General
-
Target
take3.exe
-
Size
14.3MB
-
Sample
241129-j89bpsvnes
-
MD5
8a44ee98217bc81f0869d793eefab1f0
-
SHA1
4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
-
SHA256
c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
-
SHA512
4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
-
SSDEEP
393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
Malware Config
Extracted
https://osecweb.ir/js/config_20.ps1
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
metasploit_stager
144.34.162.13:3333
Extracted
lumma
https://preside-comforter.sbs
https://savvy-steereo.sbs
https://copper-replace.sbs
https://record-envyp.sbs
https://slam-whipp.sbs
https://wrench-creter.sbs
https://looky-marked.sbs
https://plastic-mitten.sbs
https://tail-cease.cyou
Extracted
quasar
1.4.1
SGVP
192.168.1.9:4782
150.129.206.176:4782
Ai-Sgvp-33452.portmap.host:33452
a35ec7b7-5a95-4207-8f25-7af0a7847fa5
-
encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
-
install_name
User Application Data.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windowns Client Startup
-
subdirectory
Quasar
Extracted
redline
Diamotrix
176.111.174.140:1912
Extracted
quasar
1.4.1
Office04
14.243.221.170:2654
a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd
-
encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
SubDir
Extracted
gh0strat
1.15.110.72
Targets
-
-
Target
take3.exe
-
Size
14.3MB
-
MD5
8a44ee98217bc81f0869d793eefab1f0
-
SHA1
4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
-
SHA256
c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
-
SHA512
4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
-
SSDEEP
393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
Score10/10-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload
-
Ammyyadmin family
-
Detect Xworm Payload
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Executes dropped EXE
-
Loads dropped DLL
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Legitimate hosting services abused for malware hosting/C2
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Accessibility Features
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Accessibility Features
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Authentication Process
1