Resubmissions
28-11-2024 02:19
241128-cr9sks1kht 1027-11-2024 21:08
241127-zyzyaawqgn 1027-11-2024 20:16
241127-y145caymbs 1027-11-2024 20:13
241127-yzlxdavlen 1027-11-2024 19:53
241127-yl61dsxpcs 1027-11-2024 19:38
241127-ycrjcaxkfx 1027-11-2024 19:03
241127-xqsswsslej 1027-11-2024 19:03
241127-xqf44aslcr 327-11-2024 19:02
241127-xpxqfsslan 327-11-2024 18:32
241127-w6pkqs1mek 10General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
241127-a58fkayjav
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Static task
static1
Behavioral task
behavioral1
Sample
Downloaders.zip
Resource
win11-20241007-en
Malware Config
Extracted
https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe
Extracted
http://176.113.115.178/FF/2.png
Extracted
http://176.113.115.178/FF/3.png
Extracted
https://github.com/unvd01/unvmain/raw/main/un2/botprnt.dat
http://unvdwl.com/un2/botprnt.dat
Extracted
Protocol: ftp- Host:
84.201.61.18 - Port:
21 - Username:
root
Extracted
Protocol: ftp- Host:
193.32.16.30 - Port:
21 - Username:
root - Password:
7777777
Extracted
Protocol: ftp- Host:
162.241.101.43 - Port:
21 - Username:
user - Password:
qwert
Extracted
Protocol: ftp- Host:
154.223.3.44 - Port:
21 - Username:
user - Password:
walle
Extracted
Protocol: ftp- Host:
39.46.216.48 - Port:
21 - Username:
ftp - Password:
killer
Extracted
Protocol: ftp- Host:
67.205.26.48 - Port:
21 - Username:
ftp - Password:
emmanuel20
Extracted
Protocol: ftp- Host:
108.179.243.51 - Port:
21 - Username:
user - Password:
egoiste
Extracted
Protocol: ftp- Host:
170.81.13.52 - Port:
21 - Username:
user - Password:
asdasd
Extracted
Protocol: ftp- Host:
216.118.228.67 - Port:
21 - Username:
admin - Password:
lol123
Extracted
Protocol: ftp- Host:
202.52.144.69 - Port:
21 - Username:
ftp - Password:
abc123
Extracted
Protocol: ftp- Host:
108.167.146.82 - Port:
21 - Username:
admin - Password:
ADMIN1
Extracted
Protocol: ftp- Host:
162.240.172.85 - Port:
21 - Username:
administrator - Password:
matrix
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
vidar
11.3
a21440e9f7223be06be5f5e2f94969c7
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
cryptbot
thizx13vt.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
lumma
https://crib-endanger.sbs
https://faintbl0w.sbs
https://300snails.sbs
https://bored-light.sbs
https://3xc1aimbl0w.sbs
https://pull-trucker.sbs
https://fleez-inc.sbs
https://thicktoys.sbs
https://frogmen-smell.sbs
https://p3ar11fter.sbs
https://3xp3cts1aim.sbs
https://owner-vacat10n.sbs
https://peepburry828.sbs
https://p10tgrace.sbs
https://befall-sm0ker.sbs
https://librari-night.sbs
https://processhol.sbs
https://cook-rain.sbs
Extracted
quasar
1.4.1
Office04
91.92.254.40:4782
56928f7b-c5c9-4b24-af59-8c509ce1d27e
-
encryption_key
60574F1741A0786C827AF49C652AB3A7DA0533D1
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows System
-
subdirectory
SubDir
Extracted
quasar
1.4.0.0
Office
82.117.243.110:5173
edH11NGQWIdCwvLx00
-
encryption_key
aGPuRaDerdUDJPrAfXtB
-
install_name
csrss.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Framework
-
subdirectory
SubDir
Extracted
asyncrat
0.5.7B
Default
1.tcp.ap.ngrok.io:21049
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
chrome.exe
-
install_folder
%AppData%
Extracted
xworm
5.0
110.164.203.191:7000
62.113.117.95:5665
68.178.207.33:7000
AExowENWrg3jY19C
-
Install_directory
%Temp%
-
install_file
windows32.exe
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
135.181.185.254:4449
212.15.49.155:4449
fssssssshsfhs444fdf%dfs
-
delay
11
-
install
false
-
install_folder
%AppData%
Extracted
redline
185.215.113.9:12617
Extracted
xworm
mylogsprvt.zapto.org:8899
SmH2L0949LC6zVSS
-
install_file
USB.exe
Extracted
redline
newest
mylogsprvt.zapto.org:45630
Extracted
redline
091024
185.215.113.67:33160
Extracted
xworm
3.1
18.181.154.24:7000
w8DsMRIhXrOmk0Gn
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score10/10amadeyammyyadminasyncratcryptbotflawedammyylokibotlummananocorephorphiexquasarredlinerhadamanthyssectopratvidarxmrigxwormzharkbot091024a21440e9f7223be06be5f5e2f94969c7defaultnewestofficeoffice04tg cloud @rlreborn admin @fatherofcardersaspackv2bootkitbotnetcollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerkeyloggerloaderminerpersistencephishingprivilege_escalationpyinstallerratspywarestealerthemidatrojanupxworm-
Amadey family
-
AmmyyAdmin payload
-
Ammyyadmin family
-
Asyncrat family
-
Cryptbot family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects ZharkBot payload
ZharkBot is a botnet written C++.
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Lokibot family
-
Lumma family
-
Modifies WinLogon for persistence
-
Nanocore family
-
Phorphiex family
-
Phorphiex payload
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
SectopRAT payload
-
Sectoprat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar family
-
XMRig Miner payload
-
Xmrig family
-
Xworm family
-
Zharkbot family
-
Async RAT payload
-
Contacts a large (7972) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Sets service image path in registry
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
A potential corporate email address has been identified in the URL: 7JCeW_Admin@DPGNQMQQ_report.wsr
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Power Settings
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
1Indicator Removal
2File Deletion
1Network Share Connection Removal
1Modify Registry
6Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
7Credentials In Files
6Credentials in Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
3Network Share Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
9Remote System Discovery
2System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
2