Resubmissions

04-12-2024 19:44

241204-yftswatlcj 10

28-11-2024 19:40

241128-ydqnfaxqgy 10

20-11-2024 16:31

241120-t1tw6azjfy 10

20-11-2024 06:05

241120-gtdv5ssnes 10

20-11-2024 06:00

241120-gqchxascje 10

20-11-2024 05:52

241120-gk2kvaxkgn 10

18-11-2024 21:54

241118-1sd93a1lfr 10

17-11-2024 11:03

241117-m55qwsyemr 3

16-11-2024 19:06

241116-xsbmdssbkd 10

16-11-2024 18:38

241116-w913ya1jcy 10

General

  • Target

    4363463463464363463463463.exe.zip

  • Size

    4KB

  • Sample

    241120-t1tw6azjfy

  • MD5

    16d34133af438a73419a49de605576d9

  • SHA1

    c3dbcd70359fdad8835091c714a7a275c59bd732

  • SHA256

    e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

  • SHA512

    59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7

  • SSDEEP

    96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5

Malware Config

Extracted

Family

vidar

Version

11.3

Botnet

a21440e9f7223be06be5f5e2f94969c7

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

redline

Botnet

Diamotrix

C2

176.111.174.140:1912

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

73.62.14.5:4782

Mutex

3aaa11be-d135-4877-a61e-c409c29a7a60

Attributes
  • encryption_key

    BC9162791FD860195CF75664AE64885B64D5B5CE

  • install_name

    Client1.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Startup

  • subdirectory

    SubDir

Extracted

Family

metasploit

Version

metasploit_stager

C2

144.34.162.13:3333

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

62.113.117.95:4449

Mutex

hwelcvbupaqfzors

Attributes
  • delay

    10

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

89.105.223.196:29155

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808

Mutex

nfMlxLKxWkbD

Attributes
  • delay

    3

  • install

    true

  • install_file

    http.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

enter-sierra.gl.at.ply.gg:55389

Mutex

lzS6Ul7Mo5UcN6CR

Attributes
  • Install_directory

    %AppData%

  • install_file

    Wave.exe

aes.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

65.21.18.51:45580

Extracted

Family

redline

Botnet

14082024

C2

185.215.113.67:21405

Extracted

Family

xworm

C2

0.tcp.in.ngrok.io:15792

Attributes
  • Install_directory

    %AppData%

  • install_file

    svсhost.exe

Targets

    • Target

      4363463463464363463463463.exe.zip

    • Size

      4KB

    • MD5

      16d34133af438a73419a49de605576d9

    • SHA1

      c3dbcd70359fdad8835091c714a7a275c59bd732

    • SHA256

      e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

    • SHA512

      59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7

    • SSDEEP

      96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5

    • Ammyy Admin

      Remote admin tool with various capabilities.

    • AmmyyAdmin payload

    • Ammyyadmin family

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Avoslocker Ransomware

      Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    • Avoslocker family

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Detects ZharkBot payload

      ZharkBot is a botnet written C++.

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

    • Flawedammyy family

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Modifies WinLogon for persistence

    • Modifies security service

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Windows security bypass

    • XMRig Miner payload

    • Xmrig family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • ZharkBot

      ZharkBot is a botnet written C++.

    • Zharkbot family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Async RAT payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (5379) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks