Resubmissions
28-11-2024 02:19
241128-cr9sks1kht 1027-11-2024 21:08
241127-zyzyaawqgn 1027-11-2024 20:16
241127-y145caymbs 1027-11-2024 20:13
241127-yzlxdavlen 1027-11-2024 19:53
241127-yl61dsxpcs 1027-11-2024 19:38
241127-ycrjcaxkfx 1027-11-2024 19:03
241127-xqsswsslej 1027-11-2024 19:03
241127-xqf44aslcr 327-11-2024 19:02
241127-xpxqfsslan 327-11-2024 18:32
241127-w6pkqs1mek 10General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
241127-y145caymbs
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Malware Config
Extracted
https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe
Extracted
Protocol: ftp- Host:
ftpcluster.loopia.se - Port:
21 - Username:
srbreferee.com - Password:
luka2005
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
135.181.185.254:4449
fssssssshsfhs444fdf%dfs
-
delay
11
-
install
false
-
install_folder
%AppData%
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
82.193.104.21:5137
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Extracted
quasar
1.4.1
Main
tpinauskas-54803.portmap.host:54803
8422dcc2-b8bd-4080-a017-5b62524b6546
-
encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
-
install_name
Win64.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Win64
-
subdirectory
SubDir
Extracted
xworm
127.0.0.1:6000
103.211.201.109:6000
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
telegram
https://api.telegram.org/bot7929370892:AAGwrX5TeyxQidZdAEm_Z6-CDvPUOQzVY1M
Extracted
stealc
default
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
xworm
5.0
68.178.207.33:7000
sSM7p4MT4JctLnRS
-
install_file
USB.exe
Extracted
asyncrat
0.5.8
Default
107.175.202.158:6606
107.175.202.158:30814
107.175.202.158:25565
107.175.202.158:443
anQK5EUHL5vU
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Xworm Payload
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Njrat family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Service Discovery
Attempt to gather information on host's network.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Indicator Removal
1File Deletion
1Modify Authentication Process
1Modify Registry
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
9Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2