Resubmissions
28-11-2024 02:19
241128-cr9sks1kht 1027-11-2024 21:08
241127-zyzyaawqgn 1027-11-2024 20:16
241127-y145caymbs 1027-11-2024 20:13
241127-yzlxdavlen 1027-11-2024 19:53
241127-yl61dsxpcs 1027-11-2024 19:38
241127-ycrjcaxkfx 1027-11-2024 19:03
241127-xqsswsslej 1027-11-2024 19:03
241127-xqf44aslcr 327-11-2024 19:02
241127-xpxqfsslan 327-11-2024 18:32
241127-w6pkqs1mek 10General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
241127-w6pkqs1mek
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Static task
static1
Behavioral task
behavioral1
Sample
Downloaders.zip
Resource
win11-20241023-en
Malware Config
Extracted
https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe
Extracted
http://176.113.115.178/FF/3.png
Extracted
http://176.113.115.178/FF/2.png
Extracted
Protocol: ftp- Host:
216.146.202.21 - Port:
21 - Username:
admin - Password:
11111
Extracted
asyncrat
0.5.8
Default
ser.nrovn.xyz:6606
ser.nrovn.xyz:7707
ser.nrovn.xyz:8808
nfMlxLKxWkbD
-
delay
3
-
install
true
-
install_file
http.exe
-
install_folder
%AppData%
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
metasploit_stager
144.34.162.13:3333
Extracted
cobaltstrike
http://�'�)���@��@'��u�.Qt�,��R�y��b� ��6��'\�<C+xS��ǎ}���0IޭQ�}�W��x��R8�&w�}�+yq����R.�kem:2470497230)���@��@'��u�.Qt�,��R�y��b� ��6��'\�<C+xS��ǎ}���0IޭQ�}�W��x��R8�&w�}�+yq����R.�kem
Extracted
cryptbot
fivexc5pt.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
quasar
1.3.0.0
sigorta
128.0.1.24:1604
QSR_MUTEX_rVykraFS4RvYG92h8I
-
encryption_key
Yjb2TFL9st7uVjRJpP63
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
xworm
147.185.221.22:47930
127.0.0.1:47930
-
Install_directory
%AppData%
-
install_file
svchost.exe
Extracted
xworm
5.0
68.178.207.33:7000
sSM7p4MT4JctLnRS
-
install_file
USB.exe
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
135.181.185.254:4449
212.15.49.155:4449
fssssssshsfhs444fdf%dfs
-
delay
11
-
install
false
-
install_folder
%AppData%
Extracted
lumma
https://p3ar11fter.sbs
https://3xp3cts1aim.sbs
https://owner-vacat10n.sbs
https://peepburry828.sbs
https://p10tgrace.sbs
https://befall-sm0ker.sbs
https://librari-night.sbs
https://processhol.sbs
https://cook-rain.sbs
Extracted
xworm
3.1
18.181.154.24:7000
w8DsMRIhXrOmk0Gn
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
-
Asyncrat family
-
Cobaltstrike family
-
Cryptbot family
-
Detect Xworm Payload
-
Gh0st RAT payload
-
Gh0strat family
-
Lumma family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Phorphiex family
-
Phorphiex payload
-
Purplefox family
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xmrig family
-
Xworm family
-
Async RAT payload
-
Contacts a large (2234) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
2File Deletion
1Network Share Connection Removal
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Network Service Discovery
2Network Share Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
8Remote System Discovery
2System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2