Overview

overview

10

Static

static

10

Archive.zip

windows10-1703-x64

10

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Archive.zip

  • Size

    25.8MB

  • Sample

    240912-cvfznswere

  • MD5

    83671dbfab2418604f11993fdc392094

  • SHA1

    5386d1fb94ec2974736a4d8895a2218855ffda69

  • SHA256

    60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

  • SHA512

    9cf982c9b2949f05ea4ab7d27b369924334cb9f8a0b85c374cf08ac059281ecf96c97088bb983f74033a1a8fba01f09c2f3f41ae3a60e7c79db8b6312edd5138

  • SSDEEP

    786432:+r/Da8WA3C5BENmtAWzdVTkvq+GY8NEXcJap4DFEME/:4/W8WAS5BENmtZ1kvq+GYi8pw+T

Score
10/10
agentteslablackmoonmodiloaderrevengeratsmokeloaderxwormzeppelinsystemagilenetbackdoorbankercryptonedefense_evasiondiscoveryevasionexecutionimpactkeyloggerpackerpersistenceransomwareratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/2jTT3Lnj

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>TrEx/K0mZG7CkRIYYz35iwBcBdBcigykhfeQcWnzgVBXGms6gqADEsxFWp6PVUDsc9xZdyGWDKotQ6jgny+RQQCq6qU/NPqU6RxWED3ANLOugZh0+L9so5qeFQdBu8wkHlBCN+cZb4tjBRDiO7Q5c31qW4t4aVn5aPoqygSC/8qZAwq5g4q03YyoSLMuwuouo9kJstb9y3Cq56783ckbEG1/DMCkpZyJB8QZwl5SQ+dboXwaLoChq9ILyii3bqdvV0mC4CWmsUVhu4DelhS8Pr4CBqgGt8mE2AUDC4yu1ja2z//k/53dzaukewGlDYvPsUkliPJw3a+cPcAMZuILKw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Targets

    • Target

      Archive.zip

    • Size

      25.8MB

    • MD5

      83671dbfab2418604f11993fdc392094

    • SHA1

      5386d1fb94ec2974736a4d8895a2218855ffda69

    • SHA256

      60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

    • SHA512

      9cf982c9b2949f05ea4ab7d27b369924334cb9f8a0b85c374cf08ac059281ecf96c97088bb983f74033a1a8fba01f09c2f3f41ae3a60e7c79db8b6312edd5138

    • SSDEEP

      786432:+r/Da8WA3C5BENmtAWzdVTkvq+GY8NEXcJap4DFEME/:4/W8WAS5BENmtZ1kvq+GYi8pw+T

    Score
    10/10
    agentteslablackmoonmodiloadersmokeloaderxwormagilenetbackdoorbankercryptonedefense_evasiondiscoveryevasionexecutionimpactkeyloggerpackerpersistenceransomwareratspywarestealertrojanupx

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Detect Xworm Payload

    • Disables service(s)

      evasionexecution

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • AgentTesla payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • ModiLoader Second Stage

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Scripting

1
T1064

System Services

2
T1569

Service Execution

2
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Scripting

1
T1064

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Service Stop

2
T1489

Tasks