General

  • Target

    Dispam.exe

  • Size

    12.1MB

  • Sample

    240918-x871jazaja

  • MD5

    61aa26439a0e4cbd13d4f531e58eac20

  • SHA1

    d685cd48ce1e81ae574a3467628341140354573e

  • SHA256

    fa17bf64d800d3af2abbd959a45ece4d0e4c6c7831b9e148f41bca3aab424491

  • SHA512

    d7eaf0e99464987490ee1d97bcc532b18673054aacc706a74f180a47be0faf29065491d3d61818ad0fc49cbce3b6a8fb2ec77b55e682ef7b5b3caaab3dd30506

  • SSDEEP

    393216:zGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:mYQZ2YwUlJn1QtIm28IKzo

Malware Config

Extracted

Family

berbew

C2


Extracted

Family

cobaltstrike

C2

http://192.168.180.12:7810/vN3f

Attributes
  • user_agent

    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)

Extracted

Family

simda

Attributes
  • dga


Extracted

Family

xworm

Version

5.0

C2

white-blend.gl.at.ply.gg:10579

Mutex

HNiFUP1sOXubvYwz

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Dispam.exe

    • Berbew

      Berbew is a backdoor written in C++.

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Detect Blackmoon payload

    • Detect Neshta payload

    • Detect Xworm Payload

    • Detects MyDoom family

    • Disables service(s)

    • MyDoom

      MyDoom is a worm written in C++.

    • Neshta

      Malware from the Neshta family infects other files in order to spread and cause damage.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Simda

      Simda is an infostealer written in C++.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified version of it.

    • Uses the VBS compiler for execution

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Network Share Discovery

      Attempts to gather information about the host's network.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      Dispam.pyc

    • Size

      4KB

    • MD5

      cf8c2d3338bf39744518e594875d2c8b

    • SHA1

      de162ad4e6033c31b87c27849b52622213f0be03

    • SHA256

      6833688986e290d66083e7a7ebf3b57e72a9ffe214911a6627499232a8e68d76

    • SHA512

      010676744ee7456953d99a5b0d07f7d01c392d0cda161a506fde1c2eb95a7efbbc86b2c82aea567e61d7f13e95d69e67f5fc76652039aa1aac8c24f1a423205d

    • SSDEEP

      48:Shbvazto0w2LgajpWhwRrgXALDA1D5PFgsjR5iBf79kLiLxGXA3wHZN:2bSzeELHtW2RrgQMNgsVe7srw2

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks