Resubmissions
04-12-2024 19:44
241204-yftswatlcj 1028-11-2024 19:40
241128-ydqnfaxqgy 1020-11-2024 16:31
241120-t1tw6azjfy 1020-11-2024 06:05
241120-gtdv5ssnes 1020-11-2024 06:00
241120-gqchxascje 1020-11-2024 05:52
241120-gk2kvaxkgn 1018-11-2024 21:54
241118-1sd93a1lfr 1017-11-2024 11:03
241117-m55qwsyemr 316-11-2024 19:06
241116-xsbmdssbkd 1016-11-2024 18:38
241116-w913ya1jcy 10General
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
Sample
241120-gtdv5ssnes
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Malware Config
Extracted
cryptbot
thizx13vt.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
risepro
3.36.173.8:50500
Extracted
xworm
sound-vietnam.gl.at.ply.gg:52575
rondtimes.top:1940
45.66.231.231:7000
-
Install_directory
%LocalAppData%
-
install_file
Terraria-Multiplayer-Fix-Online.exe
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
quasar
1.4.1
Office04
91.92.254.40:4782
56928f7b-c5c9-4b24-af59-8c509ce1d27e
-
encryption_key
60574F1741A0786C827AF49C652AB3A7DA0533D1
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows System
-
subdirectory
SubDir
Extracted
phorphiex
http://185.215.113.66
http://185.215.113.84
-
mutex
Klipux
Extracted
quasar
1.4.1
Java
dez345-37245.portmap.host:37245
f0e53bcd-851e-44af-8fd5-07d8ab5ed968
-
encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
-
install_name
java.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
java ©
-
subdirectory
Programfiles
Extracted
lokibot
http://94.156.177.41/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
cobaltstrike
http://192.168.180.12:7810/vN3f
-
user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)
Extracted
stealc
LogsDiller
http://194.15.46.65
-
url_path
/7f031eb0d257b290.php
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
62.113.117.95:4449
hwelcvbupaqfzors
-
delay
10
-
install
false
-
install_folder
%AppData%
Extracted
quasar
1.4.1
Aryszx
Apichat:4782
181f4a12-4cad-46a9-9896-1001033c5b69
-
encryption_key
F4F359BEF442D9221F73F7D64267E0E300CC68CE
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
1
-
startup_key
Runtime Broker
Extracted
asyncrat
0.5.8
Default
stuff-data.gl.at.ply.gg:54296
u81wDUVoFHib
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
redline
Diamotrix
176.111.174.140:1912
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Extracted
gurcu
https://api.telegram.org/bot962023231:AAG4by19NbHDMl2hPuMLesCOvrR264-4hSg/sendMessag
https://api.telegram.org/bot7414426785:AAGjcWvGORe1_ToCk6Lpu9MSjNamkIOlrLs/sendDocumen
Extracted
metasploit
windows/reverse_tcp
89.197.154.116:7810
Extracted
quasar
1.4.0
Office04
192.168.31.99:4782
2001:4bc9:1f98:a4e::676:4782
255.255.255.0:4782
fe80::cabf:4cff:fe84:9572%17:4782
1f65a787-81b8-4955-95e4-b7751e10cd50
-
encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
-
install_name
Neverlose Loader.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Extracted
amadey
4.41
1176f2
http://185.215.113.19
-
install_dir
417fd29867
-
install_file
ednfoki.exe
-
strings_key
183201dc3defc4394182b4bff63c4065
-
url_paths
/CoreOPT/index.php
Extracted
vidar
10.6
1a72eb06939ea478753d5c4df4b2bd32
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Extracted
asyncrat
AsyncRAT
Default
yyyson22.gleeze.com:4608
dw
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
Default
ratlordvc.ddns.net:6606
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
tesst.exe
-
install_folder
%AppData%
Extracted
metasploit
metasploit_stager
144.34.162.13:3333
Extracted
xworm
5.0
188.190.10.161:4444
TSXTkO0pNBdN2KNw
-
install_file
USB.exe
Extracted
redline
091024
185.215.113.67:33160
Extracted
quasar
1.4.0
svhost
151.177.61.79:4782
a148a6d8-1253-4e62-bc5f-c0242dd62e69
-
encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
-
install_name
svhost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
svhost
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
Adds autorun key to be loaded by Explorer.exe on startup
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Avoslocker family
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Neshta payload
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects ZharkBot payload
ZharkBot is a botnet written C++.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Njrat family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Risepro family
-
Rule to detect Lockbit 3.0 ransomware Windows payload
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Windows security bypass
-
XMRig Miner payload
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
ZharkBot
ZharkBot is a botnet written C++.
-
Zharkbot family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Looks for VirtualBox Guest Additions in registry
-
Modifies boot configuration data using bcdedit
-
Renames multiple (517) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Contacts a large (612) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Windows security modification
-
Accesses 2FA software files, possible credential harvesting
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Network Service Discovery
Attempt to gather information on host's network.
-
Network Share Discovery
Attempt to gather information on host network.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
4JavaScript
1PowerShell
3Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
5Windows Service
5Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Power Settings
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
5Windows Service
5Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
5Clear Persistence
1Clear Windows Event Logs
1File Deletion
3Modify Registry
12Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
4Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
6Credentials In Files
5Credentials in Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
2Network Share Discovery
1Peripheral Device Discovery
3Process Discovery
1Query Registry
13Remote System Discovery
2System Information Discovery
11System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
4