General
-
Target
GangBeasts.exe
-
Size
7.6MB
-
Sample
241014-r67zvsvaqq
-
MD5
25ca0c07fa5e3b2fc1a30e5419a13c17
-
SHA1
0231b575d2f96de4a9f510b081e5f519c5bafabd
-
SHA256
a5ef976d928a096d7e298343b16ba54632411dc7fcb97f93e229ea24702578db
-
SHA512
d7d87ab9dd41c97289f94dfeb6141972c101942a0a466c5f1eda581b5ef81c5c9666bbd518bcb6db80d5ccbbc03db27c55a53cd1fd10845d89d49391d9bf91ab
-
SSDEEP
196608:n0+R+YMhI/tizvNSE28tpobqjglbxvb65j0iQtgcN+QiP1eggYej0WALg:n0+R+YMhI/tizvN88tpo28lFvWp0i2Zv
Behavioral task
behavioral1
Sample
GangBeasts.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
GangBeasts.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Built.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Built.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Gang Beasts.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Gang Beasts.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
kosomk.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
kosomk.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
njrat
0.7d
kosomk 555
dovelabobzgnan.ddns.net:5552
a8c0d4cf5cfc2cc1149b5e071c2ab5df
-
reg_key
a8c0d4cf5cfc2cc1149b5e071c2ab5df
-
splitter
|'|'|
Targets
-
-
Target
GangBeasts.exe
-
Size
7.6MB
-
MD5
25ca0c07fa5e3b2fc1a30e5419a13c17
-
SHA1
0231b575d2f96de4a9f510b081e5f519c5bafabd
-
SHA256
a5ef976d928a096d7e298343b16ba54632411dc7fcb97f93e229ea24702578db
-
SHA512
d7d87ab9dd41c97289f94dfeb6141972c101942a0a466c5f1eda581b5ef81c5c9666bbd518bcb6db80d5ccbbc03db27c55a53cd1fd10845d89d49391d9bf91ab
-
SSDEEP
196608:n0+R+YMhI/tizvNSE28tpobqjglbxvb65j0iQtgcN+QiP1eggYej0WALg:n0+R+YMhI/tizvN88tpo28lFvWp0i2Zv
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Built.exe
-
Size
7.4MB
-
MD5
5531aaf254a3ef858aa2808a87e6c3c0
-
SHA1
18a8a22cfa4f987dddef5ce39b2a6118ec32a196
-
SHA256
45567c82cc7277f5aa2cb693f6abfa0c0b91d2a472e91fe0643e17dab855d3a8
-
SHA512
2e880257c6da44836a19b2d8f7a47ea1d21d94b50eb61543f5b9478e274343d7367ccd3c62c645861c03089550c85fdd92df61dd94bd79381757521a9ea45d68
-
SSDEEP
196608:Q48PIdLjv+bhqNVoB0SEsucQZ41JBbIM11tR:z8PIlL+9qz80SJHQK1Jx1vR
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Gang Beasts.exe
-
Size
638KB
-
MD5
23d2ae54e204abdee7c3477a0eeaa93f
-
SHA1
99148c265a4b419855e4720ac802483b12568227
-
SHA256
621740b8a66c1b2432354dfbe2963c88902bca33d871ec919ad56470aff55d19
-
SHA512
d870ce4d6746675ef804a4a42177f664b54991ba6ea2c4ec751285d5a2b83479ed3f1c674913e8ff6f37099fa2c393848a878689dc25f333b2d27f2cc70c5568
-
SSDEEP
6144:rEbaWnBUCG6WlhZYFg26spvzxA3ixGkNru:roCC9WlhZYG26cvzx9Fu
Score1/10 -
-
-
Target
kosomk.exe
-
Size
23KB
-
MD5
926e2c78bcea51e5309db037b18b4202
-
SHA1
d4b80f95bfdc9c2ff860ac0cc2012a81b425801d
-
SHA256
1d74f423f423175189fbe07b34697cae04d6d48181efbed5c3b790a137145f10
-
SHA512
6962876b91bcf7d40d9250dde094ce560f3b3c7a4766ac5e810d27de46cd4167937042d5ae94b21f21a1b19dc4c39dc0107e2aac1fbcd17680345f2fe06354a1
-
SSDEEP
384:Ac6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZ0k:/IU0tw3RpcnuK
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Process Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1