ba77f64be2b9761b02fbaea2047c5ac82d8b8f99

    • SHA512

      7805fd530dbc37f72c39f729982a16cb03314ad1b1e115fd16e1679c54d90a3cbc2f2404fcb0f6d0196a919395d1842fd75fae8c0b97d2af06a94c57f3251add

    • SSDEEP

      384:b/5zyD8MpMCi/8Zn4y5xsjmhaBs8DT0ml1j+/YPSfudTXrQ4PdGAWa8:b/lgpr4K2jm0+8Dk/YqGBXrQMGAWd

    • Score

      3/10

    • Target

      The-MALWARE-Repo-master/Net-Worm/Sasser/Sasser.c.sourcecode.txt

    • Size

      38B

    • MD5

      28fad72d643985282fb85ca9b7892dfb

    • SHA1

      72d02699e508d6ba0ed18625f4cc696f5abad8ed

    • SHA256

      febbf809124ed9d5771ca2da4f2d8fd23643970becc3d6b062e14cc97faee4b7

    • SHA512

      52352f29b50f15d100fbf4f57e72eaf2e208d117b5909dc42acf67a28b9e1c0d3568dd7f97e8998584870928da9dced51789396cf07ea4546839329494505bda

    • Score

      1/10

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 5

    • Registry Run Keys / Startup Folder (T1547.001): 3

    • Winlogon Helper DLL (T1547.004): 1

    • Active Setup (T1547.014): 1

  • Create or Modify System Process (T1543): 3

    • Windows Service (T1543.003): 3

  • Event Triggered Execution (T1546): 1

    • Netsh Helper DLL (T1546.007): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 5

    • Registry Run Keys / Startup Folder (T1547.001): 3

    • Winlogon Helper DLL (T1547.004): 1

    • Active Setup (T1547.014): 1

  • Create or Modify System Process (T1543): 3

    • Windows Service (T1543.003): 3

  • Event Triggered Execution (T1546): 1

    • Netsh Helper DLL (T1546.007): 1

Defense Evasion

  • Modify Registry (T1112): 9

  • Impair Defenses (T1562): 4

    • Disable or Modify Tools (T1562.001): 2

    • Disable or Modify System Firewall (T1562.004): 2

  • Virtualization/Sandbox Evasion (T1497): 1

Discovery

  • System Location Discovery (T1614): 7

    • System Language Discovery (T1614.001): 7

  • Network Service Discovery (T1046): 1

  • Query Registry (T1012): 1

  • Virtualization/Sandbox Evasion (T1497): 1

  • System Information Discovery (T1082): 1

Tasks