Resubmissions
25-01-2025 23:19 250125-3a9dlavrfq 10
25-01-2025 00:39 250125-azr7dswras 10
25-01-2025 00:32 250125-avsblawpdx 10
25-01-2025 00:29 250125-as5h5swnfv 10
04-12-2024 19:44 241204-yftswatlcj 10
28-11-2024 19:40 241128-ydqnfaxqgy 10
20-11-2024 16:31 241120-t1tw6azjfy 10
20-11-2024 06:05 241120-gtdv5ssnes 10
20-11-2024 06:00 241120-gqchxascje 10
20-11-2024 05:52 241120-gk2kvaxkgn 10
General
Target: 4363463463464363463463463.exe.zip
Size: 4KB
Sample: 241118-1sd93a1lfr
MD5: 16d34133af438a73419a49de605576d9
SHA1: c3dbcd70359fdad8835091c714a7a275c59bd732
SHA256: e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
SHA512: 59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
SSDEEP: 96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Static task: static1
Behavioral task: behavioral1
  Sample: 4363463463464363463463463.exe.zip
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: 4363463463464363463463463.exe.zip
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral3
  Sample: 4363463463464363463463463.exe.zip
  Resource: win11-20241007-en
Malware Config
Extracted
xworm
exonic-hacks.com:1920
0.tcp.in.ngrok.io:15792
127.0.0.1:6000
103.211.201.109:6000
193.222.96.100:5555
-
Install_directory
%Userprofile%
-
install_file
Windows.exe
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
82.193.104.21:5137
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Extracted
redline
25072023
185.215.113.67:40960
Extracted
redline
TG@CVV88888
185.218.125.157:21441
Extracted
lumma
Extracted
xworm
3.1
profile-indians.gl.at.ply.gg:39017
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
cryptbot
fivexc5sr.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
quasar
1.4.0
Office04
192.168.31.99:4782
2001:4bc9:1f98:a4e::676:4782
255.255.255.0:4782
fe80::cabf:4cff:fe84:9572%17:4782
1f65a787-81b8-4955-95e4-b7751e10cd50
-
encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
-
install_name
Neverlose Loader.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Extracted
xworm
5.0
enter-sierra.gl.at.ply.gg:55389
154.197.69.165:7000
lzS6Ul7Mo5UcN6CR
-
Install_directory
%AppData%
-
install_file
Wave.exe
Extracted
stealc
7140196255
http://83.217.209.11
-
url_path
/fd2453cf4b7dd4a4.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
redline
newbundle2
185.215.113.67:15206
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
redline
091024
185.215.113.67:33160
Extracted
metasploit
windows/reverse_tcp
89.197.154.116:7810
Extracted
quasar
1.4.1
Office04
192.168.1.101:4782
20f2b2b5-8392-4fbe-9585-0778c516b863
-
encryption_key
3A9499E06EC8E749CF7AE8F7D466BD97D9B2380C
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
stealc
default
http://95.217.96.249
-
url_path
/bc00174e4ec6d418.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
amadey
5.04
608ae0
http://185.208.159.121
-
install_dir
d71abd0bd9
-
install_file
Gxtuum.exe
-
strings_key
353f19792cc9942438e61b6e87ba3d87
-
url_paths
/8djjd3Shf2/index.php
Extracted
amadey
5.03
7c4393
http://185.215.113.217
-
install_dir
f9c76c1660
-
install_file
corept.exe
-
strings_key
9808a67f01d2f0720518035acbde7521
-
url_paths
/CoreOPT/index.php
Extracted
redline
38.180.109.140:20007
Extracted
quasar
1.4.1
newoffice
117.18.7.76:3782
d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc
-
encryption_key
FD2DE574AF7E363A5304DF85B3475F93A948C103
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Client Startup
-
subdirectory
SubDir
Extracted
quasar
1.4.1
Main
tpinauskas-54803.portmap.host:54803
8422dcc2-b8bd-4080-a017-5b62524b6546
-
encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
-
install_name
Win64.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Win64
-
subdirectory
SubDir
Extracted
asyncrat
0.5.8
Default
KSKA6RWWOYIu
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
https://osecweb.ir/js/config_20.ps1
Extracted
redline
Diamotrix
176.111.174.140:1912
Extracted
vidar
11.1
df523263f44cc8d55414a260a0197e4a
https://steamcommunity.com/profiles/76561199786602107
https://t.me/lpnjoke
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Targets
Score: 10/10
Tags: amadey, asyncrat, cryptbot, lumma, neshta, njrat, phorphiex, quasar, redline, stealc, xworm, zharkbot, 25072023, 7140196255, 9c9aa5, hacked, newbundle2, office04, tg@cvv88888, botnet, credential_access, discovery, evasion, execution, infostealer, loader, persistence, pyinstaller, rat, spyware, stealer, themida, trojan, upx, worm, ammyyadmin, flawedammyy, metasploit, sectoprat, vidar, xmrig, 091024, 608ae0, 7c4393, default, default2, livetraffic, main, newoffice, backdoor, exploit, miner, vmprotect, df523263f44cc8d55414a260a0197e4a, diamotrix, privilege_escalation
- Amadey family
- AmmyyAdmin payload
- Ammyyadmin family
- Asyncrat family
- Cryptbot family
- Detect Neshta payload
- Detect Vidar Stealer
- Detect Xworm Payload
- Detects ZharkBot payload
  ZharkBot is a botnet written in C++.
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
- Flawedammyy family
- Lumma family
- MetaSploit
  Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Modifies security service
- Neshta
  Malware from the Neshta family injects itself into other files in order to spread and cause damage.
- Neshta family
- Njrat family
- Phorphiex family
- Phorphiex payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar family
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- Stealc family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar family
- Xmrig family
- Xworm family
- Zharkbot family
- Async RAT payload
- Contacts a large number (48212) of remote hosts
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows
  This may indicate a network scan to discover remotely running services.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner payload
- Blocklisted process makes network request
- Creates new service(s)
- Downloads MZ/PE file
- Modifies Windows Firewall
- Possible privilege escalation attempt
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Unexpected DNS network traffic destination
  Network traffic on the DNS port to servers other than the configured DNS servers was detected.
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (2)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (2)
    Service Execution (2)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (4)
    Windows Service (4)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Modify Authentication Process (1)
  Power Settings (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (4)
    Windows Service (4)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
  Modify Authentication Process (1)
  Modify Registry (7)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  Virtualization/Sandbox Evasion (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Discovery
  Browser Information Discovery (1)
  Network Service Discovery (3)
  Process Discovery (1)
  Query Registry (7)
  Remote System Discovery (1)
  System Information Discovery (7)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (2)
    Internet Connection Discovery (1)
    Wi-Fi Discovery (1)
  Virtualization/Sandbox Evasion (1)