General

  • Target

    RNSM00289.7z

  • Size

    14.9MB

  • Sample

    241119-v37fpszbpj

  • MD5

    68b02160792ed3b724be029d22b53cd5

  • SHA1

    da6bd91646185c7237dff572273b3ee1ef7f1459

  • SHA256

    05ff08303f072bd86cd817fd302e25c1571f145a015f1ee306b58c2048d9df27

  • SHA512

    0df3ad1723cdd640a77d800210af026f67727183342906d9026741f98622722d2c429a8c1026670cf90922701a4948b28bd731fc52aa1c6e65ba57b4ddf42d1a

  • SSDEEP

    393216:YhSZ5IDwaY+R/wpy6kJ2C/vqx2e7E9Ir1Da:GSZ5E3i/kJ2CK7Ec1W

Malware Config

Extracted

Family

gozi

Extracted

Family

xtremerat

C2

flashplayerupdate.sytes.net

Targets


    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Cerber family

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • TeslaCrypt, AlphaCrypt

      Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    • Teslacrypt family

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Xtremerat family

    • Contacts a large number (18944) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Stops running service(s)

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks