Resubmissions

12-12-2024 18:20

241212-wy4dxsvkcp 10

12-12-2024 18:03

241212-wnfvwatqgp 10

28-11-2024 00:38

241128-ay5fbstmfp 10

General

  • Target

    Downloaders.zip

  • Size

    12KB

  • Sample

    241128-ay5fbstmfp

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

redline

Botnet

Diamotrix

C2

176.111.174.140:1912

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes
  • delay

    1

  • install

    true

  • install_file

    atat.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes
  • delay

    3

  • install

    true

  • install_file

    System32.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      New Text Document mod.exe

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Detect Umbral payload

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Mercurialgrabber family

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Async RAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      New Text Document mod.exse

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Detect Umbral payload

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Mercurialgrabber family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Async RAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks