General
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
Sample
241116-w913ya1jcy
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Malware Config
Extracted
xworm
5.0
0.tcp.eu.ngrok.io:10358
6.tcp.eu.ngrok.io:10358
4.tcp.eu.ngrok.io:10358
188.190.10.161:4444
nomorelife1.ddns.net:999
154.197.69.165:7000
104.219.239.11:6969
QvDYkhYsc5WBgCcl
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
asyncrat
0.5.8
Default
18.ip.gl.ply.gg:6606
18.ip.gl.ply.gg:7707
18.ip.gl.ply.gg:8808
18.ip.gl.ply.gg:9028
lmk8StbxTzvz
-
delay
3
-
install
true
-
install_file
Discord.exe
-
install_folder
%AppData%
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
asyncrat
0.5.7B
Default
1.tcp.ap.ngrok.io:21049
3.70.228.168:555
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
chrome.exe
-
install_folder
%AppData%
Extracted
vidar
11.3
a21440e9f7223be06be5f5e2f94969c7
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
xworm
3.1
profile-indians.gl.at.ply.gg:39017
-
Install_directory
%Port%
-
install_file
USB.exe
Extracted
quasar
1.4.1
sigorta
18.198.25.148:1604
af7e773d-541a-46fd-87d3-06bb0a26aab9
-
encryption_key
D306945220105109C86E6E257D749CE885E76091
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
redline
38.180.109.140:20007
38.180.203.208:14238
Extracted
asyncrat
AsyncRAT
Default
yyyson22.gleeze.com:4608
dw
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
vidar
11.5
321a707fa673780c2e4ab40d133f2899
https://t.me/gos90t
https://steamcommunity.com/profiles/76561199800374635
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
xworm
157.66.26.208:8848
https://pastebin.com/raw/LWUHVqrD:48602480
assistance-arbitration.gl.at.ply.gg:12152
-
install_file
USB.exe
Extracted
https://osecweb.ir/js/config_20.ps1
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
100 RND
91.92.243.191:5401
6871a79e-e4f7-4fb3-ae38-dc20c1d657a0
-
delay
1
-
install
true
-
install_file
hyperhostvc.exe
-
install_folder
%AppData%
Extracted
lokibot
http://bauxx.xyz/mtk1/w2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
redline
816FA
88.99.151.68:7200
Extracted
lumma
https://c0al1t1onmatch.cyou/api
Extracted
metasploit
windows/reverse_tcp
89.197.154.116:7810
129.151.210.233:4444
Extracted
lumma
https://ammycanedpors.shop/api
https://egorepetiiiosn.shop/api
https://faceddullinhs.shop/api
https://shootydowtqosm.shop/api
https://triallyforwhgh.shop/api
https://illnesmunxkza.shop/api
https://chequedxmznp.shop/api
https://shelterryujxo.shop/api
https://commisionipwn.shop/api
https://stitchmiscpaew.shop/api
https://ignoracndwko.shop/api
https://grassemenwji.shop/api
https://charistmatwio.shop/api
https://basedsymsotp.shop/api
https://complainnykso.shop/api
https://preachstrwnwjw.shop/api
https://hookybeamngwskow.xyz/api
https://delaylacedmn.site
https://writekdmsnu.site
https://agentyanlark.site
Extracted
stealc
7140196255
http://83.217.209.11
-
url_path
/fd2453cf4b7dd4a4.php
Extracted
stealc
default
http://95.217.96.249
-
url_path
/bc00174e4ec6d418.php
Extracted
quasar
1.4.1
Office04
192.168.100.18:4782
2cbe985c-9a4f-4f1f-a761-cd05d5feff4b
-
encryption_key
9493303F9F1D303190787B3D987F2DCB2BAF3CFD
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
quasar
1.4.0
Office04
192.168.31.99:4782
2001:4bc9:1f98:a4e::676:4782
255.255.255.0:4782
fe80::cabf:4cff:fe84:9572%17:4782
1f65a787-81b8-4955-95e4-b7751e10cd50
-
encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
-
install_name
Java Updater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Extracted
metasploit
metasploit_stager
144.34.162.13:3333
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.jhxkgroup.online - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Extracted
http://37.1.196.35/un2/botui.dat
Extracted
cryptbot
fivexc5sr.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
vidar
11.4
7c37934964656ffad71319cfd3f70c69
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
62.113.117.95:4449
hwelcvbupaqfzors
-
delay
10
-
install
false
-
install_folder
%AppData%
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
82.193.104.21:5137
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Targets
-
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload
-
Ammyyadmin family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects ZharkBot payload
ZharkBot is a botnet written C++.
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Meduza
Meduza is a crypto wallet and info stealer written in C++.
-
Meduza Stealer payload
-
Meduza family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Modifies security service
-
Njrat family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Vipkeylogger family
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Windows security bypass
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
ZharkBot
ZharkBot is a botnet written C++.
-
Zharkbot family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
XMRig Miner payload
-
mimikatz is an open source tool to dump credentials on Windows
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Command and Scripting Interpreter: PowerShell
Powershell Invoke Web Request.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Contacts a large (870) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies file permissions
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Service Discovery
Attempt to gather information on host's network.
-
Network Share Discovery
Attempt to gather information on host network.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
4PowerShell
3Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Power Settings
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
4Clear Persistence
1File Deletion
3Modify Authentication Process
1Modify Registry
7Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Network Service Discovery
2Network Share Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
9Remote System Discovery
2System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1System Time Discovery
1Virtualization/Sandbox Evasion
2