General
-
Target
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.zip
-
Size
4KB
-
Sample
241118-pg2enswhpk
-
MD5
acdd529caa0275c64931ac2796e61f0f
-
SHA1
c40c28e55cc9597a8cfcff327eafc4fbc352261a
-
SHA256
2840a81e534aa9badebe491f4e4a860a137f8eeb6f70e51c6262d832c5f576eb
-
SHA512
86942d3666e58564990ea179e89d4f2e6066c227ee6c8ad2c7f73f02d05b093c04f3e8f4e9cf26435fbef7efa8aeee6cbfd56d73ed4a6a09ffe65dfea7da9ad1
-
SSDEEP
96:v+dd3RBTeK462K1bz2jldHF4YwYRIzN7oUekf2p8uxrQkSaHPuIqBJwM7+d:KNRVl2PjlddTR9oY8ySavuIqng
Malware Config
Extracted
xworm
5.0
event-dollar.gl.at.ply.gg:42627
178.215.224.96:7886
Vu8KDOzYd19RAWuh
-
Install_directory
%ProgramData%
-
install_file
Desktop Window Manager.exe
-
telegram
https://api.telegram.org/bot7269786725:AAF0IPx1BWTdW_vbZqP8HGNrxWWFpF5CvYs/sendMessage?chat_id=5465523859
Extracted
metasploit
windows/reverse_http
http://89.197.154.116:7810/dyn9SR6mQII2UzdSUKnrgwmYhskiaUB7jCBFjro2bJG8g6R2zHny4Po9miA-BSg8o5YtsnonLxNAPh2rwk7sISKT6cj
Extracted
phorphiex
http://185.215.113.66/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3ESHude8zUHksQg1h6hHmzY79BS36L91Yn
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
-
mutex
753f85d83d
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Crypted
154.216.20.190:4449
iwrodgxclqca
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
phorphiex
http://185.215.113.66
http://185.215.113.84
-
mutex
Klipux
Extracted
quasar
1.4.1
Office04
192.168.1.101:4782
20f2b2b5-8392-4fbe-9585-0778c516b863
-
encryption_key
3A9499E06EC8E749CF7AE8F7D466BD97D9B2380C
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
quasar
1.4.1
rat1
unitedrat.ddns.net:4782
5100ab61-a5a5-407f-af55-9e7766b9d637
-
encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
-
install_name
System32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System32
-
subdirectory
System32
Extracted
asyncrat
AsyncRAT
Default
yyyson22.gleeze.com:4608
dw
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
quasar
1.4.1
Aquarius
192.168.8.103:4782
192.168.8.105:4782
192.168.8.114:4782
a198a147-9efc-419d-9539-bac2108dc109
-
encryption_key
4CF458F992C472DE78F317085B34A8A1747FC32D
-
install_name
WindowsDataUpdater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsDataUpdater
-
subdirectory
WinBioData
Extracted
redline
38.180.109.140:20007
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
62.113.117.95:4449
hwelcvbupaqfzors
-
delay
10
-
install
false
-
install_folder
%AppData%
Extracted
redline
@OLEH_PSP
65.21.18.51:45580
Extracted
lumma
https://c0al1t1onmatch.cyou/api
Extracted
quasar
1.4.1
mae-ware
maeluadev-48337.portmap.io:48337
3ef823dd-91ea-4e28-9981-34ebf5ff5883
-
encryption_key
684009117DF150EF232A2EE8AE172085964C1CF0
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
Office
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
SolaraFake
anyone-blogging.gl.at.ply.gg:22284
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
Windows.exe
-
install_folder
%Temp%
Extracted
metasploit
windows/reverse_tcp
47.236.122.191:7900
Extracted
stealc
7140196255
http://83.217.209.11
-
url_path
/fd2453cf4b7dd4a4.php
Extracted
xworm
return-carol.gl.at.ply.gg:53275
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Targets
-
-
Target
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload
-
Ammyyadmin family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Socks5Systemz Payload
-
Detect Xworm Payload
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies security service
-
Njrat family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Socks5systemz family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Windows security bypass
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
DCRat payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Sets service image path in registry
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Windows security modification
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3JavaScript
1PowerShell
2Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
8Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Discovery
Browser Information Discovery
1Process Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
1