General
- Target: RetardedNigger2024.zip
- Size: 21.7MB
- Sample: 241117-v5a6aatqft
- MD5: 77c232adb4ab9f4919d82a3a2cc72246
- SHA1: 994efdf00f2f89ae57833de378c17a66ce94e643
- SHA256: bd7a853e20ec918539038278bb788fea3314d1da09e7f75608d13a8cd2436362
- SHA512: c939c5ad357ce18882c21b205d5fbcba20f7deaad6556229cdc5e265416168b74e6ebe214e2edfc91c6f248c88c436893eb215ce5e081d14bc96bccf91ad8057
- SSDEEP: 393216:aKiW0JS2OD2FNeBBEfxVKfcX5Vi+D2vXs2Ju8aDAGHimE//suXiYuX+wzsyrVG:aENbeNMqvDzF2Ju1AGHNjuXif+wzTw
Tasks
- Static task static1
- Behavioral task behavioral1: tmpfile-main/0000000r00d000r3.exe (resource win7-20240729-en)
- Behavioral task behavioral2: tmpfile-main/0000000r00d000r3.exe (resource win10v2004-20241007-en)
- Behavioral task behavioral3: tmpfile-main/Exterm.exe (resource win7-20240903-en)
- Behavioral task behavioral4: tmpfile-main/Exterm.exe (resource win10v2004-20241007-en)
- Behavioral task behavioral5: tmpfile-main/Gaming Chair.exe (resource win7-20241023-en)
- Behavioral task behavioral6: tmpfile-main/Gaming Chair.exe (resource win10v2004-20241007-en)
- Behavioral task behavioral7: tmpfile-main/Node32.exe (resource win7-20240903-en)
- Behavioral task behavioral8: tmpfile-main/Node32.exe (resource win10v2004-20241007-en)
- Behavioral task behavioral9: tmpfile-main/Node63.exe (resource win7-20240903-en)
- Behavioral task behavioral10: tmpfile-main/Node63.exe (resource win10v2004-20241007-en)
- Behavioral task behavioral11: tmpfile-main/Node64.exe (resource win7-20241010-en)
- Behavioral task behavioral12: tmpfile-main/Node64.exe (resource win10v2004-20241007-en)
- Behavioral task behavioral13: tmpfile-main/Sobfox.exe (resource win7-20240903-en)
- Behavioral task behavioral14: tmpfile-main/Sobfox.exe (resource win10v2004-20241007-en)
- Behavioral task behavioral15: tmpfile-main/stTfuo7I.exe (resource win7-20241023-en)
- Behavioral task behavioral16: tmpfile-main/stTfuo7I.exe (resource win10v2004-20241007-en)
- Behavioral task behavioral17: tmpfile-main/stTfuo8I.exe (resource win7-20240903-en)
- Behavioral task behavioral18: tmpfile-main/stTfuo8I.exe (resource win10v2004-20241007-en)
Malware Config
Extracted
- bdaejec: ddos.dnsnb8.net
Targets

Target: tmpfile-main/0000000r00d000r3.exe
- Size: 4.9MB
- MD5: 340753116751ef6f5212667501a0e562
- SHA1: ad4d25b43964c1c54accdcbe97a3f2ca80d15894
- SHA256: b61907b9081bb5d7125264c5e60de013c02b7b866148248de603fb55f8d39a18
- SHA512: d9564e38ea4000c16ebacc4a4b95925c8998d2bce33b3ad7bd0aa0b220d60f372d798591f4365b1271085036055519e4a94afd47d51ad5a2c6002e1f54ffc2f2
- SSDEEP: 98304:w4KoSKQ6Kob7IdoOPn49MWTB9z2OuVIsFx6fZPELW4sF+JKcNWdZRM9b7:wAXQFob7Idj/4VTbaVIsSBfFoxMnsb
- Score: 8/10

Signatures:
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: tmpfile-main/Exterm.exe
- Size: 830KB
- MD5: 4b1fba57411e2fb9756f44a84bd74b43
- SHA1: 06305226e1d4e4fcca12d83d72dc8a4fe9f4d9ed
- SHA256: 4001b4e8a309eb8949f827d0b3ef572c79c1b21d96aa4c35436b0930bea8eec1
- SHA512: ce491f3fcea8d270351825f0ac8e48994866d728db121b954c0fa2d16d7999d0f898c99b969f75521c5c827bc5437221e707f78e3fb68e70c8a6abd91775f113
- SSDEEP: 24576:75bRMyb2OEpAoC0HJ0EWRVW4ICikaZo8M:NbRMyb5YP0ny4xiNZoB

Signatures:
- Bdaejec family
- Detects Bdaejec Backdoor.
  Bdaejec is a backdoor written in C++.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
Target: tmpfile-main/Gaming Chair.exe
- Size: 2.1MB
- MD5: 9503205a5f7581720f7fa6348c49a93b
- SHA1: 34453ec11bb30ae10519a468deaefbf3f965fe3a
- SHA256: 0dca41e17e4f286a420dd2e6fbbd9ad460f1dac1f3de83672fa9de977f6b6402
- SHA512: 0524cabf5d0b87bf6f34a1c2e2cc3eef85e95e5b3fdd66fc60e5e07e4c0ce7cdbeb9eca7778bae5b4a0302ce822a08ce30c346d62bdbd746e2c8c6c8fe015191
- SSDEEP: 49152:xMi7EDQljtuC9Ss8k9yi83GMB5rr3KJPjFJa9Ndcs8Mcs8Mcs8Mcs8M7Lbr7Lbr6:xBYDQ1th9SVk99scB

Signatures:
- Bdaejec family
- Detects Bdaejec Backdoor.
  Bdaejec is a backdoor written in C++.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
Target: tmpfile-main/Node32.exe
- Size: 366KB
- MD5: 31be6f6a2cbf1c49790b490df463500a
- SHA1: 878a2fee90a2ceb49213a5b5742499ca8e14fec0
- SHA256: 6d4222db12dd717bef62cabc134fbbdad8033767780eeb6d7322a38b8a2a81de
- SHA512: 8b3c2e96ee85502d4ebd750e94397915370f47543cb7ce0c0b598407319387727678daac28dd843f0d61685b83fb8597cf473091774cdf74cdc9dd98f9a06d37
- SSDEEP: 6144:NClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDW9WkkHp683KX:NUolitMIaAFkJ6
- Score: 10/10

Signatures:
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Target: tmpfile-main/Node63.exe
- Size: 13KB
- MD5: f04105a5ee0d0b440ab470546ac95400
- SHA1: 64cd0a16d842065336eb2e47f9a2a04339f187fe
- SHA256: 8788e01aa0ff4f299112ce04501a23d241522d8abe9663bfd09487adc8322d10
- SHA512: fa5f41b2b0ec3c14b35b980147c40e7c1afd55729ced4280a70819a278dec265c7f37fe0faf69a96ca09a92f5e77073e54acf3dfd37017b69b928ae42148adce
- SSDEEP: 384:8TzzCX9HSjnpYNLLt3rYKHzMr2X1Vl6fnr:8Ta9yjWxxzg2X1Xk
- Score: 3/10
Target: tmpfile-main/Node64.exe
- Size: 368KB
- MD5: 47fe2649cc2325a477fce08731aeb716
- SHA1: 268abf2cceac62263fe040dc40b8b4b9aa3592da
- SHA256: d3808b41fe847339d9d69eaa05a5c7dea072b3e6325127a53b54c0d5e102f49b
- SHA512: 173bd39f32dc4c95309e8e23a33542f92bb1c22459be30e47b52ab92827f418c7ba59fd9b31606f7f40824366e949e7de89a851d1acb8425bbf7fd607632e0d4
- SSDEEP: 6144:dClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDN9gkHp683KX:dUolitMIaAFkh6
- Score: 10/10

Signatures:
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Target: tmpfile-main/Sobfox.exe
- Size: 5.2MB
- MD5: a34a8c7f18a484aebc37cc67e86f8441
- SHA1: c0fbef5f036d7b4bb1d9d350e24d6d99096f1ba1
- SHA256: 1f350ddd7b2d7cf5da7dd41b793d1d28642b7bfd4ddac2c278499b2d911bece5
- SHA512: e8df773de29f73bf7b1e3915b842abcdb3f42185cfb632b60ae1f5c1fcf9cc0cad57d3f54f79f9ce6c94c9691e3f72e66efdec4f63ba5f5de908f318d2d9f9ab
- SSDEEP: 98304:j3GIi+v8hp0EI/mbrVVxAnPJ6hR0O+vk3nVcJGOLS:j3GIiMhubJVeQ5+k3nVYLS
- Score: 7/10

Signatures:
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
Target: tmpfile-main/stTfuo7I.exe
- Size: 4.9MB
- MD5: 6f179cb4399501b0aef6bed87067c461
- SHA1: 8cdfeebc4075540d4eb80403aab1c412ce1ff483
- SHA256: caa64978428e81f087a0407398a5a0d47c1d5e6e438f220c2ea34de3aa0bcb0c
- SHA512: 20361366df3d0fe038a17230ab8002e784f5d10026375894b223b69cfde0c7885cefd294aecb5870fcd6dee12c5a427c98b0e086f96ae6c21120b2932893d2e2
- SSDEEP: 98304:Mxv9MTqUi2Rg7yxivn0jokds41Fh4bpgxAYDaRDzHM4TOFRAJSNfcFXN/D+HxowG:2v9mfi866AYafs4iITrmnhpDBzvTKS
- Score: 1/10
Target: tmpfile-main/stTfuo8I.exe
- Size: 4.8MB
- MD5: e9f9aaf1b165f0e1a0310cfe04b7deaf
- SHA1: 512b5d16ccc0a16619e69dda46382f346c1b1d51
- SHA256: 9ab3067a40f40f1e171a5ae3cd036ae9ef32d8cabb0e06502e56fe6df67d6feb
- SHA512: d2940b5f86e731dae7df1d5f69cc138e03b50a19ff77843fdf61d92035f64449ba3e8948585cfeca709d871ccfd51aca8f734adc09dfde14c8e27d4c972f4d0c
- SSDEEP: 98304:5F+ssBEhz9Nq5s7ydXteaDJ/23nPl2ptbzfoHvoimaTFAeXzl:5Xs2Ju9eaD0tGHfoTmE/D
- Score: 7/10

Signatures:
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (1): Service Execution (1)

Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1): Scheduled Task (1)