General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
Sample
241114-3ln7ssvjfs
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
xworm
157.66.26.208:8848
45.66.231.231:7000
exonic-hacks.com:1920
-
install_file
USB.exe
Extracted
metasploit
windows/reverse_tcp
89.197.154.116:7810
Extracted
redline
newbundle2
185.215.113.67:15206
Extracted
asyncrat
0.5.8
Default
18.ip.gl.ply.gg:6606
18.ip.gl.ply.gg:7707
18.ip.gl.ply.gg:8808
18.ip.gl.ply.gg:9028
7U2HW8ZYjc9H
-
delay
3
-
install
true
-
install_file
Discord.exe
-
install_folder
%AppData%
Extracted
metasploit
windows/reverse_http
http://89.197.154.116:7810/VeM-buvtRWFTY1JiNZ2fGwUXc1CJXgbyOV5zM2vQ03kY7e4nGmyXkTKa8si-g-FfyAlpzs_FKQOSCtulsk34aryu-Ou9W2coAgl4jGnvIFVlgK-MlMyEitlm
Extracted
lumma
https://absorptioniw.site
https://mysterisop.site
https://snarlypagowo.site
https://treatynreit.site
https://chorusarorp.site
https://abnomalrkmu.site
https://soldiefieop.site
https://questionsmw.store
https://wrappyskmwio.store
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
quasar
1.4.1
WenzCordRat
nickhill112-22345.portmap.host:22345
7ee1db41-359a-46b2-bba3-791dc7cde5e1
-
encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
-
install_name
WenzCord.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Update.exe
-
subdirectory
SubDir
Extracted
quasar
1.4.1
Aquarius
192.168.8.103:4782
192.168.8.105:4782
192.168.8.114:4782
a198a147-9efc-419d-9539-bac2108dc109
-
encryption_key
4CF458F992C472DE78F317085B34A8A1747FC32D
-
install_name
WindowsDataUpdater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsDataUpdater
-
subdirectory
WinBioData
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Detect Xworm Payload
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Windows Management Instrumentation
1Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Indicator Removal
2File Deletion
2Modify Registry
1