Overview

overview

10

Static

static

10

Bird.exe

windows7-x64

10

Bird.exe

windows10-2004-x64

10

Crystal.exe

windows7-x64

10

Crystal.exe

windows10-2004-x64

10

Install.exe

windows7-x64

10

Install.exe

windows10-2004-x64

10

Minecraft_v4.4.exe

windows7-x64

10

Minecraft_v4.4.exe

windows10-2004-x64

10

NewHacks.exe

windows7-x64

10

NewHacks.exe

windows10-2004-x64

10

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Software p....5.exe

windows7-x64

9

Software p....5.exe

windows10-2004-x64

9

file3.exe

windows7-x64

8

file3.exe

windows10-2004-x64

8

forcenitro2.4.1.exe

windows7-x64

7

forcenitro2.4.1.exe

windows10-2004-x64

7

nitro_gen.exe

windows7-x64

10

nitro_gen.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818

  • Size

    94.7MB

  • Sample

    241109-exalsazpck

  • MD5

    b9b414f4e571e0c4f9da77661c1249ad

  • SHA1

    b01cb7b103fee5354a15726d5f88427fc93c9018

  • SHA256

    c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818

  • SHA512

    8861e3879418ceb6a689dc9cd7ec47616a8e36cf138f4f02bc4952bb92105e09273d7676bbf548351feef904a0f4ed9b86499f70cca611e4ae06377f9333910b

  • SSDEEP

    1572864:65IMON8lnLEZ6+pqWdAeC8NgZtzPUlAddpvapy4jnuMnmF7Fdh1kIC+qYlkVcsgk:UBLEg+pqWdSPtIIapyguMSJfOICIkusz

Score
10/10
44caliberechelonredlinesectopratasapboss8ninja0809collectiondiscoveryevasioninfostealerpyinstallerratspywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

Ninja0809

C2

185.92.73.140:80

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/854449200544481340/h9Qp-FHl7aROvxHN_j_GBe2W_7GEv-jYyr5ljRUrqO18MRY3RYt72njct-cF-n2sdbCe

Extracted

Family

redline

Botnet

asap

C2

45.14.49.109:54819

Extracted

Family

redline

Botnet

boss8

C2

109.248.201.150:63757

Targets

    • Target

      Bird.exe

    • Size

      1.9MB

    • MD5

      2ef0cc6f0f8aa2534e103b829e270e1d

    • SHA1

      c146681a98d585012791c2e9504caacba25becc9

    • SHA256

      822c95f975773e71f49d3ed2c9afa87d6d27d245c7f5a4a9439278e27ee0ae64

    • SHA512

      56efa1b2e849ad5d836034a3f7992edec6e24914a80a8a1a03b29953082a0e898bace35705a76ce6660188c3954370c0c63d105c3c51f03441aadb94d590ee4a

    • SSDEEP

      49152:UehSFpgl8ZovDXNVBECKYLNDMBp6/FMe/MoNgd:Ue4FpglOo5KMDMBp6/FB/+

    Score
    10/10
    sectopratdiscoveryevasionratthemidatrojan

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Crystal.exe

    • Size

      3.0MB

    • MD5

      d59c7cc6f109cb59fa55309f4f829692

    • SHA1

      18c2361058540fdf9684ba07cef04085d90dbaa2

    • SHA256

      a35bb31351cf385fe52b27c02642f2f99aed0d8fd472b4df12bf508faf3426d3

    • SHA512

      532d135a1009a4a4985cbf15ad1cd1fe35a2ea5bb1a8ce15da5c2f5f6d7cb9b07491715b24539ad36702c664fb71e98a4f3aca1753691de5a02d73caa87bbc00

    • SSDEEP

      49152:KDaBkTKFi1vosNsqTGmCOicY/TCJyMRrCUXVgGdCMKxdaFVOJjg5BRifqGkuPSXv:GaBEvo1qTga4AJTldCZmcUTRwkv1rlxB

    Score
    10/10
    sectopratdiscoveryevasionratthemidatrojan

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      Install.exe

    • Size

      317KB

    • MD5

      cf31bb1b26f00448ed2f1359d403fa59

    • SHA1

      22ab9cc3bdce1e177f5fac0e745229dacde1d07a

    • SHA256

      1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71

    • SHA512

      05541d9938c80c860e18cd29e3b708000fb90a89f217a1cf0faf2ced29c26dfb6dd395d12178e34f72ab386991f21cba71f8659fd99a649c81b4bf65ae86d998

    • SSDEEP

      6144:QJ5m8CQqj8bx5yoZQPg7nju+dEd7DhTd+IJN00nm7knGyHM:QJ5s8VkoZmg7fdEd7VhxZmI

    Score
    10/10
    redlinesectopratasapdiscoveryinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat
    behavioral5behavioral6

    • Target

      Minecraft_v4.4.exe

    • Size

      1.3MB

    • MD5

      d60df4a3ea6bce524650ba94f6339e39

    • SHA1

      4805dc2d49d362028d48af9142f1abbe313e78c6

    • SHA256

      172b6209ca78d8006297f41fded71268689f8b9be88513673af4420c12176c75

    • SHA512

      8991e4b8b7b7602c8a8c2ea69bcb537d8d9c176ff79d151a7337334366dd9c637fc057f541298e92194f5a3a346423dfb7eca0a3e0b941b3bde59232ab5dce67

    • SSDEEP

      6144:BLlHHQKiZmkr2w1gwf4BuQLljN7geGR/6UkxChx4ZfAb7nC0WEG05iTemWT:BLlnQbx11f4ljGbFhkxChx4S95dmWT

    Score
    10/10
    redlinesectopratboss8discoveryinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      NewHacks.exe

    • Size

      1.1MB

    • MD5

      d59bf492da2f21db13264aba7b40f464

    • SHA1

      c69eadf5aa174c34c90445548d5b2d5888957eae

    • SHA256

      4732655de9b6a0497a825ab53ef9e8c3db1a9d1520d1ae505ec2b07df305cef1

    • SHA512

      f781f75e84f88c9aa015644ba5744d5b360951fc753d054f2e999244907baae5a109563c5b4817a2e7ee2f91c2048366552d22364e593503ba8aec05ce4cef59

    • SSDEEP

      12288:74OAp4Hqw3QMrTM6TgMcnFO1sQATEQkhXdwWjgRNKjyjlG7bWsd:74OAp4KQrTMhOGRTodwWjWjlGes

    Score
    10/10
    echeloncollectiondiscoveryspywarestealer

    • Detects Echelon Stealer payload

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

      stealerspywareechelon

    • Echelon family

      echelon

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral10behavioral9

    • Target

      Setup.exe

    • Size

      373KB

    • MD5

      362fdb2e05006cd91ae2d090179b4642

    • SHA1

      b369e9475eea2e950112592944df5f2b88468fb9

    • SHA256

      574e22b44f2b1a0af1e8344a2e674d62c246287fa41c9ee3725120bc329a8a89

    • SHA512

      03b049d1214d55e0f8c64b617a8ad04c4aed8a4d97a4bb141c8165fb4d77253291c599f949789b88b6c95fee0a84b4d88b4073e5526269a80dfb57aaab46adff

    • SSDEEP

      6144:YoJy3BwMMp7pjyp1UpjomkaKL0l7aRHeh/IpxA3q+/spImOc8ghwBmVea0lHC7aZ:5Lpj+Fmkz9ehQQ6sspImOc8owba0lRdf

    Score
    10/10
    redlinesectopratninja0809discoveryinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      Software patch v2.0.5.exe

    • Size

      3.1MB

    • MD5

      d03337f5bb060e48c67e625084d48a84

    • SHA1

      89d89fe1aeb5b69b2e5e9fdea533c4e32e5ae887

    • SHA256

      010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f

    • SHA512

      4106c6922d175bbaa947a0a03783d39fe44936fa7ec5079dafece596f8378f326b0f094c0433f3f363aaad9ed6f81c7da5273347abc18031c88be79fe3c4ea56

    • SSDEEP

      98304:VgQR+uxJXmATDLZIg9Bvk3/+49UlMuyTok:Os33Jsm4ARE

    Score
    9/10
    discoveryevasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral13behavioral14

    • Target

      file3.exe

    • Size

      743KB

    • MD5

      4d4bc0c39fc901c1a86ef43fc3bf189a

    • SHA1

      4736a94c30917e695ebf58f674632575e383d571

    • SHA256

      1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

    • SHA512

      62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

    • SSDEEP

      12288:pY20AljdZgBPfKf8+QxAogJfqsUsz0cX0eqUW7Yo63X7ZqNFi2fMM7Ms:e20gPgFKU+QxAVBbIcXT07YoCSNhp

    Score
    8/10
    discoveryevasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral15behavioral16

    • Target

      forcenitro2.4.1.exe

    • Size

      78.9MB

    • MD5

      d292c1fe9f36882b01bd70a2b0aa391c

    • SHA1

      72b0aa6d32e09ced66a3c10414e02e84569e009e

    • SHA256

      a5c3478916ed2c028f824b22b73fc10699be8640b308e5986b7490a1ac818da3

    • SHA512

      138acc03b072806327f03ab6149d2ca86e53ceee33420362047a2e86c800d6c7aaa21401c0a8c2eae627e42f17b2afb6a58e0a6a9eddffa2b330a85bf31a91e6

    • SSDEEP

      1572864:vBrTvQJaVQ3L6y14qMZJQsl6R7EYvrFn97PSAGJAVP5ieBmhxU:5rTvQJiQD14q4cRB7RVBFoxU

    Score
    7/10
    discoveryspywarestealer

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral17behavioral18

    • Target

      nitro_gen.exe

    • Size

      6.9MB

    • MD5

      fb4d683e3ae0f7d5e33df5bf301daa58

    • SHA1

      36a1de1d727c726aba7dab2b2937be337c538348

    • SHA256

      d684eb2255665b6953a3ce3f23721d4130987ffa61ad69482fd706392ab9bf3e

    • SHA512

      ccb13161a680f80fd6e93956bc50d3c070c344c36096118240b2159cdbf6ad866fb68b0257e8bbd156cec5dbf77195ef405ef1ddc0c92fa4d5166548b49d4554

    • SSDEEP

      196608:aaMDtIiXP2B0r3he64mCtabd1MEXltYYgsDG:aaUJtrReIHd1ME5Ri

    Score
    10/10
    44caliberdiscoverypyinstallerspywarestealer

    • 44Caliber

      An open source infostealer written in C#.

      stealer44caliber

    • 44Caliber family

      44caliber

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Tasks

static1

themidapyinstallerechelon
Score
10/10

behavioral1

sectopratdiscoveryevasionratthemidatrojan
Score
10/10

behavioral2

sectopratdiscoveryevasionratthemidatrojan
Score
10/10

behavioral3

sectopratdiscoveryevasionratthemidatrojan
Score
10/10

behavioral4

sectopratdiscoveryevasionratthemidatrojan
Score
10/10

behavioral5

redlinesectopratasapdiscoveryinfostealerrattrojan
Score
10/10

behavioral6

redlinesectopratasapdiscoveryinfostealerrattrojan
Score
10/10

behavioral7

redlinesectopratboss8discoveryinfostealerrattrojan
Score
10/10

behavioral8

redlinesectopratboss8discoveryinfostealerrattrojan
Score
10/10

behavioral9

echeloncollectiondiscoveryspywarestealer
Score
10/10

behavioral10

echeloncollectiondiscoveryspywarestealer
Score
10/10

behavioral11

redlinesectopratninja0809discoveryinfostealerrattrojan
Score
10/10

behavioral12

redlinesectopratninja0809discoveryinfostealerrattrojan
Score
10/10

behavioral13

discoveryevasionthemidatrojan
Score
9/10

behavioral14

discoveryevasionthemidatrojan
Score
9/10

behavioral15

discoveryevasion
Score
8/10

behavioral16

discoveryevasion
Score
8/10

behavioral17

Score
7/10

behavioral18

discoveryspywarestealer
Score
7/10

behavioral19

44caliberdiscoverypyinstallerspywarestealer
Score
10/10

behavioral20

44caliberdiscoverypyinstallerspywarestealer
Score
10/10