General
- Target: bbdfbae01162597428b8a4538245e09cb393945a54bea8cea69d6307ab60fe43
- Size: 90.2MB
- Sample: 241108-sezd3svbkn
- MD5: a39f8cc07a7b3c6db1cfaad3e4b3383e
- SHA1: 8e7aeba56e32a4301bd1eb633ee1514e9d26a711
- SHA256: bbdfbae01162597428b8a4538245e09cb393945a54bea8cea69d6307ab60fe43
- SHA512: 93186a07eb3aae69a12763a2e52212472ed42ad1110018ee6110e6be0b9d2312508e80c4f9383f0adc1a0c9c0eef1b99a2cf51ee81de8edbb74e3c89864b175d
- SSDEEP: 1572864:yv9864dtqYvtZ0Evj4a+LmNwnUgqezUogaeNy5vX9lvHAXbiAuUkhBH/i:699YVZFs9m2UgqeUacy5v9lYXmAHkvH6
Static task: static1

Behavioral tasks (task - Sample - Resource):
- behavioral1 - 00c50c96fd2b57f718d98eb68cbcfa47c01f585a05babdf1b2cbf8c6491cd39a.exe - win7-20240903-en
- behavioral2 - 00c50c96fd2b57f718d98eb68cbcfa47c01f585a05babdf1b2cbf8c6491cd39a.exe - win10v2004-20241007-en
- behavioral3 - 024bf5f59189e5578dabdef60f55f1675f6563ba9f3cc028397596c0b3a58ce8.elf - ubuntu1804-amd64-20240729-en
- behavioral4 - 024bf5f59189e5578dabdef60f55f1675f6563ba9f3cc028397596c0b3a58ce8.elf - debian9-armhf-20240418-en
- behavioral5 - 024bf5f59189e5578dabdef60f55f1675f6563ba9f3cc028397596c0b3a58ce8.elf - debian9-mipsbe-20240611-en
- behavioral6 - 024bf5f59189e5578dabdef60f55f1675f6563ba9f3cc028397596c0b3a58ce8.elf - debian9-mipsel-20240611-en
- behavioral7 - 05a6f0219a5a1d798e6765a35d9e6c03160fb0153dcedec3b090e8237a1f8937.exe - win7-20240903-en
- behavioral8 - 05a6f0219a5a1d798e6765a35d9e6c03160fb0153dcedec3b090e8237a1f8937.exe - win10v2004-20241007-en
- behavioral9 - Bank Swift Xlsx.exe - win7-20240903-en
- behavioral10 - Bank Swift Xlsx.exe - win10v2004-20241007-en
- behavioral11 - 07a5d8fbad6ee496b8ff07c1e8085a92a892b2788c5fa2a5d7e599080b6fd532.elf - debian12-mipsel-20240221-en
- behavioral12 - 07f22e9c1e4b0a1fadcbc9c8e5fd33f396f4415fe88901bab89756521d765809.elf - ubuntu1804-amd64-20240729-en
- behavioral13 - 07f22e9c1e4b0a1fadcbc9c8e5fd33f396f4415fe88901bab89756521d765809.elf - debian9-armhf-20240418-en
- behavioral14 - 07f22e9c1e4b0a1fadcbc9c8e5fd33f396f4415fe88901bab89756521d765809.elf - debian9-mipsbe-20240611-en
- behavioral15 - 07f22e9c1e4b0a1fadcbc9c8e5fd33f396f4415fe88901bab89756521d765809.elf - debian9-mipsel-20240611-en
- behavioral16 - 083428863c14a04d4a179a3e0b21e9349805585226f971fc43c4784842271f74.elf - debian9-armhf-20240611-en
- behavioral17 - 08f364a8accfbfc972aeca76586e11ab3367a663dd31e6d046cb9973b6da88b0.elf - ubuntu1804-amd64-20240729-en
- behavioral18 - 08f364a8accfbfc972aeca76586e11ab3367a663dd31e6d046cb9973b6da88b0.elf - debian9-armhf-20240418-en
- behavioral19 - 08f364a8accfbfc972aeca76586e11ab3367a663dd31e6d046cb9973b6da88b0.elf - debian9-mipsbe-20240611-en
- behavioral20 - 08f364a8accfbfc972aeca76586e11ab3367a663dd31e6d046cb9973b6da88b0.elf - debian9-mipsel-20240611-en
- behavioral21 - 0a52f644a577430406569d01e8257e9d30917fa2e535a789b42e019fd132f30d.elf - ubuntu1804-amd64-20240729-en
- behavioral22 - 0a52f644a577430406569d01e8257e9d30917fa2e535a789b42e019fd132f30d.elf - debian9-armhf-20240611-en
- behavioral23 - 0a52f644a577430406569d01e8257e9d30917fa2e535a789b42e019fd132f30d.elf - debian9-mipsbe-20240418-en
- behavioral24 - 0a52f644a577430406569d01e8257e9d30917fa2e535a789b42e019fd132f30d.elf - debian9-mipsel-20240611-en
- behavioral25 - 0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab.exe - win7-20241023-en
- behavioral26 - 0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab.exe - win10v2004-20241007-en
- behavioral27 - 0b85f1a068b41f2529481734b5385e394f87d9da47c333327b23462b6e4ea29d.elf - ubuntu1804-amd64-20240611-en
- behavioral28 - 0b85f1a068b41f2529481734b5385e394f87d9da47c333327b23462b6e4ea29d.elf - debian9-armhf-20240418-en
- behavioral29 - 0b85f1a068b41f2529481734b5385e394f87d9da47c333327b23462b6e4ea29d.elf - debian9-mipsbe-20240729-en
- behavioral30 - 0b85f1a068b41f2529481734b5385e394f87d9da47c333327b23462b6e4ea29d.elf - debian9-mipsel-20240611-en
- behavioral31 - 0c16b313253259d25a77c5019df1985e6c356c56f4ce19f8119829efec7db43d.exe - win7-20240903-en
Malware Config (extracted configurations, one entry per extraction)
- mirai (LZRD)
- mirai (DEMONS)
- mirai (LZRD)
- mirai (DEMONS)
- mirai (DEMONS)
- mirai (LZRD)
- mirai (DEMONS)
- mirai (LZRD)
- pony: http://afobal.cl/mine/gate.php
  payload_url: http://myp0nysite.ru/shit.exe
- bitrat: version 1.38, 212.192.241.41:6841
  communication_password: e72610b23aa4dbaeb87425418271ad12
  tor_process: tor
- mirai (LZRD)
- mirai (DEMONS)
- oski: aegismd.ca/cgi/
- mirai (LZRD)
- mirai (DEMONS)
- mirai (DEMONS)
- mirai (LZRD)
- mirai (DEMONS)
- mirai (KYTON)
- agenttesla: Protocol: smtp - Host: webmail.ombakparadise.com - Port: 587 - Username: [email protected] - Password: ce$%^mirah
- raccoon: version 1.7.3, e593428d572f64087cbbaacf2f970ff1f26a86b7
  url4cnc: https://telete.in/opa4kiprivatem
- redline: 193.56.146.60:51431
- redline: version 26.07, 185.215.113.15:61506
- lokibot:
  http://rnofinancial.com.au/wp01/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets

Target: 00c50c96fd2b57f718d98eb68cbcfa47c01f585a05babdf1b2cbf8c6491cd39a.exe
- Size: 492KB
- MD5: b53b50b3e0463aa12561ed9bbe79d0c7
- SHA1: a841c492247ed3c9f74a71f319954e2a6da33a90
- SHA256: 00c50c96fd2b57f718d98eb68cbcfa47c01f585a05babdf1b2cbf8c6491cd39a
- SHA512: 47037e1e022b14a92ffdaf5a78a5c271276f2916d67bc77818c61b7c291a74f832240fe328a4c1663fc8295a0ed7027597e19c766af772bafb73e14c381bfcfb
- SSDEEP: 12288:up4NfMcjsHTXixKY9uPMsNguqrPBz/GQbVKUlHZGl/ymL:ZNUrixKY9kNGPBVb95EymL
- Raccoon Stealer V1 payload
- Raccoon family

Target: 024bf5f59189e5578dabdef60f55f1675f6563ba9f3cc028397596c0b3a58ce8.elf
- Size: 82KB
- MD5: 4ca737c5620dd9cbbcb53d2d9dfa83b2
- SHA1: 1c0623ae4e0c5bd95107934e1939b60ab097a216
- SHA256: 024bf5f59189e5578dabdef60f55f1675f6563ba9f3cc028397596c0b3a58ce8
- SHA512: 7b2795fe42bf1b484084fe9f27658abd6cf7ec4aacb14a2da6163e97715ae22f06277fb237a2c65c92916e81a363f8274c22699db6ae7e93d47b753791bf45b5
- SSDEEP: 1536:x5n2c+hLIS1s8F+a9Tp7dg1n8G7q7qUkweOfFC6yA5Dpkp:xBjZS1W+W18AALfFC6yA5Wp
- Score: 1/10

Target: 05a6f0219a5a1d798e6765a35d9e6c03160fb0153dcedec3b090e8237a1f8937.exe
- Size: 992KB
- MD5: 22b3832571cf3a8d67d972e318c3b30c
- SHA1: 3beeef7f246cbc69844de14fb737a0cc10708881
- SHA256: 05a6f0219a5a1d798e6765a35d9e6c03160fb0153dcedec3b090e8237a1f8937
- SHA512: 241a44c324eb547e72aef055f82074f0d0cb118e45514efb532ae45a90f99025d9f6a6e21a36fbd1ff6b974f43abb10aaafd990d4c97fceda8a3570492380bb6
- SSDEEP: 24576:pW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+hu3A8b:wiecSS5+ijXLQgol
- Lokibot family
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: Bank Swift Xlsx.exe
- Size: 835KB
- MD5: 1d7ebed1baece67a31ce0a17a0320cb2
- SHA1: f0b75348be8941ee8b1ce41bfa70dbec406b5cd4
- SHA256: ace3a5e5849c1c00760dfe67add397775f5946333357f5f8dee25cd4363e36b6
- SHA512: 0ccc839f8394bc2b37d57b08dfd6e493c8d1863ab3a18c05eb7de371f4e1d579c1ef243399c1f1b478ead86cc33ceaca7600edbfc242c1f6a1b72cca58ba255d
- SSDEEP: 12288:QWtNVnLn/weHuJB5eL0Y+3hof+t5YCkFf6JqqXGr0Ql6:ptXLnoEpQKf+orFsqqXq0Qo
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- AgentTesla payload
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext

Target: 07a5d8fbad6ee496b8ff07c1e8085a92a892b2788c5fa2a5d7e599080b6fd532.elf
- Size: 89KB
- MD5: b6cc1d875a376de217f1d8f3f8e9ae4e
- SHA1: d9b3ac59fe91b10619ece637287d61f8d3257946
- SHA256: 07a5d8fbad6ee496b8ff07c1e8085a92a892b2788c5fa2a5d7e599080b6fd532
- SHA512: eb1daa441d99122b7a91cd82e8500b2d9443ed56456525f80db255f037162becf556c5e858e213f3554fb365885ad6a1bb8077ac178133424ee76b24777f87d1
- SSDEEP: 1536:NYCYxrXP40ODyPwHRQ9PlzTRfyToNoZq5i:qCYxrKDy46Ne
- Score: 9/10
- Contacts a large (19928) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Enumerates running processes
  Discovers information about currently running processes on the system.

Target: 07f22e9c1e4b0a1fadcbc9c8e5fd33f396f4415fe88901bab89756521d765809.elf
- Size: 66KB
- MD5: fadd45ac0861382c0451c23160a9eb40
- SHA1: a1dd02367ea66751e6e94a557400304ae565833a
- SHA256: 07f22e9c1e4b0a1fadcbc9c8e5fd33f396f4415fe88901bab89756521d765809
- SHA512: 7fb705266db977a61f096de56218e1b6f00974fad28bea7abe0ad360c6ce506aa86a3a244e6a75b4d84e3c468a6a71f111d9adeb5f67e51fd86d5ab78109954c
- SSDEEP: 1536:HtDk+zX0QboUK99VB13wRaXb/E1WbIRVcxJa10q:qkE6pKPVB13oaX41WbIRVo4N
- Score: 1/10

Target: 083428863c14a04d4a179a3e0b21e9349805585226f971fc43c4784842271f74.elf
- Size: 43KB
- MD5: 70504e546caa3236769026e43226f444
- SHA1: 09f054c8ce8f655d8b6e1d075ffdf404b09f3378
- SHA256: 083428863c14a04d4a179a3e0b21e9349805585226f971fc43c4784842271f74
- SHA512: b0adf569522f9e6f946ba5df5f3a42cc631f414a71e926ea8b65674f04af6ae3535600a2c8003dc83e777d1a1167e1bf98aa0fca20a3da4284c0860f6ed1613d
- SSDEEP: 768:NgG29vPG0qcgvRHMv6TONIFJibXyINWoE3RN548m0C9knVfqiGCHLRRQUCgq3U7A:NwtGhcgviv+vFAyoElxC8fqIHRVA
- Score: 7/10
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Target: 08f364a8accfbfc972aeca76586e11ab3367a663dd31e6d046cb9973b6da88b0.elf
- Size: 64KB
- MD5: 97878b01745d44d58b6d2a22e850fd35
- SHA1: 8d1ce62daa26d72c0af27481e1e3d10a4d65ee80
- SHA256: 08f364a8accfbfc972aeca76586e11ab3367a663dd31e6d046cb9973b6da88b0
- SHA512: d310403b527b546f5fca71420cd8ad13ce206dfda5d5555c7ea1dacc9e34511a5cc5e5189692fb944c843c35090d0f4d1f02d3c80f4f2a21f6ff9cfc7006fabb
- SSDEEP: 1536:K/ue90IlCalyZyuhx+vACs2U/SO/Sfs3zO/QSwtPlCXGi:KGejAGyZyuhxaU/Sjf+iYdtPlg
- Score: 1/10

Target: 0a52f644a577430406569d01e8257e9d30917fa2e535a789b42e019fd132f30d.elf
- Size: 114KB
- MD5: 7bd98317b305d563ca8f0a939e2a1fc9
- SHA1: 684f6e5d876624311d1c5379f7820a6ed345efe5
- SHA256: 0a52f644a577430406569d01e8257e9d30917fa2e535a789b42e019fd132f30d
- SHA512: d55ebfa4ffab192e3bd26d204f1b02579518eb1437541e1438344dd3b20c6459d14c4cced21bcb01edeafdbed7645e38d5ff1ff83519b91b235e554f3fa212eb
- SSDEEP: 3072:kLcBxe66f7vJqyX6HTYwsSY+CrvgMWFq:k/kHT3tbiuq
- Score: 1/10

Target: 0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab.exe
- Size: 395KB
- MD5: 97e8e525e2fc27c2634da7d235f5ff5c
- SHA1: 63e628501bd54422ebfc6857039d50fd97cbe55d
- SHA256: 0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab
- SHA512: 4cf5470c485449c02f48fface72e7e729916854399ca41f8fb2a701b73bed4b78a46233b9f0f79efda95874789b4d3953f4640272275fa823339eb970614fdb9
- SSDEEP: 12288:DcyFrVdwvwFGB3yVywS1B0a7OkeOMSBM:LVdwvwFi1eMeOMiM
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family

Target: 0b85f1a068b41f2529481734b5385e394f87d9da47c333327b23462b6e4ea29d.elf
- Size: 36KB
- MD5: 7481ff2091954fd2ab2fb4975488d789
- SHA1: 8cbbf87c2a2878bd72343afcd30d884f34268939
- SHA256: 0b85f1a068b41f2529481734b5385e394f87d9da47c333327b23462b6e4ea29d
- SHA512: ebb90412d612c00eaf178deaa3a30e080209ac2f6d9938b4e81beeda8da42bef95fc359350fee4388e0d1a8dc0873f4b1fac4dd13628322ed3af54b6726ce75b
- SSDEEP: 768:BaNfTKoBrodeLmoSndj7FCsomkvBZCTCeqn/1v:BaNTaeyndjp8DqTCeqt
- Score: 1/10

Target: 0c16b313253259d25a77c5019df1985e6c356c56f4ce19f8119829efec7db43d.exe
- Size: 387KB
- MD5: 25b64c0bad59caa2bb89de749ce69e2b
- SHA1: 26bd53222cdce89e0ab183db7fa9df6dd489982b
- SHA256: 0c16b313253259d25a77c5019df1985e6c356c56f4ce19f8119829efec7db43d
- SHA512: 930569743201567d74d32e34361ad13b801c6ef492543d805a1ba1553a4aa037738214e4b8e3546a69187b72478072c78ee526e77ebb77d1113e463ea6e0e173
- SSDEEP: 6144:xGxKyQeB6QKtS676NFfVWHC7HVWTU7HSVAzi5EvCr3YtodCePW1C:t3eB9YS6uN3WizA4HSCWWubSC
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family

MITRE ATT&CK Enterprise v15 (technique - number of hits)

Credential Access
- Credentials from Password Stores - 1
- Credentials from Web Browsers - 1
- Unsecured Credentials - 1
- Credentials In Files - 1

Discovery
- Network Service Discovery - 2
- Query Registry - 2
- System Information Discovery - 2
- System Location Discovery - 1
- System Language Discovery - 1
- System Network Configuration Discovery - 2
- Internet Connection Discovery - 2
- System Network Connections Discovery - 1