General
-
Target
dd6f0b9730529cfe145d5585eccfb6c68510758d16ffd02043bd1fe73842ee1b
-
Size
2.6MB
-
Sample
241107-tzeqvawbpe
-
MD5
6112c5ef840aebcbd67f1a8e5242da62
-
SHA1
2119c46a747c65af5fe3f0ce2af07946a3663026
-
SHA256
dd6f0b9730529cfe145d5585eccfb6c68510758d16ffd02043bd1fe73842ee1b
-
SHA512
ec9d7355ef2f18d66e4c90091082ab91344aa612a08e6a38f7ec63e1902ecdf695afa7fa776ee2c66c6295a776e00df1254d5538f84947878ea0569344f17227
-
SSDEEP
49152:Nhb7HICi0LaXyacGy9gCdWfyFqPfaiu9dKrswCEXN3Apho5Yvr3o:Ri8aUWXy7Krshc3ABY
Behavioral task
behavioral1
Sample
15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
nanocore
1.2.2.0
24.101.234.141:4782
mcserversetup.serveminecraft.net:4782
aab349ae-4ff4-4729-b556-ac9cc2396c71
-
activate_away_mode
true
-
backup_connection_host
mcserversetup.serveminecraft.net
-
backup_dns_server
84.200.70.40
-
buffer_size
65535
-
build_time
2021-04-19T21:05:14.073842536Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4782
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
aab349ae-4ff4-4729-b556-ac9cc2396c71
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
24.101.234.141
-
primary_dns_server
84.200.69.80
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
7990
Extracted
asyncrat
0.5.7B
Default
206.123.141.239:7777
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
12376w8q09dq.exe
-
install_folder
%AppData%
Extracted
mercurialgrabber
https://discord.com/api/webhooks/862165160868446228/lezUoxbmSKnQaLw4wvOac8i367NaU-u-NtZxLFuqODKoe-_rUnWLyrpHUCVBrouo6vPN
Extracted
lokibot
http://185.227.139.18/dsaicosaicasdi.php/nGBv5iZqdfzrl
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
redline
newlife957.duckdns.org:7225
Extracted
njrat
0.7d
HacKed
8.tcp.ngrok.io:12342
602fdca88735a1a1338352d8ae49ef80
-
reg_key
602fdca88735a1a1338352d8ae49ef80
-
splitter
|'|'|
Targets
-
-
Target
15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa
-
Size
49KB
-
MD5
8cc63c91ed1bc3fa9202391e42364a50
-
SHA1
ea335ad31b2c19892ddc5d46a3a14ff0d1be0850
-
SHA256
15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa
-
SHA512
8fa5112f444339a0a7bee333078cd162eeee7d3d80b3a362f3cc785addea8fa682de92081129ffde6ebb6c71b42db22ee8ad6526655cb5eb74c004429b72d057
-
SSDEEP
1536:F/MwxLXpy3/pfZtwbjH/xwinmQb8b4znB:F/MwxLXpy3/pfZCuinDb8EnB
Score 6/10
-
-
Target
304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b
-
Size
203KB
-
MD5
76b5931a8eab2e7e98023a43c489bbbf
-
SHA1
033e6f5547c62a8650f449fc5b0034424f9b5f85
-
SHA256
304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b
-
SHA512
533f26e6379f35bf8aae578461b538ae891d9c00386476dab2235fc965655b35f0ca5433cd5c9c5c106b66369ef37c9e76c091e9635aad9dc2ca57af033344b1
-
SSDEEP
3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIGXzDtCihaFue8Y1WRFj7KV7i:sLV6Bta6dtJmakIM5/NC5x8Y167Y7i
-
Nanocore family
-
Unexpected DNS network traffic destination
Traffic on the DNS port (53) was observed to servers other than the DNS servers configured on the sandbox host.
-
Adds Run key to start application
-
-
-
Target
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb
-
Size
876KB
-
MD5
7e39e9345427ccc8be9a0137cef89742
-
SHA1
f6f24e1b571a0089c05d5a1e00116742f9e98a93
-
SHA256
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb
-
SHA512
9282a11b1a3be4bd721fd8f46c019a545b7ffe992f5daad7d50ab724094c30f807e3e96bac30c881760d1a66f080e69745284e5c46885181ce643383eb17af01
-
SSDEEP
12288:WgD9eZ8DvlbUUp0qAMlyveojV0uGO27fY6WntFmPkTJCkoqDwlcbgQtRJd98f+se:WoeZUdUw2d8w6MXmPkckddH
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT payload
-
Sectoprat family
-
Suspicious use of SetThreadContext
-
-
-
Target
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd
-
Size
1.4MB
-
MD5
c58f3effb9efb892109332a676aae546
-
SHA1
c1dced7e3e3b49f23cc0125589cc5b29d4055924
-
SHA256
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd
-
SHA512
9c9329df603ad34b10437fc6313d61d273b603996a82f88e0d57af9e50ea86bb0cbb2134a3d4905b40fd73cd40222235739f4140cf4de19a3bea352af947adec
-
SSDEEP
24576:a27mrhic6gvYbAKsy5Ulh3iXWl9557sK6X3ZO0GinMSvTNWfshnGmg/ykTPnewlm:anrhr/vAcWKv6X3o0GQN0s/g/ybDT
-
Njrat family
-
Modifies Windows Firewall
-
Checks computer location settings
Reads the country code configured in the registry, most likely to geofence execution by locale.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6
-
Size
118KB
-
MD5
95c93ba88cbebbf97fa7aec965dac908
-
SHA1
d71ca71cdcf375b7f55cf26d66e5f4b2b387bec4
-
SHA256
78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6
-
SHA512
4bddaca540dc9ea0039a735d254e4a30b06cd5a24dc696bcc9820126b00eae57977d80ffc3528e3c92b9981dbd241276132616e29ccf47a6adc044d65258f64a
-
SSDEEP
3072:QjPR+2iJ6Cr/B+PHbsVLK3usN9bAeiLZU6pmoXX1:K+2i7/B+gMec9bdg
-
StormKitty payload
-
Stormkitty family
-
Downloads MZ/PE file
-
Deletes itself
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453
-
Size
45KB
-
MD5
5af5a9087ecf42eb83fb358d49b06e92
-
SHA1
0d4a5c5d90e6306c476036ca097a01a17b4295db
-
SHA256
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453
-
SHA512
d0608f648dd26b81d262741c373737dba3bfeb1508f86d8c448ec634a78bd9f86f52961d22cf027418c5012f2f7388928480495003dfeac7b94deb590bb7d22c
-
SSDEEP
768:Qu08dTbAoeyWUE++Ymo2q8EpL2d78tPIAzjbygX3i46U44rylUVkBDZax:Qu08dTbfz2ESA3b1XSHULy9dax
-
Asyncrat family
-
Async RAT payload
-
Checks computer location settings
Reads the country code configured in the registry, most likely to geofence execution by locale.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754
-
Size
810KB
-
MD5
16ddab2483d7281fb61fc3537fff886e
-
SHA1
e33e073023d425e052c23f739c1fd8befa51476b
-
SHA256
922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754
-
SHA512
4e328a032763e8e8b3c133f24f0364c97f40eae25ebc288836ce1af6745b69baf08c00498223d1e0f6882dc9325a723e90d2960d389aa0a31a80282425c45de9
-
SSDEEP
12288:zFE4TC330BjGSm2nIBQDNpSZY5fpbhQOtkd4CzySphGMyb9027C6yKbDSpX4Vu78:9EBOAT+ONkY8IBQmS8R6Nx
-
Lokibot family
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad
-
Size
42KB
-
MD5
97481bcfd96a1bee367aed197aaa62f6
-
SHA1
407e6b50c111909067a630f4acbd86c0ca90512e
-
SHA256
98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad
-
SHA512
b46e1eab0ce7d0926c3970e1832db467b2c74959c5117641e7ae543df7d83f650f42d2e214c922ac47b6649969075fd48d62bd3e1313990a2926cb0367f06a87
-
SSDEEP
768:LRhQkBZ6an8z5pDtshuZNL4qTjZKZKfgm3EhMZ:F1n8z5PsoL4qTlF7EyZ
Score 10/10
Mercurial Grabber Stealer
Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information; the extracted configuration above shows it exfiltrating the collected data through a Discord webhook.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
-
-
Target
b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f
-
Size
101KB
-
MD5
4c8326862379b2d2d6fbc47a8c33777b
-
SHA1
3d5d4d3f340ca4c1e004fa25588cff11f5034e3b
-
SHA256
b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f
-
SHA512
3cc74d73d8548a9a16d4cb3921c40a0641d5c0818c81d494f6fff5b16d9389c31da825dc9e1f3fa81d8b2a72b659a51c1f57047aac98cb56f1234bfab99d02e7
-
SSDEEP
3072:j5j9XUQdkDsRDiqtNDLXMbPbNYLKGoNbCyfN:Vj1yWi2NPM9b
Score 8/10
Modifies Windows Firewall
-
Checks computer location settings
Reads the country code configured in the registry, most likely to geofence execution by locale.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Peripheral Device Discovery (2)
- Query Registry (8)
- System Information Discovery (8)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Wi-Fi Discovery (1)
- Virtualization/Sandbox Evasion (2)