General
-
Target
4363463463464363463463463.exe (3).zip
-
Size
4KB
-
Sample
241028-xpl9qavfqp
-
MD5
3a174db0b8ea99669c7c2f96a62ee68f
-
SHA1
40f1c7874bcd9bbcca93fb4fce4193ffc80d465c
-
SHA256
2a856237a11dcf14b5f6ffd31ab9902c5b5353399bef296da68e1de8355dbda6
-
SHA512
a42cb2569c1561c41d3239847144aac9fad14444631a2f80146070f4d23c48c027854afc795611914c99d437db8bc6b2c0052bd387a7a02b1ef7f1ef84d06fb7
-
SSDEEP
96:IJJw44m9wvvlgV3Ld9tfjUDCe7RptKN9arTvYRkGn52I+nCYH5i:wJwFJvKV3LHtfjQCe7Lq9arsWdI+nCY8
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
xworm
163.5.215.245:9049
r3SLo8kx59hai6gX
Extracted
redline
Pizdun
94.142.138.219:20936
-
auth_value
20a1f7fe6575c6613ee7cc5d3025af70
Extracted
agenttesla
Protocol: smtp- Host:
mail.worlorderbillions.top - Port:
587 - Username:
[email protected] - Password:
3^?r?mtxk(kt - Email To:
[email protected]
Extracted
asyncrat
Venom RAT + HVNC + Receiving + Grabber v6.0.4
NewClient
157.20.182.183:4449
fsqshvwapaxdhwtdp
-
delay
1
-
install
false
-
install_file
Winup.exe
-
install_folder
%AppData%
Extracted
https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1
Extracted
xworm
5.0
110.164.203.191:7000
AExowENWrg3jY19C
-
Install_directory
%Temp%
-
install_file
windows32.exe
Extracted
phorphiex
http://185.215.113.84
Targets
-
-
Target
4363463463464363463463463.exe.bin
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Asyncrat family
-
Detect Xworm Payload
-
Modifies security service
-
Phorphiex family
-
Phorphiex payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Venomrat family
-
Xworm family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
2Indicator Removal
1File Deletion
1Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1