Resubmissions
04-12-2024 19:44
241204-yftswatlcj 1028-11-2024 19:40
241128-ydqnfaxqgy 1020-11-2024 16:31
241120-t1tw6azjfy 1020-11-2024 06:05
241120-gtdv5ssnes 1020-11-2024 06:00
241120-gqchxascje 1020-11-2024 05:52
241120-gk2kvaxkgn 1018-11-2024 21:54
241118-1sd93a1lfr 1017-11-2024 11:03
241117-m55qwsyemr 316-11-2024 19:06
241116-xsbmdssbkd 1016-11-2024 18:38
241116-w913ya1jcy 10General
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
Sample
241116-w913ya1jcy
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe.zip
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
4363463463464363463463463.exe.zip
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
4363463463464363463463463.exe.zip
Resource
win11-20241007-en
Malware Config
Extracted
xworm
5.0
0.tcp.eu.ngrok.io:10358
6.tcp.eu.ngrok.io:10358
4.tcp.eu.ngrok.io:10358
188.190.10.161:4444
nomorelife1.ddns.net:999
154.197.69.165:7000
104.219.239.11:6969
QvDYkhYsc5WBgCcl
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
asyncrat
0.5.8
Default
18.ip.gl.ply.gg:6606
18.ip.gl.ply.gg:7707
18.ip.gl.ply.gg:8808
18.ip.gl.ply.gg:9028
lmk8StbxTzvz
-
delay
3
-
install
true
-
install_file
Discord.exe
-
install_folder
%AppData%
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
asyncrat
0.5.7B
Default
1.tcp.ap.ngrok.io:21049
3.70.228.168:555
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
chrome.exe
-
install_folder
%AppData%
Extracted
vidar
11.3
a21440e9f7223be06be5f5e2f94969c7
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
xworm
3.1
profile-indians.gl.at.ply.gg:39017
-
Install_directory
%Port%
-
install_file
USB.exe
Extracted
quasar
1.4.1
sigorta
18.198.25.148:1604
af7e773d-541a-46fd-87d3-06bb0a26aab9
-
encryption_key
D306945220105109C86E6E257D749CE885E76091
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
redline
38.180.109.140:20007
38.180.203.208:14238
Extracted
asyncrat
AsyncRAT
Default
yyyson22.gleeze.com:4608
dw
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
vidar
11.5
321a707fa673780c2e4ab40d133f2899
https://t.me/gos90t
https://steamcommunity.com/profiles/76561199800374635
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
xworm
157.66.26.208:8848
https://pastebin.com/raw/LWUHVqrD:48602480
assistance-arbitration.gl.at.ply.gg:12152
-
install_file
USB.exe
Extracted
https://osecweb.ir/js/config_20.ps1
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
100 RND
91.92.243.191:5401
6871a79e-e4f7-4fb3-ae38-dc20c1d657a0
-
delay
1
-
install
true
-
install_file
hyperhostvc.exe
-
install_folder
%AppData%
Extracted
lokibot
http://bauxx.xyz/mtk1/w2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
redline
816FA
88.99.151.68:7200
Extracted
lumma
https://c0al1t1onmatch.cyou/api
Extracted
metasploit
windows/reverse_tcp
89.197.154.116:7810
129.151.210.233:4444
Extracted
lumma
https://ammycanedpors.shop/api
https://egorepetiiiosn.shop/api
https://faceddullinhs.shop/api
https://shootydowtqosm.shop/api
https://triallyforwhgh.shop/api
https://illnesmunxkza.shop/api
https://chequedxmznp.shop/api
https://shelterryujxo.shop/api
https://commisionipwn.shop/api
https://stitchmiscpaew.shop/api
https://ignoracndwko.shop/api
https://grassemenwji.shop/api
https://charistmatwio.shop/api
https://basedsymsotp.shop/api
https://complainnykso.shop/api
https://preachstrwnwjw.shop/api
https://hookybeamngwskow.xyz/api
https://delaylacedmn.site
https://writekdmsnu.site
https://agentyanlark.site
https://bellykmrebk.site
https://underlinemdsj.site
https://commandejorsk.site
https://possiwreeste.site
https://famikyjdiag.site
Extracted
stealc
7140196255
http://83.217.209.11
-
url_path
/fd2453cf4b7dd4a4.php
Extracted
stealc
default
http://95.217.96.249
-
url_path
/bc00174e4ec6d418.php
Extracted
quasar
1.4.1
Office04
192.168.100.18:4782
2cbe985c-9a4f-4f1f-a761-cd05d5feff4b
-
encryption_key
9493303F9F1D303190787B3D987F2DCB2BAF3CFD
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
quasar
1.4.0
Office04
192.168.31.99:4782
2001:4bc9:1f98:a4e::676:4782
255.255.255.0:4782
fe80::cabf:4cff:fe84:9572%17:4782
1f65a787-81b8-4955-95e4-b7751e10cd50
-
encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
-
install_name
Java Updater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Extracted
metasploit
metasploit_stager
144.34.162.13:3333
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.jhxkgroup.online - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Extracted
http://37.1.196.35/un2/botui.dat
Extracted
cryptbot
fivexc5sr.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
vidar
11.4
7c37934964656ffad71319cfd3f70c69
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
62.113.117.95:4449
hwelcvbupaqfzors
-
delay
10
-
install
false
-
install_folder
%AppData%
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
82.193.104.21:5137
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Targets
-
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Score10/10ammyyadminasyncratcobaltstrikephorphiexquasarredlinevidarxworm321a707fa673780c2e4ab40d133f2899a21440e9f7223be06be5f5e2f94969c7defaultsigortatg cloud @rlreborn admin @fatherofcardersbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerloaderpersistencepyinstallerransomwareratspywarestealertrojanwormlokibotlummaxmrig100 rnd816facollectionmineramadeyflawedammyymetasploitstealctroldeshvipkeyloggerwannacryzharkbot7140196255office04aspackv2bootkitbotnetkeyloggerprivilege_escalationthemidaupxvmprotectcryptbotmeduzamimikatznjratstormkitty7c37934964656ffad71319cfd3f70c69hacked-
Amadey family
-
AmmyyAdmin payload
-
Ammyyadmin family
-
Asyncrat family
-
Cobaltstrike family
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Cryptbot family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects ZharkBot payload
ZharkBot is a botnet written C++.
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Lokibot family
-
Lumma family
-
Meduza Stealer payload
-
Meduza family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Mimikatz family
-
Modifies security service
-
Njrat family
-
Phorphiex family
-
Phorphiex payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Stealc family
-
StormKitty payload
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Troldesh family
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vidar family
-
Vipkeylogger family
-
Wannacry family
-
Xmrig family
-
Xworm family
-
Zharkbot family
-
Async RAT payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
XMRig Miner payload
-
mimikatz is an open source tool to dump credentials on Windows
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Contacts a large (870) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies file permissions
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
4PowerShell
3Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Power Settings
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
4Clear Persistence
1File Deletion
3Modify Authentication Process
1Modify Registry
7Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Network Service Discovery
2Network Share Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
9Remote System Discovery
2System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1System Time Discovery
1Virtualization/Sandbox Evasion
2