Resubmissions

10-11-2024 21:28

241110-1bhk6avgrr 10

General

  • Target

    3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • Size

    973.8MB

  • Sample

    241110-1bhk6avgrr

  • MD5

    0523322523fc2607b21cf06ee2c06e2f

  • SHA1

    49924c11f7b22dbb1fec51402214a4b62f0c4da0

  • SHA256

    3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • SHA512

    a6ca6c07ece8ad4f4c832cf40bf35e267bfc56f34d0aa252b2cfdcc75ee7fd2b9aa55b547b849820163ca48bd05c9061c76d80756427950d2e5181ebace1ebae

  • SSDEEP

    25165824:cbjDAJklOVFPCJ4jMrhQVzccWZYSXn4yPPGwnSQuw:cbj8Sl66PhncWZYyWw6w

Malware Config

Extracted

Family

gafgyt

C2

185.28.39.15:839

Extracted

Family

irata

C2

https://iuskmmdm.ml

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

purecrypter

C2


Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

andrmonitor

C2

https://anmon.ru/download_checker.html

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

aurora

C2

176.124.220.67:8081

Extracted

Family

rhadamanthys

C2

http://104.161.119.221:8899/live-edge/nft.png

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

systembc

C2

95.179.146.128:443

146.70.53.169:443

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url


Extracted

Family

njrat

Version

0.7d

Botnet

Brouteurs

C2

forthewin.ddns.net:13337

Mutex

fc4dbf906d35a96ddea0300f5b82bfb3

Attributes
  • reg_key

    fc4dbf906d35a96ddea0300f5b82bfb3

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

XSSYE 1.0.8

Botnet

Default

C2

open.imgov.cn:8443

Mutex

91e5d29b47a7d36802e6e1151434cd02

Attributes
  • delay

    30

  • install

    false

  • install_file

    1111game.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

raccoon

Botnet

d1d6daf7a5018968dea23d67c142f047

C2

http://5.255.103.158/

Attributes
  • user_agent

    x

xor.plain

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    f9ff07c5a5e00d26196b3460b72ad41c90dbd24c7405de597560a9a72e3582dd

Extracted

Family

snakekeylogger

Credentials

C2

https://api.telegram.org/bot5542941782:AAFlsn_FCfYT7D_ZthXK_Udd4a15AE58_Wg/sendMessage?chat_id=2054148913

Extracted

Family

erbium

C2

http://77.73.133.53/cloud/index.php

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.valvulasthermovalve.cl/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

C2

https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocument

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.hebcongroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Hebron4567##@

Targets

    • Target

      002d23802f5e90492a340a0202f8082ddf84d3abdb7834bf7cb771c81161e0a9.elf

    • Size

      97KB

    • MD5

      1e8cc9f4c16c374177f461329237786f

    • SHA1

      f35fe030f7d0517ab756c9d58656bedba26b2b28

    • SHA256

      002d23802f5e90492a340a0202f8082ddf84d3abdb7834bf7cb771c81161e0a9

    • SHA512

      7742e6f72499d5062dfe515e1c4f8dbb58468ed7a9d25e11a15c9889d84ad468c1daae283dcecdfad239c8a8fc9d19ffbbe446b589a3f11d0112c82dccfc9f3b

    • SSDEEP

      3072:2K5ejA4jB4h89HOPQzM9FqVyH9W9vmrYuOHy+ZNzX:sHjBzuPQQtk9vmrYuOHy+ZNzX

    Score
    1/10
    • Target

      006e75ccf30448182c69a7f7bc7a4308caa78a87e6d834926599ce6b11e222e6.exe

    • Size

      17KB

    • MD5

      a61cf98f6e6632ad9bd479099d9d927b

    • SHA1

      e7ae73b6d1d13880987cf3a5c521d29cccee13b1

    • SHA256

      006e75ccf30448182c69a7f7bc7a4308caa78a87e6d834926599ce6b11e222e6

    • SHA512

      943dfac58f3de927537b223bc342b91a243e2928b83c9cfba2dd2e1df7ac11a7df3ccb977cabd1b4f4f8516c22dcf79c3c0d61009d0cf96e666264ac9dd0d923

    • SSDEEP

      96:Zsxdyk6qzopysGLr/AmXJ+D1sAUisxhlkmkJpW1ss8jn5VyoFELLSEzNt:Z+jop6Lr/Am5ayBiehlkhJzjfyoWau

    Score
    3/10
    • Target

      010b63314edf0d096b2c259cfc5b95fe28cae4d983e0ea547e13f8b16ff42c17.exe

    • Size

      828KB

    • MD5

      d4d95f3f533854c1c1ed9bebee0f2a90

    • SHA1

      f699decb2287964b748823e228110049e41a7f01

    • SHA256

      010b63314edf0d096b2c259cfc5b95fe28cae4d983e0ea547e13f8b16ff42c17

    • SHA512

      a2431065e17f5724146263b53419f1b6b1814e76f8db9b4d66dc59fcfb7b3e862197316691470ec62d30190e1119651b7ec38b8fe888772d47c26fbc817df5af

    • SSDEEP

      12288:Py10PPJaxEOCf5lpLR6AlADyjRkfsPzZ5EhH20tcLUh78ls1ufB5oR/yw1oQXRlX:WYufm5PCzhWs1QjotCRqt

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      017f252187d69448ce91bef978fabdd931c56a7f57d43ba3557da5c49b133e45.exe

    • Size

      505KB

    • MD5

      6884dcbdd39eaf2bff3a0e90b6e523b0

    • SHA1

      8564777f7a85ad39774f0ef36f53010fc5fca92c

    • SHA256

      017f252187d69448ce91bef978fabdd931c56a7f57d43ba3557da5c49b133e45

    • SHA512

      9c0dc0c3aa14dcfae8dcd5a3830931cdb7ae00110951699deb596d2a05f26782a556934cdb9cbd864cc3f6bed48d8ff14c9524f7615db60157a6c146f6ca98eb

    • SSDEEP

      12288:84VAalM2IxVuVb1vw5h3JvyOeEHMDmE2x:84eaxI32bWh3QOeEHMyE2x

    • Guloader family

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      792b6f86e296d3904285b2bf67ccd7e0

    • SHA1

      966b16f84697552747e0ddd19a4ba8ab5083af31

    • SHA256

      c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

    • SHA512

      97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

    • SSDEEP

      192:rFiQJ771Jt17C8F1A5xjGNNvgFOiLb7lrT/L93:X71Jt48F2eNvgFF/L

    Score
    3/10
    • Target

      Unmonumented/libEGL.dll

    • Size

      38KB

    • MD5

      52e5236766e1af45225031f69ecb87d0

    • SHA1

      20bd842e511ac01353f318042fb2a3edc24ea026

    • SHA256

      2f2f45c4719ac1e64440a49b7838a81c2a24de7662cf759ec1335017902a6f92

    • SHA512

      c4890f7127b880350af6b61d6735afcff9ba1854b1018864b87ab878c304c8a1d9c6701ef7cbd88f75050da071c78e9fe19e7c4a3156bc87ef00d9292372cb27

    • SSDEEP

      384:vzNSHR1I7jygakPISPMtVux5VDVYhwbRJER0n2JwK92uAvDG/GhqsC:vBSHkISPMtV2bV6iER0Wwe2pDGehZC

    Score
    1/10
    • Target

      025a7cc996fdece05721b7ac336a6e2e614f7a76b59f0a3aff2278e374ac7b12.exe

    • Size

      839KB

    • MD5

      afa883652b9ab9f8a9b711ee9293cd0b

    • SHA1

      4da0634c3923e7e917917a9934860f61180ed4a8

    • SHA256

      025a7cc996fdece05721b7ac336a6e2e614f7a76b59f0a3aff2278e374ac7b12

    • SHA512

      bf166b019961e6d00d5a8197dd3e3ecb6fe9384349c36b56559c271f02d0c228c8368dd52bceb53a01717d91da637a215645c0d73ebd1d1c2ae504b9055792a0

    • SSDEEP

      12288:X8/JndTo6no3kem8yYOiYI6JFsbCKRU6EfiY5J/17WtYA0Nvj:X8NdGUpdR26PyXU6Siq9paQp

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      026a0d5ada04432b47b8f00e05304f11c2f72374b522d0c906f919d115c4b0ed.exe

    • Size

      680KB

    • MD5

      f88ea086f3fd04ffc7e6fecd5ccaf4dd

    • SHA1

      6389ff2a136b9e3654e399f7f4d89b8ec82efbcb

    • SHA256

      026a0d5ada04432b47b8f00e05304f11c2f72374b522d0c906f919d115c4b0ed

    • SHA512

      de32cd5474628cd8f2cab211807370fc6bf698c5a98336df332b3c8a3a0d5d52da56517b77a3b2224bf833c327cb35c84e9e55812be95fcebf5e120737d7b4a1

    • SSDEEP

      12288:+kPr7VoCKqXP1iIvotWJLb+j0C2dk7oY0IvX94wB357Q0o4DWTSKGtj8kvCy1Q:+WiClNiIAWdo7Go77o4UUjvKy1Q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe

    • Size

      788KB

    • MD5

      832c021d3b613ebd74524020c358fa47

    • SHA1

      518c62a254a2776c8858703503210e23e96edfa1

    • SHA256

      0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6

    • SHA512

      94145ce70a55710bdcd3a20c04bc3e3ff80b32243dbb77ea7ee3f5f55b52d1a799d3f1d7109101f727483f8c5133e992ae5abb078bb9761115a0ac71acdd2297

    • SSDEEP

      12288:IxguJdDoxGc4nHzZVX49UGGHvGvGgx+C09Dqj:IxbdExGcEHzTI9UGPGAnj

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      038243614941cbef3abaa0524ae4c26cef4b8c902b0f674ebc77b04b1e035662.exe

    • Size

      228KB

    • MD5

      88e1648c9994c349f03f166388743f37

    • SHA1

      a4fc1edcf601aface7cc6f0c1dfad642b93e37b7

    • SHA256

      038243614941cbef3abaa0524ae4c26cef4b8c902b0f674ebc77b04b1e035662

    • SHA512

      63499e1c65594925b4a531c71986bfaddfd9f45a152cca2b66ce3b310269f6e79ad9a16369b5a6a5b5792c5ea5339ddd46507455e0bbbbeb728a38408b9fec23

    • SSDEEP

      3072:qY2jOeB4iRbSRouLzYsriQw6iteLWqYCLwiUjY8MvtD23qyJuxD:qYSdMLzY8iLn4d9/UYD23nO

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      039b7cbbe00107f02b5004f4e2560b6d3f8c9e7c81a01ddd3c85a3c94b311bf4.exe

    • Size

      87KB

    • MD5

      d86f012be2a0bf6656356775f2b847a4

    • SHA1

      18f30e1b369c0464fd77941e39aa8b90242cbe40

    • SHA256

      039b7cbbe00107f02b5004f4e2560b6d3f8c9e7c81a01ddd3c85a3c94b311bf4

    • SHA512

      d02d55484f19bed8ddcd643149aa240798a7af1f754279319a634bb9564d5a05e1913e1f2ef123b5125b3250612b5d13ac682d18b564e8df83e11a0fd44ebd27

    • SSDEEP

      1536:vonBB23/71LL4rNpOWPpc1HQN3G+hLrQggXc:vonS9L4rNMw5G8LUw

    Score
    1/10
    • Target

      03a0e7298d12838300b55acae66e5c132a980bd33ff63703d1657632326db543.exe

    • Size

      224KB

    • MD5

      25f3f533c6bd186c32f457db41c59e2c

    • SHA1

      c359c5beef54f379dd054935a596920907ecfb9d

    • SHA256

      03a0e7298d12838300b55acae66e5c132a980bd33ff63703d1657632326db543

    • SHA512

      231b10ea2097979669c9aa4016c9294030cf878560f0a2f9eaf25f1047cf9dffa839fc6209b262876fa72d77b9b0ea33410d5f6a9a4d6bd9959fbc08b6472257

    • SSDEEP

      3072:x9fH9d11sIzlKlLV4WUg6OWP5XEfvmRtSb0ppTGWqT1gK6l6:bfFSLVqgvWCf2bbSWqT1k

    • Target

      044d4141fa14d7abac6f282b72e4d4a6f0fec56df3d0d1650e2db3a1a5c80783.apk

    • Size

      3.5MB

    • MD5

      c126af541f25c0a689dea5f44d598764

    • SHA1

      68e1772c5bf7a0db611063205b2b6f90718893a5

    • SHA256

      044d4141fa14d7abac6f282b72e4d4a6f0fec56df3d0d1650e2db3a1a5c80783

    • SHA512

      eba66c60d7a38a18c57278aefaa7c235fb744b460ed7d9f59724ec68366af6eb6d31333c0be17e92faf91ffefd8629e8e0697771fb13cb3d16cfcb9ad556e215

    • SSDEEP

      49152:3/NUASHe5UQtHy1fffEcy317sc1x7B3l0ZL7ZhJqowVSvsEFP2R7QBub9e3g5zpd:vqp6efffnRcj7jGPJqikVQI5Dhpdns3E

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries information about active data network

    • Reads information about the phone network operator

    • Target

      0488488429b7776b837be76cef378782ec22ebbd71fe37ae16b3f325e0742283.exe

    • Size

      221KB

    • MD5

      e3e5f8674ae7edbda17de024898ec0ce

    • SHA1

      de218079278eec481f86423fe30d66ad07b190b1

    • SHA256

      0488488429b7776b837be76cef378782ec22ebbd71fe37ae16b3f325e0742283

    • SHA512

      4630b561ff915fb42e971c302a6932373cd2a218e14021f96beff80f890fa150b65fe568df5496370bf509d8da0a65dd6818fcaaa287342a5e9f9799b3e9b670

    • SSDEEP

      3072:9fYc8VpKgQNLMFBwG62k5/qlYmpIAuvE6rEvGOZqns3mnnK:9fuQLnGUxmpIAuvxwWs3Gn

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      04ba4539039a535365ac32abf01cb409f0efbc33545a864865a073e09d7500df.elf

    • Size

      57KB

    • MD5

      6766a5ebb3bc9ac3660010b64f352278

    • SHA1

      d3a89e39cfc205af5bb59001e59ab36369507abd

    • SHA256

      04ba4539039a535365ac32abf01cb409f0efbc33545a864865a073e09d7500df

    • SHA512

      5428da59fd856c3cc34af8e92d5ddcab1d604471b861408765a4bbe90846c83a481a8ba1629d46fb45a63014d5c6d3819b7a274f1705d62d224e62bf8112ba18

    • SSDEEP

      1536:UO9Q+iBMnYioCIgyFGaPSWY/aKVv76SXIVVS:UP+6MnYiouyFGaPSWY/bVT6oIVI

    • Contacts a large number (1920) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from the /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Target

      054c0c0eb0f5db96a0f5c39dfc6c822377462a12aff74bc86150d450aa880e5c.exe

    • Size

      2.4MB

    • MD5

      a8e71596bc629472791535548003291d

    • SHA1

      c0eec30c7de85dffa7c9d7d7cfc05f5924fdf078

    • SHA256

      054c0c0eb0f5db96a0f5c39dfc6c822377462a12aff74bc86150d450aa880e5c

    • SHA512

      90af83e07ee37cafc9757b4fb0883ac3429e1f1f0157e825d5f934659385f8c73cbfd7f0b252ee8b207cbc149d75dd2aab90b50c3fbdc1376ed02cce1fcd275b

    • SSDEEP

      49152:Z2+w9jlsiQDoARbXvDxyuIMmcc4KBREfOYW4RwkWaWZVxFcS65EG3OjTA5hq:MROoARjDEpMmccRBRERqkKFcS6Gdj0Dq

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • Mirai family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      058c3a111cb50601c15b4410b3770720b948702207b5ad6492b82e1c4fd310bc.js

    • Size

      38KB

    • MD5

      b6dd12e8207cb20a56c9063d8ae13403

    • SHA1

      81c8d38e92d3861e5f938e1e0e73ce109f52b317

    • SHA256

      058c3a111cb50601c15b4410b3770720b948702207b5ad6492b82e1c4fd310bc

    • SHA512

      a2d08ecdca6e0245c0583deddba9b131d7bd1c065cf5f70463cd845b758c53b5f5c98a0790d328fc8ae1714b8864b565db6a70d4d0d38f2ac08f8ecb4b338599

    • SSDEEP

      768:24BT+QfokmOQ4Fw1y3g3xkMwx1WsKH+pPA7MBwuqLO37jI0:hINV6w1yw36Mwx1W7+pPA7uwLOLjI0

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Vjw0rm family

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Tasks

static1

mirai upx vmprotect lzrd rat pyinstaller brouteurs themida default d1d6daf7a5018968dea23d67c142f047 gafgyt irata mirai purecrypter dcrat andrmonitor aurora rhadamanthys socelars stormkitty systembc xred njrat asyncrat neshta raccoon laplas snakekeylogger erbium
Score
10/10

behavioral1

Score
1/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

agenttesla collection credential_access discovery keylogger spyware stealer trojan
Score
10/10

behavioral5

agenttesla collection credential_access discovery keylogger spyware stealer trojan
Score
10/10

behavioral6

guloader discovery downloader
Score
10/10

behavioral7

guloader discovery downloader
Score
10/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

agenttesla collection credential_access discovery keylogger spyware stealer trojan
Score
10/10

behavioral13

agenttesla collection credential_access discovery keylogger spyware stealer trojan
Score
10/10

behavioral14

agenttesla collection discovery keylogger persistence spyware stealer trojan
Score
10/10

behavioral15

agenttesla collection discovery keylogger persistence spyware stealer trojan
Score
10/10

behavioral16

snakekeylogger discovery execution keylogger stealer
Score
10/10

behavioral17

snakekeylogger collection credential_access discovery execution keylogger stealer
Score
10/10

behavioral18

tofsee discovery evasion execution persistence privilege_escalation trojan
Score
10/10

behavioral19

tofsee discovery evasion execution persistence privilege_escalation trojan
Score
10/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

smokeloader pub2 backdoor discovery trojan
Score
10/10

behavioral23

smokeloader pub2 backdoor discovery trojan
Score
10/10

behavioral24

discovery
Score
6/10

behavioral25

discovery evasion persistence
Score
6/10

behavioral26

Score
1/10

behavioral27

tofsee discovery evasion execution persistence privilege_escalation trojan
Score
10/10

behavioral28

tofsee discovery evasion execution persistence privilege_escalation trojan
Score
10/10

behavioral29

defense_evasion discovery
Score
8/10

behavioral30

dcrat gcleaner mirai botnet discovery infostealer loader rat
Score
10/10

behavioral31

gcleaner discovery loader
Score
10/10

behavioral32

vjw0rm execution persistence trojan worm
Score
10/10