Overview

overview

10

Static

static

3

4363463463...63.exe

windows11-21h2-x64

10

New Text D...od.exe

windows11-21h2-x64

10

New Text D...od.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Downloaders.zip

  • Size

    12KB

  • Sample

    241128-ay5fbstmfp

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Score
10/10
asyncratmercurialgrabberredlineumbralxmrigdefaultdiamotrixcollectioncredential_accessdiscoveryevasionexecutioninfostealerminerpersistencepyinstallerratspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

Diamotrix

C2

176.111.174.140:1912

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes
  • delay

    1

  • install

    true

  • install_file

    atat.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes
  • delay

    3

  • install

    true

  • install_file

    System32.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    redlinediamotrixdiscoveryinfostealerpersistencepyinstaller

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      New Text Document mod.exe

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    Score
    10/10
    asyncratmercurialgrabberumbraldefaultcollectioncredential_accessdiscoveryevasionexecutionratspywarestealerupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Umbral payload

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Mercurialgrabber family

      mercurialgrabber

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • Async RAT payload

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

      evasion

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral2

    • Target

      New Text Document mod.exse

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    Score
    10/10
    asyncratmercurialgrabberumbralxmrigdefaultcollectioncredential_accessdiscoveryevasionexecutionminerratspywarestealerupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Umbral payload

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Mercurialgrabber family

      mercurialgrabber

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

      evasion

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Authentication Process

1
T1556

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

4
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Process Discovery

1
T1057

Query Registry

11
T1012

Remote System Discovery

1
T1018

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

4
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks