Resubmissions
27-11-2024 00:48
241127-a58fkayjav 1027-11-2024 00:33
241127-awglgstrbm 1026-11-2024 23:19
241126-3a6byavlhw 1026-11-2024 23:19
241126-3azt6a1pcm 1026-11-2024 23:11
241126-26h1va1mel 1026-11-2024 23:08
241126-24va4avjdt 1026-11-2024 23:06
241126-23m6ds1lcm 326-11-2024 23:05
241126-223jpatrgs 326-11-2024 23:04
241126-22q6natres 326-11-2024 22:59
241126-2ykvga1jdr 10General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
241127-a58fkayjav
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Malware Config
Extracted
https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe
Extracted
http://176.113.115.178/FF/2.png
Extracted
http://176.113.115.178/FF/3.png
Extracted
https://github.com/unvd01/unvmain/raw/main/un2/botprnt.dat
http://unvdwl.com/un2/botprnt.dat
Extracted
Protocol: ftp- Host:
84.201.61.18 - Port:
21 - Username:
root
Extracted
Protocol: ftp- Host:
193.32.16.30 - Port:
21 - Username:
root - Password:
7777777
Extracted
Protocol: ftp- Host:
162.241.101.43 - Port:
21 - Username:
user - Password:
qwert
Extracted
Protocol: ftp- Host:
154.223.3.44 - Port:
21 - Username:
user - Password:
walle
Extracted
Protocol: ftp- Host:
39.46.216.48 - Port:
21 - Username:
ftp - Password:
killer
Extracted
Protocol: ftp- Host:
67.205.26.48 - Port:
21 - Username:
ftp - Password:
emmanuel20
Extracted
Protocol: ftp- Host:
108.179.243.51 - Port:
21 - Username:
user - Password:
egoiste
Extracted
Protocol: ftp- Host:
170.81.13.52 - Port:
21 - Username:
user - Password:
asdasd
Extracted
Protocol: ftp- Host:
216.118.228.67 - Port:
21 - Username:
admin - Password:
lol123
Extracted
Protocol: ftp- Host:
202.52.144.69 - Port:
21 - Username:
ftp - Password:
abc123
Extracted
Protocol: ftp- Host:
108.167.146.82 - Port:
21 - Username:
admin - Password:
ADMIN1
Extracted
Protocol: ftp- Host:
162.240.172.85 - Port:
21 - Username:
administrator - Password:
matrix
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
vidar
11.3
a21440e9f7223be06be5f5e2f94969c7
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
cryptbot
thizx13vt.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
lumma
https://crib-endanger.sbs
https://faintbl0w.sbs
https://300snails.sbs
https://bored-light.sbs
https://3xc1aimbl0w.sbs
https://pull-trucker.sbs
https://fleez-inc.sbs
https://thicktoys.sbs
https://frogmen-smell.sbs
https://p3ar11fter.sbs
https://3xp3cts1aim.sbs
https://owner-vacat10n.sbs
https://peepburry828.sbs
https://p10tgrace.sbs
https://befall-sm0ker.sbs
https://librari-night.sbs
https://processhol.sbs
https://cook-rain.sbs
Extracted
quasar
1.4.1
Office04
91.92.254.40:4782
56928f7b-c5c9-4b24-af59-8c509ce1d27e
-
encryption_key
60574F1741A0786C827AF49C652AB3A7DA0533D1
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows System
-
subdirectory
SubDir
Extracted
quasar
1.4.0.0
Office
82.117.243.110:5173
edH11NGQWIdCwvLx00
-
encryption_key
aGPuRaDerdUDJPrAfXtB
-
install_name
csrss.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Framework
-
subdirectory
SubDir
Extracted
asyncrat
0.5.7B
Default
1.tcp.ap.ngrok.io:21049
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
chrome.exe
-
install_folder
%AppData%
Extracted
xworm
5.0
110.164.203.191:7000
62.113.117.95:5665
68.178.207.33:7000
AExowENWrg3jY19C
-
Install_directory
%Temp%
-
install_file
windows32.exe
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
135.181.185.254:4449
212.15.49.155:4449
fssssssshsfhs444fdf%dfs
-
delay
11
-
install
false
-
install_folder
%AppData%
Extracted
redline
185.215.113.9:12617
Extracted
xworm
mylogsprvt.zapto.org:8899
SmH2L0949LC6zVSS
-
install_file
USB.exe
Extracted
redline
newest
mylogsprvt.zapto.org:45630
Extracted
redline
091024
185.215.113.67:33160
Extracted
xworm
3.1
18.181.154.24:7000
w8DsMRIhXrOmk0Gn
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload
-
Ammyyadmin family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects ZharkBot payload
ZharkBot is a botnet written C++.
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies WinLogon for persistence
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Sectoprat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
XMRig Miner payload
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
ZharkBot
ZharkBot is a botnet written C++.
-
Zharkbot family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
Contacts a large (7972) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to execute payload.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Sets service image path in registry
-
Stops running service(s)
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
A potential corporate email address has been identified in the URL: 7JCeW_Admin@DPGNQMQQ_report.wsr
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Service Discovery
Attempt to gather information on host's network.
-
Network Share Discovery
Attempt to gather information on host network.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Power Settings
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
1Indicator Removal
2File Deletion
1Network Share Connection Removal
1Modify Registry
6Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
7Credentials In Files
6Credentials in Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
3Network Share Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
9Remote System Discovery
2System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
2