Resubmissions
16-12-2024 05:27
241216-f5kx6awmh1 1014-12-2024 20:23
241214-y6jqlasrhy 1014-12-2024 20:22
241214-y51bysvmbk 1014-12-2024 20:13
241214-yzc98svkfr 1014-12-2024 13:14
241214-qgw1masrcy 1014-12-2024 13:12
241214-qfk7qsvlaq 312-12-2024 18:19
241212-wymq6ssnat 1012-12-2024 18:16
241212-www7tssmet 10General
-
Target
241127-xqsswsslej_pw_infected.zip
-
Size
12KB
-
Sample
241128-a4gw8atpak
-
MD5
79fd058f7d06cc022de1786507eb26e3
-
SHA1
86590ec8ed73fd2951587561dff5387e9e0e18e6
-
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
-
SHA512
8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227
-
SSDEEP
384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
New Text Document mod.exe
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
New Text Document mod.exe
Resource
win11-20241007-en
Malware Config
Extracted
xworm
5.0
104.219.239.11:6969
68.178.207.33:7000
7UYGUkFPl0vXivrC
-
Install_directory
%AppData%
-
install_file
OneDrive.exe
Extracted
phorphiex
http://185.215.113.84
Extracted
redline
38.180.109.140:20007
Extracted
asyncrat
Shadow X RAT & HVNC 1.0.0
reWASD
sayo0w.duckdns.org:7173
2318923179jj27139792813j721983j7213987j98213j97823j789213j978213j978j12391239j913278321
-
delay
1
-
install
true
-
install_file
svchost.exe
-
install_folder
C:\WIndows
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
85.198.108.36:7667
3.70.228.168:555
127.0.0.1:4449
135.181.185.254:4449
212.15.49.155:4449
egghlcckqridunl
-
delay
6
-
install
false
-
install_folder
%Temp%
Extracted
redline
Diamotrix
176.111.174.140:1912
Extracted
lumma
https://scriptyprefej.store
https://navygenerayk.store
https://founpiuer.store
https://necklacedmny.store
https://thumbystriw.store
https://fadehairucw.store
https://crisiwarny.store
https://presticitpo.store
https://preside-comforter.sbs
https://savvy-steereo.sbs
https://copper-replace.sbs
https://record-envyp.sbs
https://slam-whipp.sbs
https://wrench-creter.sbs
https://looky-marked.sbs
https://plastic-mitten.sbs
https://hallowed-noisy.sbs
https://p3ar11fter.sbs
https://3xp3cts1aim.sbs
https://owner-vacat10n.sbs
https://peepburry828.sbs
https://p10tgrace.sbs
https://befall-sm0ker.sbs
https://librari-night.sbs
https://processhol.sbs
https://cook-rain.sbs
Extracted
quasar
1.4.1
SGVP
192.168.1.9:4782
150.129.206.176:4782
Ai-Sgvp-33452.portmap.host:33452
a35ec7b7-5a95-4207-8f25-7af0a7847fa5
-
encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
-
install_name
User Application Data.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windowns Client Startup
-
subdirectory
Quasar
Extracted
quasar
1.4.1
Office04
14.243.221.170:2654
a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd
-
encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
SubDir
Extracted
quasar
1.4.1
ZJEB
VIPEEK1990-25013.portmap.host:25013
ad21b115-2c1b-40cb-adba-a50736b76c21
-
encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security Service
-
subdirectory
SubDir
Extracted
asyncrat
Default
technical-southwest.gl.at.ply.gg:58694
forums-appliances.gl.at.ply.gg:1962
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
mercurialgrabber
https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0
Extracted
asyncrat
0.5.8
Default
66.66.146.74:9511
nwJFeGdDXcL2
-
delay
3
-
install
true
-
install_file
System32.exe
-
install_folder
%AppData%
Extracted
https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe
Extracted
http://176.113.115.178/FF/2.png
Extracted
http://176.113.115.178/FF/3.png
Extracted
Protocol: ftp- Host:
195.239.74.9 - Port:
21 - Username:
ftp - Password:
walle
Extracted
Protocol: ftp- Host:
154.221.143.10 - Port:
21 - Username:
administrator - Password:
F00tb@11
Extracted
Protocol: ftp- Host:
162.255.165.13 - Port:
21 - Username:
ftp - Password:
Password1
Extracted
Protocol: ftp- Host:
104.223.44.14 - Port:
21 - Username:
user - Password:
root
Extracted
asyncrat
0.5.7B
Default
3.70.228.168:555
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
xworm
3.1
18.181.154.24:7000
w8DsMRIhXrOmk0Gn
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
Asyncrat family
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Detects ZharkBot payload
ZharkBot is a botnet written C++.
-
Lokibot family
-
Lumma family
-
Njrat family
-
Phorphiex family
-
Phorphiex payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
StormKitty payload
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm family
-
Zharkbot family
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
A potential corporate email address has been identified in the URL: abistal_640.gif@webp
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Asyncrat family
-
Detect Umbral payload
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Njrat family
-
Quasar family
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Umbral family
-
Xmrig family
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Looks for VirtualBox Guest Additions in registry
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Looks for VMWare Tools registry key
-
Modifies Windows Firewall
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exse
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Asyncrat family
-
Detect Umbral payload
-
Detect Xworm Payload
-
Lokibot family
-
Lumma family
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Njrat family
-
Quasar family
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Umbral family
-
Xmrig family
-
Xworm family
-
Async RAT payload
-
Contacts a large (2748) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Looks for VirtualBox Guest Additions in registry
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Looks for VMWare Tools registry key
-
Modifies Windows Firewall
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3JavaScript
1PowerShell
2Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
1Indicator Removal
2File Deletion
1Network Share Connection Removal
1Modify Authentication Process
1Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Network Service Discovery
2Network Share Discovery
1Peripheral Device Discovery
3Process Discovery
1Query Registry
12Remote System Discovery
2System Information Discovery
9System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1System Time Discovery
1Virtualization/Sandbox Evasion
4