General

  • Target

    Downloaders.zip

  • Size

    12KB

  • Sample

    241127-a58fkayjav

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/unvd01/unvmain/raw/main/un2/botprnt.dat

exe.dropper

http://unvdwl.com/un2/botprnt.dat

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    84.201.61.18
  • Port:
    21
  • Username:
    root

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    193.32.16.30
  • Port:
    21
  • Username:
    root
  • Password:
    7777777

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    162.241.101.43
  • Port:
    21
  • Username:
    user
  • Password:
    qwert

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    154.223.3.44
  • Port:
    21
  • Username:
    user
  • Password:
    walle

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    39.46.216.48
  • Port:
    21
  • Username:
    ftp
  • Password:
    killer

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    67.205.26.48
  • Port:
    21
  • Username:
    ftp
  • Password:
    emmanuel20

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    108.179.243.51
  • Port:
    21
  • Username:
    user
  • Password:
    egoiste

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    170.81.13.52
  • Port:
    21
  • Username:
    user
  • Password:
    asdasd

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    216.118.228.67
  • Port:
    21
  • Username:
    admin
  • Password:
    lol123

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    202.52.144.69
  • Port:
    21
  • Username:
    ftp
  • Password:
    abc123

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    108.167.146.82
  • Port:
    21
  • Username:
    admin
  • Password:
    ADMIN1

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    162.240.172.85
  • Port:
    21
  • Username:
    administrator
  • Password:
    matrix

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

89.105.223.196:29862

Extracted

Family

vidar

Version

11.3

Botnet

a21440e9f7223be06be5f5e2f94969c7

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

cryptbot

C2

thizx13vt.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Extracted

Family

lumma

C2

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

91.92.254.40:4782

Mutex

56928f7b-c5c9-4b24-af59-8c509ce1d27e

Attributes
  • encryption_key

    60574F1741A0786C827AF49C652AB3A7DA0533D1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows System

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

82.117.243.110:5173

Mutex

edH11NGQWIdCwvLx00

Attributes
  • encryption_key

    aGPuRaDerdUDJPrAfXtB

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Framework

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

1.tcp.ap.ngrok.io:21049

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    chrome.exe

  • install_folder

    %AppData%

Extracted

Family

xworm

Version

5.0

C2

110.164.203.191:7000

62.113.117.95:5665

68.178.207.33:7000

Mutex

AExowENWrg3jY19C

Attributes
  • Install_directory

    %Temp%

  • install_file

    windows32.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4449

135.181.185.254:4449

212.15.49.155:4449

Mutex

fssssssshsfhs444fdf%dfs

Attributes
  • delay

    11

  • install

    false

  • install_folder

    %AppData%

Extracted

Family

redline

C2

185.215.113.9:12617

Extracted

Family

xworm

C2

mylogsprvt.zapto.org:8899

Mutex

SmH2L0949LC6zVSS

Attributes
  • install_file

    USB.exe

Extracted

Family

redline

Botnet

newest

C2

mylogsprvt.zapto.org:45630

Extracted

Family

redline

Botnet

091024

C2

185.215.113.67:33160

Extracted

Family

xworm

Version

3.1

C2

18.181.154.24:7000

Mutex

w8DsMRIhXrOmk0Gn

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Ammyy Admin

      Remote admin tool with various capabilities.

    • AmmyyAdmin payload

    • Ammyyadmin family

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • CryptBot

      CryptBot is a C++ stealer widely distributed in bundles with other software.

    • Cryptbot family

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Detects ZharkBot payload

      ZharkBot is a botnet written in C++.

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

    • Flawedammyy family

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Modifies WinLogon for persistence

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex, or Phorpiex, is a malware family that infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Rhadamanthys family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • XMRig Miner payload

    • Xmrig family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • ZharkBot

      ZharkBot is a botnet written in C++.

    • Zharkbot family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Async RAT payload

    • Contacts a large (7972) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to execute payload.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Sets service image path in registry

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • A potential corporate email address has been identified in the URL: 7JCeW_Admin@DPGNQMQQ_report.wsr

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Network Share Discovery

      Attempt to gather information on host network.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
