Overview

overview

10

Static

static

3

Downloaders.zip

windows11-21h2-x64

10

Resubmissions

28-11-2024 02:19

241128-cr9sks1kht 10

27-11-2024 21:08

241127-zyzyaawqgn 10

27-11-2024 20:16

241127-y145caymbs 10

27-11-2024 20:13

241127-yzlxdavlen 10

27-11-2024 19:53

241127-yl61dsxpcs 10

27-11-2024 19:38

241127-ycrjcaxkfx 10

27-11-2024 19:03

241127-xqsswsslej 10

27-11-2024 19:03

241127-xqf44aslcr 3

27-11-2024 19:02

241127-xpxqfsslan 3

27-11-2024 18:32

241127-w6pkqs1mek 10

Analysis

  • max time kernel
    1007s
  • max time network
    1321s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27-11-2024 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Downloaders.zip

  • Size

    12KB

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Score
10/10
asyncratcobaltstrikecryptbotgh0stratlummametasploitphorphiexpurplefoxquasarredlinexmrigxwormdefaultsigortabackdoormicrosoftdefense_evasiondiscoveryevasionexecutioninfostealerloaderminerpersistencephishingprivilege_escalationpyinstallerransomwareratrootkitspywarestealertrojanupxworm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    216.146.202.21
  • Port:
    21
  • Username:
    admin
  • Password:
    11111

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808
Mutex

nfMlxLKxWkbD

Attributes
  • delay

    3

  • install

    true

  • install_file

    http.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

C2

144.34.162.13:3333

Extracted

Family

cobaltstrike

C2

http://�'�)���@��@'��u�.Qt�,��R�y��b� ��6��'\�<C+xS��ǎ}���0IޭQ�}�W��x��R8�&w� }�+yq����R.�kem:2470497230)���@��@'��u�.Qt�,��R�y��b� ��6��'\�<C+xS��ǎ}���0IޭQ�}�W��x��R8�&w� }�+yq����R.�kem

Extracted

Family

cryptbot

C2

fivexc5pt.top

analforeverlovyu.top
Attributes
  • url_path

    /v1/upload.php

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

C2

128.0.1.24:1604

Mutex

QSR_MUTEX_rVykraFS4RvYG92h8I

Attributes
  • encryption_key

    Yjb2TFL9st7uVjRJpP63

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

147.185.221.22:47930

127.0.0.1:47930
Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

xworm

Version

5.0

C2

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4449

135.181.185.254:4449

212.15.49.155:4449
Mutex

fssssssshsfhs444fdf%dfs

Attributes
  • delay

    11

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

lumma

C2

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

https://cook-rain.sbs

Extracted

Family

xworm

Version

3.1

C2

18.181.154.24:7000

Mutex

w8DsMRIhXrOmk0Gn

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Cobaltstrike family
    cobaltstrike
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Detect Xworm Payload 5 IoCs
  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Phorphiex family
    phorphiex
  • Phorphiex payload 1 IoCs
  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar