Overview

overview

10

Static

static

3

4363463463...63.exe

windows10-ltsc 2021-x64

10

4363463463...63.exe

windows11-21h2-x64

10

Resubmissions

10/01/2025, 00:42 UTC

250110-a2rcwawlcz 8

08/01/2025, 13:31 UTC

250108-qsdnes1qb1 10

17/12/2024, 13:35 UTC

241217-qv6rzs1nhp 10

15/11/2024, 19:06 UTC

241115-xr6q5szdnf 10

14/11/2024, 23:35 UTC

241114-3lfknavfqg 10

14/11/2024, 23:26 UTC

241114-3eysnavfje 10

14/11/2024, 23:12 UTC

241114-26znlavdqq 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • Sample

    241114-26znlavdqq

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
amadeyasyncratdcratdharmagurcuhivelummametasploitnjratphorphiexquasarredlinerhadamanthysvidarxmrigxredxworm1b47b87875b9774afdda9b2528e389d1321a707fa673780c2e4ab40d133f28997c4393a770ee12f3b037ae568cfe2254681c7ddefaultlogsnewclientoffice04testaspackv2backdoorbootkitcredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerloaderminerpersistenceprivilege_escalationpyinstallerransomwareratspywarestealertrojanupxworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66

Attributes
  • mutex

    Klipux

Extracted

Family

xworm

C2

91.92.249.37:9049

https://pastebin.com/raw/LWUHVqrD:48602480

147.185.221.22:47930

127.0.0.1:47930

154.216.18.213:7000
Mutex

aMtkXNimPlkESDx9

aes.plain
1
5548

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

62.113.117.95:4449

Mutex

hwelcvbupaqfzors

Attributes
  • delay

    10

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
nsBwpZM9eXyJwjFOEPqQT7eVgQEXAQHF
aes.plain
1
ZHF9P7iFulHlWbWS68wXXEkz427S7oLd

Extracted

Family

vidar

Version

11.3

Botnet

a770ee12f3b037ae568cfe2254681c7d

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

vidar

Version

10.7

Botnet

1b47b87875b9774afdda9b2528e389d1

C2

https://steamcommunity.com/profiles/76561199751190313

https://t.me/pech0nk
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Extracted

Family

amadey

Version

5.03

Botnet

7c4393

C2

http://185.215.113.217

Attributes
  • install_dir

    f9c76c1660

  • install_file

    corept.exe

  • strings_key

    9808a67f01d2f0720518035acbde7521

  • url_paths

    /CoreOPT/index.php

rc4.plain
1
c1ec479e5342a25940592acf24703eb2

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

64.176.38.237:8139

Extracted

Family

xworm

Version

5.0

C2

62.113.117.95:5665

Mutex

oQNXB2TbsZoFMnfW

Attributes
  • install_file

    USB.exe

aes.plain
1
vJp0vi3w+o3lOnYW1JhWyA==

Extracted

Family

quasar

Version

1.4.1

Botnet

Test

C2

193.161.193.99:35184

67.205.154.243:35184
Mutex

9cabbafb-503b-49f1-ab22-adc756455c10

Attributes
  • encryption_key

    8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    MS Build Tools

  • subdirectory

    Microsoft-Build-Tools

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Receiving + Grabber v6.0.4

Botnet

NewClient

C2

157.20.182.183:4449

Mutex

fsqshvwapaxdhwtdp

Attributes
  • delay

    1

  • install

    false

  • install_file

    Winup.exe

  • install_folder

    %AppData%

aes.plain
1
WDBWTsqIAfn5iGlj8m2ZvUdxbqPb83Cw

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

73.62.14.5:4782

Mutex

3aaa11be-d135-4877-a61e-c409c29a7a60

Attributes
  • encryption_key

    BC9162791FD860195CF75664AE64885B64D5B5CE

  • install_name

    Client1.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Startup

  • subdirectory

    SubDir

Extracted

Family

redline

Botnet

Logs

C2

185.215.113.9:9137

Extracted

Family

metasploit

Version

metasploit_stager

C2

185.202.113.6:4243

144.34.162.13:3333

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7382558274:AAFZkCVTgYkuRWqDruBGK0C9eAD8ZoE6BOs/sendMessage?chat_id=966649672

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

vidar

Version

11.5

Botnet

321a707fa673780c2e4ab40d133f2899

C2

https://t.me/gos90t

https://steamcommunity.com/profiles/76561199800374635
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
BOzTyxr9bYgKT8G5j1veaeDZkyOFH6ZG

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808
Mutex

nfMlxLKxWkbD

Attributes
  • delay

    3

  • install

    true

  • install_file

    http.exe

  • install_folder

    %AppData%

aes.plain
1
R1WxdGqgUOkQsyPU5IJ0iylNecixPSdA

Extracted

Family

lumma

C2

https://caffegclasiqwp.shop/api

https://stamppreewntnq.shop/api

https://stagedchheiqwo.shop/api

https://millyscroqwp.shop/api

https://evoliutwoqm.shop/api

https://condedqpwqm.shop/api

https://traineiwnqo.shop/api

https://locatedblsoqp.shop/api

https://associationokeo.shop/api

https://turkeyunlikelyofw.shop/api

https://detectordiscusser.shop/api

https://technologyenterdo.shop/api

https://fieldtrollyeowskwe.shop/api

Extracted

Family

xworm

Version

3.0

C2

notes-congress.gl.at.ply.gg:24370

Mutex

xfgLgucyz0P7wfhC

Attributes
  • install_file

    USB.exe

aes.plain
1
N1x+RehCCCciTEKY9Oa/Uw==

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    amadeyasyncratdharmagurcuhivemetasploitphorphiexquasarredlinevidarxmrigxredxworm1b47b87875b9774afdda9b2528e389d17c4393a770ee12f3b037ae568cfe2254681c7ddefaultlogsnewclientoffice04testbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerloaderminerpersistenceprivilege_escalationpyinstallerransomwareratspywarestealertrojanupxwormdcratlummanjratrhadamanthys321a707fa673780c2e4ab40d133f2899aspackv2bootkit

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • Detects Go variant of Hive Ransomware

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Dharma family

      dharma

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Hive

      A ransomware written in Golang first seen in June 2021.

      ransomwarehive

    • Hive family

      hive

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Metasploit family

      metasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies security service

      evasion

    • Njrat family

      njrat

    • Phorphiex family

      phorphiex

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Rhadamanthys family

      rhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

      evasiontrojan

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Windows security bypass

      evasiontrojan

    • Xmrig family

      xmrig

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Renames multiple (182) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

      defense_evasion

    • Modifies Windows Firewall

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Modify Authentication Process

1
T1556

Power Settings

1
T1653

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Direct Volume Access

1
T1006

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

6
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

4
T1562.001

Indicator Removal

3
T1070

File Deletion

2
T1070.004

Network Share Connection Removal

1
T1070.005

Modify Authentication Process

1
T1556

Modify Registry

8
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Network Share Discovery

1
T1135

Peripheral Device Discovery

2
T1120

Process Discovery

1
T1057

Query Registry

10
T1012

Remote System Discovery

1
T1018

System Information Discovery

8
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.