Resubmissions
04-12-2024 19:44
241204-yftswatlcj 1028-11-2024 19:40
241128-ydqnfaxqgy 1020-11-2024 16:31
241120-t1tw6azjfy 1020-11-2024 06:05
241120-gtdv5ssnes 1020-11-2024 06:00
241120-gqchxascje 1020-11-2024 05:52
241120-gk2kvaxkgn 1018-11-2024 21:54
241118-1sd93a1lfr 1017-11-2024 11:03
241117-m55qwsyemr 316-11-2024 19:06
241116-xsbmdssbkd 1016-11-2024 18:38
241116-w913ya1jcy 10General
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
Sample
241120-t1tw6azjfy
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe.zip
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
4363463463464363463463463.exe.zip
Resource
win11-20241007-en
Malware Config
Extracted
vidar
11.3
a21440e9f7223be06be5f5e2f94969c7
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
redline
Diamotrix
176.111.174.140:1912
Extracted
quasar
1.4.1
Office04
73.62.14.5:4782
3aaa11be-d135-4877-a61e-c409c29a7a60
-
encryption_key
BC9162791FD860195CF75664AE64885B64D5B5CE
-
install_name
Client1.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Startup
-
subdirectory
SubDir
Extracted
metasploit
metasploit_stager
144.34.162.13:3333
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
62.113.117.95:4449
hwelcvbupaqfzors
-
delay
10
-
install
false
-
install_folder
%AppData%
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29155
Extracted
asyncrat
0.5.8
Default
ser.nrovn.xyz:6606
ser.nrovn.xyz:7707
ser.nrovn.xyz:8808
nfMlxLKxWkbD
-
delay
3
-
install
true
-
install_file
http.exe
-
install_folder
%AppData%
Extracted
xworm
5.0
enter-sierra.gl.at.ply.gg:55389
lzS6Ul7Mo5UcN6CR
-
Install_directory
%AppData%
-
install_file
Wave.exe
Extracted
redline
@OLEH_PSP
65.21.18.51:45580
Extracted
redline
14082024
185.215.113.67:21405
Extracted
xworm
0.tcp.in.ngrok.io:15792
-
Install_directory
%AppData%
-
install_file
svсhost.exe
Targets
-
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Score10/10ammyyadminasyncratavoslockerflawedammyymetasploitphorphiexquasarredlinevidarxmrigxwormzharkbot14082024@oleh_pspa21440e9f7223be06be5f5e2f94969c7defaultdiamotrixoffice04tg cloud @rlreborn admin @fatherofcardersbackdoorbotnetcredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerloaderminerpersistencepyinstallerransomwareratspywarestealerthemidatrojanupxworm-
AmmyyAdmin payload
-
Ammyyadmin family
-
Asyncrat family
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Avoslocker family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects ZharkBot payload
ZharkBot is a botnet written C++.
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies WinLogon for persistence
-
Modifies security service
-
Phorphiex family
-
Phorphiex payload
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar family
-
XMRig Miner payload
-
Xmrig family
-
Xworm family
-
Zharkbot family
-
Async RAT payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (5379) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Authentication Process
1Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4