Overview

overview

10

Static

static

3

Downloaders.zip

windows11-21h2-x64

10

Resubmissions

28-11-2024 02:19

241128-cr9sks1kht 10

27-11-2024 21:08

241127-zyzyaawqgn 10

27-11-2024 20:16

241127-y145caymbs 10

27-11-2024 20:13

241127-yzlxdavlen 10

27-11-2024 19:53

241127-yl61dsxpcs 10

27-11-2024 19:38

241127-ycrjcaxkfx 10

27-11-2024 19:03

241127-xqsswsslej 10

27-11-2024 19:03

241127-xqf44aslcr 3

27-11-2024 19:02

241127-xpxqfsslan 3

27-11-2024 18:32

241127-w6pkqs1mek 10

Analysis

  • max time kernel
    751s
  • max time network
    2146s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27-11-2024 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Downloaders.zip

  • Size

    12KB

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Score
10/10
lummaxmrigxwormmicrosoftcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionminerpersistencephishingprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language
hta
Source
URLs
hta.dropper

http://176.113.115.178/Windows-Update

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/1.png

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    72.52.244.4
  • Port:
    21
  • Username:
    ftp
  • Password:
    999999

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    103.67.236.20
  • Port:
    21
  • Username:
    user
  • Password:
    !root!

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    193.227.116.49
  • Port:
    21
  • Username:
    user
  • Password:
    egoiste

Extracted

Family

lumma

C2

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://property-imper.sbs

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

https://cook-rain.sbs

Extracted

Family

xworm

Version

5.0

C2

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

Version

3.1

C2

18.181.154.24:7000

Mutex

w8DsMRIhXrOmk0Gn

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 6 IoCs
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Xmrig family
    xmrig
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Contacts a large (5745) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • XMRig Miner payload 6 IoCs
    miner
  • Blocklisted process makes network request 21 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Using powershell.exe command.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
    persistence
  • Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs

    Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    defense_evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 64 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 3 IoCs

    Attempt to gather information on host's network.

    discovery
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Power Settings 1 TTPs 12 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Detected potential entity reuse from brand MICROSOFT.
    phishingmicrosoft
  • Drops file in System32 directory 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 7 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
  • Suspicious use of SetThreadContext 33 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 18 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • Enumerates system info in registry 2 TTPs 15 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 37 IoCs
  • NTFS ADS 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 6 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs