General
-
Target
4363463463464363463463463.exe (1).zip
-
Size
4KB
-
Sample
241028-xpjtlasrat
-
MD5
d4a31cfacebb15004dfebb6847c555a0
-
SHA1
e2f4fe84fb6e4e5a1d6eb8cf14f5f8c388025bd3
-
SHA256
48cdd34c1d5194805bb63e4d865ff8ce52d2c7a8aa2e0fbb24b8b73c00a28b6b
-
SHA512
75daf512110eff1a9b48f69bafb37141626025e02ff5a5a540939e6f241f3d6912ae2affda4bc78698e4b36bd05c29b20a9248ed41dd5f53fcbc5ac18105d62b
-
SSDEEP
96:9iJV6nM5MJTwyjit+AWBSj3bvhcKRBo86BDK7KK1wyE2gDB:9iJV6nC2TwaS+5BSj3bJNDX6BD+wyO1
Malware Config
Extracted
redline
Miles
194.49.94.43:3251
-
auth_value
e9df05a4c476aa612a10a6f3fc79043d
Extracted
quasar
1.4.0
Office04
137.184.144.245:4782
6cfe4a65-c41d-4b02-9ae9-e727a748ae84
-
encryption_key
B702BA239316FCF317B584A351F2EC1696EBE772
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
java updater
-
subdirectory
SubDir
Extracted
amadey
5.03
7c4393
http://185.215.113.217
-
install_dir
f9c76c1660
-
install_file
corept.exe
-
strings_key
9808a67f01d2f0720518035acbde7521
-
url_paths
/CoreOPT/index.php
Extracted
vidar
11.1
df523263f44cc8d55414a260a0197e4a
https://steamcommunity.com/profiles/76561199786602107
https://t.me/lpnjoke
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
agenttesla
Protocol: smtp- Host:
mail.worlorderbillions.top - Port:
587 - Username:
[email protected] - Password:
3^?r?mtxk(kt - Email To:
[email protected]
Targets
-
-
Target
4363463463464363463463463.exe.bin
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detect Vidar Stealer
-
Modifies security service
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Windows security bypass
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Legitimate hosting services abused for malware hosting/C2
-
Network Service Discovery
Attempt to gather information on host's network.
-
Network Share Discovery
Attempt to gather information on host network.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
3Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Network Service Discovery
2Network Share Discovery
1Process Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1System Network Connections Discovery
1