Resubmissions

07-11-2024 16:29

241107-tzeqvawbpe 10

07-11-2024 06:54

241107-hpd6sazqap 10

General

  • Target

    dd6f0b9730529cfe145d5585eccfb6c68510758d16ffd02043bd1fe73842ee1b

  • Size

    2.6MB

  • Sample

    241107-tzeqvawbpe

  • MD5

    6112c5ef840aebcbd67f1a8e5242da62

  • SHA1

    2119c46a747c65af5fe3f0ce2af07946a3663026

  • SHA256

    dd6f0b9730529cfe145d5585eccfb6c68510758d16ffd02043bd1fe73842ee1b

  • SHA512

    ec9d7355ef2f18d66e4c90091082ab91344aa612a08e6a38f7ec63e1902ecdf695afa7fa776ee2c66c6295a776e00df1254d5538f84947878ea0569344f17227

  • SSDEEP

    49152:Nhb7HICi0LaXyacGy9gCdWfyFqPfaiu9dKrswCEXN3Apho5Yvr3o:Ri8aUWXy7Krshc3ABY

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

24.101.234.141:4782

mcserversetup.serveminecraft.net:4782

Mutex

aab349ae-4ff4-4729-b556-ac9cc2396c71

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    mcserversetup.serveminecraft.net

  • backup_dns_server

    84.200.70.40

  • buffer_size

    65535

  • build_time

    2021-04-19T21:05:14.073842536Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    4782

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    aab349ae-4ff4-4729-b556-ac9cc2396c71

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    24.101.234.141

  • primary_dns_server

    84.200.69.80

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    7990

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

206.123.141.239:7777

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    12376w8q09dq.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/862165160868446228/lezUoxbmSKnQaLw4wvOac8i367NaU-u-NtZxLFuqODKoe-_rUnWLyrpHUCVBrouo6vPN

Extracted

Family

lokibot

C2

http://185.227.139.18/dsaicosaicasdi.php/nGBv5iZqdfzrl

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

redline

C2

newlife957.duckdns.org:7225

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

8.tcp.ngrok.io:12342

Mutex

602fdca88735a1a1338352d8ae49ef80

Attributes
  • reg_key

    602fdca88735a1a1338352d8ae49ef80

  • splitter

    |'|'|

Targets

    • Target

      15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa

    • Size

      49KB

    • MD5

      8cc63c91ed1bc3fa9202391e42364a50

    • SHA1

      ea335ad31b2c19892ddc5d46a3a14ff0d1be0850

    • SHA256

      15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa

    • SHA512

      8fa5112f444339a0a7bee333078cd162eeee7d3d80b3a362f3cc785addea8fa682de92081129ffde6ebb6c71b42db22ee8ad6526655cb5eb74c004429b72d057

    • SSDEEP

      1536:F/MwxLXpy3/pfZtwbjH/xwinmQb8b4znB:F/MwxLXpy3/pfZCuinDb8EnB

    Score
    6/10
    • Network Service Discovery

      Attempt to gather information on host's network.

    • Target

      304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b

    • Size

      203KB

    • MD5

      76b5931a8eab2e7e98023a43c489bbbf

    • SHA1

      033e6f5547c62a8650f449fc5b0034424f9b5f85

    • SHA256

      304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b

    • SHA512

      533f26e6379f35bf8aae578461b538ae891d9c00386476dab2235fc965655b35f0ca5433cd5c9c5c106b66369ef37c9e76c091e9635aad9dc2ca57af033344b1

    • SSDEEP

      3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIGXzDtCihaFue8Y1WRFj7KV7i:sLV6Bta6dtJmakIM5/NC5x8Y167Y7i

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb

    • Size

      876KB

    • MD5

      7e39e9345427ccc8be9a0137cef89742

    • SHA1

      f6f24e1b571a0089c05d5a1e00116742f9e98a93

    • SHA256

      43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb

    • SHA512

      9282a11b1a3be4bd721fd8f46c019a545b7ffe992f5daad7d50ab724094c30f807e3e96bac30c881760d1a66f080e69745284e5c46885181ce643383eb17af01

    • SSDEEP

      12288:WgD9eZ8DvlbUUp0qAMlyveojV0uGO27fY6WntFmPkTJCkoqDwlcbgQtRJd98f+se:WoeZUdUw2d8w6MXmPkckddH

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of SetThreadContext

    • Target

      61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd

    • Size

      1.4MB

    • MD5

      c58f3effb9efb892109332a676aae546

    • SHA1

      c1dced7e3e3b49f23cc0125589cc5b29d4055924

    • SHA256

      61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd

    • SHA512

      9c9329df603ad34b10437fc6313d61d273b603996a82f88e0d57af9e50ea86bb0cbb2134a3d4905b40fd73cd40222235739f4140cf4de19a3bea352af947adec

    • SSDEEP

      24576:a27mrhic6gvYbAKsy5Ulh3iXWl9557sK6X3ZO0GinMSvTNWfshnGmg/ykTPnewlm:anrhr/vAcWKv6X3o0GQN0s/g/ybDT

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6

    • Size

      118KB

    • MD5

      95c93ba88cbebbf97fa7aec965dac908

    • SHA1

      d71ca71cdcf375b7f55cf26d66e5f4b2b387bec4

    • SHA256

      78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6

    • SHA512

      4bddaca540dc9ea0039a735d254e4a30b06cd5a24dc696bcc9820126b00eae57977d80ffc3528e3c92b9981dbd241276132616e29ccf47a6adc044d65258f64a

    • SSDEEP

      3072:QjPR+2iJ6Cr/B+PHbsVLK3usN9bAeiLZU6pmoXX1:K+2i7/B+gMec9bdg

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Downloads MZ/PE file

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453

    • Size

      45KB

    • MD5

      5af5a9087ecf42eb83fb358d49b06e92

    • SHA1

      0d4a5c5d90e6306c476036ca097a01a17b4295db

    • SHA256

      878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453

    • SHA512

      d0608f648dd26b81d262741c373737dba3bfeb1508f86d8c448ec634a78bd9f86f52961d22cf027418c5012f2f7388928480495003dfeac7b94deb590bb7d22c

    • SSDEEP

      768:Qu08dTbAoeyWUE++Ymo2q8EpL2d78tPIAzjbygX3i46U44rylUVkBDZax:Qu08dTbfz2ESA3b1XSHULy9dax

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754

    • Size

      810KB

    • MD5

      16ddab2483d7281fb61fc3537fff886e

    • SHA1

      e33e073023d425e052c23f739c1fd8befa51476b

    • SHA256

      922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754

    • SHA512

      4e328a032763e8e8b3c133f24f0364c97f40eae25ebc288836ce1af6745b69baf08c00498223d1e0f6882dc9325a723e90d2960d389aa0a31a80282425c45de9

    • SSDEEP

      12288:zFE4TC330BjGSm2nIBQDNpSZY5fpbhQOtkd4CzySphGMyb9027C6yKbDSpX4Vu78:9EBOAT+ONkY8IBQmS8R6Nx

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad

    • Size

      42KB

    • MD5

      97481bcfd96a1bee367aed197aaa62f6

    • SHA1

      407e6b50c111909067a630f4acbd86c0ca90512e

    • SHA256

      98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad

    • SHA512

      b46e1eab0ce7d0926c3970e1832db467b2c74959c5117641e7ae543df7d83f650f42d2e214c922ac47b6649969075fd48d62bd3e1313990a2926cb0367f06a87

    • SSDEEP

      768:LRhQkBZ6an8z5pDtshuZNL4qTjZKZKfgm3EhMZ:F1n8z5PsoL4qTlF7EyZ

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Mercurialgrabber family

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f

    • Size

      101KB

    • MD5

      4c8326862379b2d2d6fbc47a8c33777b

    • SHA1

      3d5d4d3f340ca4c1e004fa25588cff11f5034e3b

    • SHA256

      b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f

    • SHA512

      3cc74d73d8548a9a16d4cb3921c40a0641d5c0818c81d494f6fff5b16d9389c31da825dc9e1f3fa81d8b2a72b659a51c1f57047aac98cb56f1234bfab99d02e7

    • SSDEEP

      3072:j5j9XUQdkDsRDiqtNDLXMbPbNYLKGoNbCyfN:Vj1yWi2NPM9b

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

ratdefaultnanocorenjratstormkittyasyncratmercurialgrabber
Score
10/10

behavioral1

discovery
Score
6/10

behavioral2

discovery
Score
6/10

behavioral3

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral4

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral5

redlinesectopratdiscoveryinfostealerrattrojan
Score
10/10

behavioral6

redlinesectopratdiscoveryinfostealerrattrojan
Score
10/10

behavioral7

njrathackeddiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan
Score
10/10

behavioral8

njratdiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan
Score
10/10

behavioral9

stormkittydiscoverystealer
Score
10/10

behavioral10

stormkittydiscoverypersistenceprivilege_escalationspywarestealer
Score
10/10

behavioral11

asyncratdefaultdiscoveryrat
Score
10/10

behavioral12

asyncratdefaultdiscoveryrat
Score
10/10

behavioral13

lokibotcollectiondiscoveryspywarestealertrojan
Score
10/10

behavioral14

lokibotcollectiondiscoveryspywarestealertrojan
Score
10/10

behavioral15

mercurialgrabberevasionspywarestealer
Score
10/10

behavioral16

mercurialgrabberevasionspywarestealer
Score
10/10

behavioral17

evasionpersistenceprivilege_escalation
Score
8/10

behavioral18

evasionpersistenceprivilege_escalation
Score
8/10