General

  • Target

    infected20241003.zip

  • Size

    21.1MB

  • Sample

    241202-tw7bpaxnel

  • MD5

    4f683ea6758686eb7d24ff3414212fdc

  • SHA1

    6c142b67527d954855519c22c1605bcee1557776

  • SHA256

    d07c95e8960c8d0a4de79e97afbbb836d73b8869dda97917bce1d0fa4ef88195

  • SHA512

    35561ab1d0bec21b2f2b5e6a071e0d9c89dfa9f6050e44b60dab06f2f1d10c6bff3421609ea3fcbcd79415593672aaf319896559653171bccab1f4d13abdb8b4

  • SSDEEP

    393216:RZfXx8TEAaz6PcwBb/1nQOjg4zfGv+sw7KOqxFTimGehtwq7BS44GPo:RZvx3AazEcwBb/dMaGrw7KOqPtL5o

Malware Config

Extracted

Family

lumma

C2

https://reinforcenh.shop/api

https://stogeneratmns.shop/api

https://fragnantbui.shop/api

https://drawzhotdog.shop/api

https://vozmeatillu.shop/api

https://offensivedzvju.shop/api

https://ghostreedmnu.shop/api

https://gutterydhowi.shop/api

https://thighfeingjywk.shop/api

Extracted

Family

darkcloud

Attributes

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://amelano.net/wp-includes/css/dist/2ew/

exe.dropper

http://911concept.com/images/i6ngX5/

exe.dropper

http://ayonschools.com/UBkoqn/

exe.dropper

http://beech.org/wayne/lldo/

exe.dropper

http://firelabo.com/wp-includes/mf6f4/

Extracted

Family

agenttesla

Credentials

Extracted

Family

stealc

Botnet

doma

C2

http://185.215.113.37

Attributes
  • url_path

    /e2b1563c6670f193.php
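
The URLs above are the network indicators this report extracted: the Lumma C2 domains (each with an /api gate), the Stealc panel at 185.215.113.37 with its gate path, and the five dropper download locations recovered from the deobfuscated PowerShell. The Python below is an added example, not part of the report and not code from any of the sample families; it folds those indicators into a small matcher and runs it over a few constructed proxy log lines. The log line format, the client addresses and the `stealc-host` label (traffic to the Stealc IP that does not use the listed gate path) are assumptions made for the example.

```python
"""Match web-proxy log lines against the network IOCs extracted in this report.

Added example. The indicator values are copied from the report's Malware Config
section; everything else (log format, client IPs, labels) is assumed.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Lumma C2 domains (the report shows an /api gate on each). Any path on these
# hosts is treated as a hit; Lumma rotates domains, so this is a snapshot.
LUMMA_C2_HOSTS = {
    "reinforcenh.shop", "stogeneratmns.shop", "fragnantbui.shop",
    "drawzhotdog.shop", "vozmeatillu.shop", "offensivedzvju.shop",
    "ghostreedmnu.shop", "gutterydhowi.shop", "thighfeingjywk.shop",
}

# Stealc C2 (botnet "doma") and its gate path.
STEALC_C2_HOST = "185.215.113.37"
STEALC_GATE_PATH = "/e2b1563c6670f193.php"

# PowerShell dropper download locations (exe.dropper). Matched as URL prefixes,
# because the payload filename under each directory is not part of the report.
DROPPER_URLS = (
    "http://amelano.net/wp-includes/css/dist/2ew/",
    "http://911concept.com/images/i6ngX5/",
    "http://ayonschools.com/UBkoqn/",
    "http://beech.org/wayne/lldo/",
    "http://firelabo.com/wp-includes/mf6f4/",
)


def classify_url(url: str) -> Optional[str]:
    """Return the IOC family a URL matches, or None.

    Hosts are compared case-insensitively (urlsplit lowercases .hostname).
    Traffic to the Stealc IP that does not use the listed gate path is
    reported as 'stealc-host' (assumed label) so it is not silently dropped.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    path = parts.path or "/"
    if host in LUMMA_C2_HOSTS:
        return "lumma"
    if host == STEALC_C2_HOST:
        return "stealc" if path == STEALC_GATE_PATH else "stealc-host"
    for base in DROPPER_URLS:
        b = urlsplit(base)
        if host == b.hostname and path.startswith(b.path):
            return "dropper"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan lines of the assumed form '<ts> <client> <method> <url> <status>'
    and return (client, family, url) for every IOC hit, in log order."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than crash
        client, url = fields[1], fields[3]
        family = classify_url(url)
        if family is not None:
            hits.append((client, family, url))
    return hits


# Constructed log lines for the example; not taken from the sandbox run.
SAMPLE_LOG = [
    "2024-12-02T10:00:01Z 10.0.0.15 POST https://reinforcenh.shop/api 200",
    "2024-12-02T10:00:02Z 10.0.0.15 GET https://www.example.com/ 200",
    "2024-12-02T10:00:05Z 10.0.0.22 GET http://AMELANO.NET/wp-includes/css/dist/2ew/ 200",
    "2024-12-02T10:00:09Z 10.0.0.22 POST http://185.215.113.37/e2b1563c6670f193.php 200",
    "2024-12-02T10:00:10Z 10.0.0.30 GET http://185.215.113.37/ 404",
    "garbage line",
]

if __name__ == "__main__":
    for client, family, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{family}\t{url}")
```

Matching on the host rather than the full URL is deliberate for the Lumma and dropper entries: the report only shows one path per host, and a hit on the host is already enough to act on. The Stealc panel is an IP address shared by nothing else of note in this report, so a request to it without the gate path is still surfaced, just under a separate label.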

Targets

    • Target

      0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe

    • Size

      3.6MB

    • MD5

      27d182a9df691a5f741a6eb59d8935d1

    • SHA1

      c9286c22657823271940407dcf5a5aae8411aa52

    • SHA256

      0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e

    • SHA512

      7aa8b59ccd34fa335324f2536ccc849515f7745be0a2a9d58a762f525aa8a512aff3eb7e0068d472c1ac791943649bf8b5322971b61f926391d62e7fca16f7a8

    • SSDEEP

      98304:PnvZSv4UrA2LCWu+DbnvrCHpzP9vePEjRs:PvcIWCW93ryzVWyRs

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      1618780b8570f9b44fdd73513c6aa8069eb8a9151a22d83b178c5be6eb125013.vbs

    • Size

      96KB

    • MD5

      456272f4cfecc56e5c7856bfba2bb77f

    • SHA1

      10b3f7f01cfc05b05910110c93eed15bc294444a

    • SHA256

      1618780b8570f9b44fdd73513c6aa8069eb8a9151a22d83b178c5be6eb125013

    • SHA512

      3aedfbf46d5247c16fda370514d4b847099e89e5cd3695ba947667a7efaf53da217203444a8089f998836770556a79bd2e8b7b4197178bbe5a228c0f3a0b627c

    • SSDEEP

      3072:7pAqCwlpbjrHFYWBxHEQdcpiE07Q/gsUo1wni3:KJw/bjZPbkPpL00/gsUEf

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Target

      31d2bac123d451caed79ced03b80592dacc3499f6c91a9e32630d3590d52a6c0.exe

    • Size

      7.9MB

    • MD5

      0396163369529cd5b010e3c35a2066c5

    • SHA1

      c3f58efd6dc957d0baf6eb71e0f6539e5eb3d596

    • SHA256

      31d2bac123d451caed79ced03b80592dacc3499f6c91a9e32630d3590d52a6c0

    • SHA512

      6805f80c0979432ff1e3adfed34fd8a30d8a79b839796dc94329b409892e4a5809df9728158dc782c78417badabbf20a058949814b37fc4f99a53c293d68e968

    • SSDEEP

      196608:dhd3YhVbbGfzH8dFXKH3ARHMjDB5braO5F5KMA7z0fCnIRBR:dnYTbuzH8dFaHfjVxronSCIPR

    • Detect Socks5Systemz Payload

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Socks5systemz family

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      3e0a6e80d4427d22bc807628032ba1e1fbf9b733a8b5db26f5c2cc2bae55bb1c.xls

    • Size

      632KB

    • MD5

      63feceb35d3c38a3399ae68e661dbbec

    • SHA1

      cede8c37520c00efc171bbb2ea1541978767e98a

    • SHA256

      3e0a6e80d4427d22bc807628032ba1e1fbf9b733a8b5db26f5c2cc2bae55bb1c

    • SHA512

      348efe241e6654b29817934cca610011eed78227918ccb971c88625b5063be3d2066fafe4f4737d1d9897fafcdc69325862351685e450e0fba5738b2bf662d2b

    • SSDEEP

      12288:+AXahv8uc9vf+fviz1AczG68/R5GH9Ic70CzH9/KSdvydUY:FXs1crhjGvTGHdIGHk0q

    Score
    3/10
    • Target

      5489a717a23f4b7e2f250429554bd8a3d744970e1bfabe2162c9eb2fa8c04df8.exe

    • Size

      982KB

    • MD5

      89768b71499c0eb974853e8e3f0cf5c4

    • SHA1

      be5b1ac72323e8e92643d3e0804d83b902ba486b

    • SHA256

      5489a717a23f4b7e2f250429554bd8a3d744970e1bfabe2162c9eb2fa8c04df8

    • SHA512

      badad67ac5109fe02d03f6685329ca30a057eb7b07706a1508854f86fd1339d578147e5beee0e084dc7eb6046288da26aefdbfea4e222eda005205307d962654

    • SSDEEP

      24576:gWTx232DgTe6ATI2Kw5JdnFjXX7juCCmOhsN:jAV3ATIts1VXPuBh

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      63f2e49bd14880bed0033cbf0878ee50f18555432d3ad1439b304e6a2dc00fc6.msi

    • Size

      2.9MB

    • MD5

      c4e4332cf78e92bef45cab4d8d9a29a8

    • SHA1

      e6f5aae7f231f9f108f0bbcc5c7240bee17a180e

    • SHA256

      63f2e49bd14880bed0033cbf0878ee50f18555432d3ad1439b304e6a2dc00fc6

    • SHA512

      7a486e162560c736533d23cf7863eda03f822aff0411fab40d70518026a5c7bb765990139f37bae416cfad05b700756521e165f07b951041e5fb806644a54c63

    • SSDEEP

      49152:4+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:4+lUlz9FKbsodq0YaH7ZPxMb8tT

    • AteraAgent

      AteraAgent is a remote monitoring and management tool.

    • Ateraagent family

    • Detects AteraAgent

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      719d53c1064f54fd79ea4a7844f079d2.exe

    • Size

      1.2MB

    • MD5

      719d53c1064f54fd79ea4a7844f079d2

    • SHA1

      08d3ecaa049dea3ea4eccbf10072180bc36b6fca

    • SHA256

      22fbefa1416f9ccc38791ac6198123e206f4e5b40590fe928f2a4148542c500c

    • SHA512

      23952acbb7a743fcd9ec37f62a18c6bc028f2e50f9168339ee6c4f8ab08ec7835f90b00ee259fc32c76288687defe52e6019187544e263570f6d18d8c9f4ce25

    • SSDEEP

      24576:wyIX57KMY8hlY4Zfoq9dXrqDFxvB1ynLY8bOVHyiBozZTnQ:T47Kv8RrqDFxTyLVOlFBL

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • Target

      8411add8ba814509886e7ce5baee8e338f5955037623c768747cbc1b7ecc1de8.exe

    • Size

      275KB

    • MD5

      a143d675ff5ffc87cb7bc6b120abdac5

    • SHA1

      5334fe952a26aca795456005003c19b037b22cc1

    • SHA256

      8411add8ba814509886e7ce5baee8e338f5955037623c768747cbc1b7ecc1de8

    • SHA512

      fdeb1d5050bd6064a2837220f8395a84ee60306ec28c55100fec26e9ff88442aac5a46234aa82905f01f9e1001994ededcc4e893150dda6223c68cdc33a08ce8

    • SSDEEP

      6144:azdTTWyV4TosDLx4fYYIpjgsYQxTSOH8u+DRoowXOJNYYp:kdTTWyV43DLCwJEQF+GowXOJSY

    Score
    1/10
    • Target

      88b07657500a548ed8476fa415896d2179c307d4751917ca892119c3fff120b0.exe

    • Size

      981KB

    • MD5

      11e3eec9035239203976f9847453ece4

    • SHA1

      6198ac8abbf805341fe982dbb76f676fddb280bb

    • SHA256

      88b07657500a548ed8476fa415896d2179c307d4751917ca892119c3fff120b0

    • SHA512

      0a3e247cd1168bb91a37b8dfe50a2f20f3ef0d81e4edfe3a209ed7badd9caacdc639e2d0285ddfcdb0a75eaf90d37b21c57c838264b3f3431f3a27c560d1ab14

    • SSDEEP

      24576:bnOxmRc2cFD8ej9XqzazPMi9J3/KEYTVOSET:Cxm22c7XXN9J3fR

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      9cb1756afd35b77acc762f550857e271.exe

    • Size

      322KB

    • MD5

      9cb1756afd35b77acc762f550857e271

    • SHA1

      589ac47882c0c0c9d6c52fc2bc32bc946cf7ae7b

    • SHA256

      cb6e1f5595b852c377a54fb2e62d6be2d270ffa1f4388c45f88e48ced3456888

    • SHA512

      0b54478ee7944362a9af3d3f11fdb204d3b649bac50ad5c7c02ee953176c07cae4648f04481b412dd52a0f40609ffaa7c5fbb9249e9698832b72615ac7012855

    • SSDEEP

      3072:MLfreEDq0IVljprQbsvfDHdODvf4+W0B1zQQBBCcFaRkilrG5oOx8pljfrMSsUP6:MLTXDq0IXaIDs7Nj52kcO23oUCjr

    Score
    3/10
    • Target

      REP_89419812646634117.doc

    • Size

      245KB

    • MD5

      1d6f0e7e30c1d9e3f64b0d36e602da50

    • SHA1

      895d6dd7f677e45e997b03cef761fc40e10b22ba

    • SHA256

      70b4dbed87a8be890a088d70057ce44413bf3a65df5c5c15d049de0b9c47ff8d

    • SHA512

      1d12056c0d91f07372c7575bec45a608ad21f2509331e4a5d8857ad578c6012557842835a21cbf78882f88df2a214faa7f7a10060cb37489e841b1244ca5e226

    • SSDEEP

      6144:H0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+Bzm8tigOE+wH:H0E3dxtR/iU9mvUPBS8tigOE+w

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Drops file in System32 directory

    • Target

      d472c895106cfebcb6eea8701416aed96b9770c256432ee7ee7a9b8a60a6d254.xls

    • Size

      939KB

    • MD5

      15d90d6aa9eb2c890494884bdaff2e91

    • SHA1

      d55134055fb68cab73e32d6ed70d936399484a3d

    • SHA256

      d472c895106cfebcb6eea8701416aed96b9770c256432ee7ee7a9b8a60a6d254

    • SHA512

      a4f10b41f37be48b3ddf83e6c0d133cd8ae8655c4a8fac3235be0dc961c5bf2e3e80d6b924b446ba44a07b7bbdbf99d87b308637332bbb050b4c51c25dab5c8e

    • SSDEEP

      12288:xmzHJEjwWYSqD3DERnLRmF8Dl3PTKuG44G24rBedMPQr6eyCQSEB9:gcwHSqbARM8B3ugedV7Q

    Score
    3/10
    • Target

      dcc72f90c1d3aac382ba8965c68109986771562f49d4112c5be1a0e9b645f621.exe

    • Size

      1.1MB

    • MD5

      4459a7eb4a040e16e462aed9face5033

    • SHA1

      a6c388afbcfd0a2ae2810205be37c354b15feb86

    • SHA256

      dcc72f90c1d3aac382ba8965c68109986771562f49d4112c5be1a0e9b645f621

    • SHA512

      225ffbea03ace2d7a0943864c84ab41600266741b104f0e3a304b96f13a99476a75111f07e0ac906165a2d24fac3ceba60dadfac5a2ecaf8f73c4182a7c586f8

    • SSDEEP

      24576:WfmMv6Ckr7Mny5QbMp1LpiEYKRh/+EeNwEh:W3v+7/5QbMp1LpiEn1+EIwEh

    • Target

      file.exe

    • Size

      1.8MB

    • MD5

      330afdcf0d6386bb023d396057ab76d3

    • SHA1

      930faeddd85c989f64325e68653bbe148b0c4b0d

    • SHA256

      0b233651726125dd45f1d1dbfe1b68359c3e7f7f5e05fe4c4fff196dd9818827

    • SHA512

      6d479807a6b92ccca7b5425f5cf7dc340778017999ba18f2c47e2738ad6188063aed7e08756b23abe17c4b393478f01e3839ad8e0f5ad23203fc6814c2d79d73

    • SSDEEP

      49152:fDBfY5H/L2BqxwCgMEGBvATCjT0edgWg6:fRIXgMElejweO6

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

macro, ateraagent
Score
10/10

behavioral1

discovery, persistence
Score
7/10

behavioral2

discovery, execution
Score
8/10

behavioral3

discovery, execution
Score
8/10

behavioral4

socks5systemz, botnet, discovery
Score
10/10

behavioral5

socks5systemz, botnet, discovery
Score
10/10

behavioral6

discovery
Score
3/10

behavioral7

Score
1/10

behavioral8

darkcloud, discovery, execution, stealer
Score
10/10

behavioral9

darkcloud, discovery, execution, stealer
Score
10/10

behavioral10

ateraagent, discovery, persistence, privilege_escalation, rat
Score
10/10

behavioral11

ateraagent, discovery, persistence, privilege_escalation, rat
Score
10/10

behavioral12

lumma, discovery, stealer
Score
10/10

behavioral13

lumma, discovery, stealer
Score
10/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

darkcloud, discovery, execution, stealer
Score
10/10

behavioral17

darkcloud, discovery, execution, stealer
Score
10/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery, execution
Score
10/10

behavioral21

execution
Score
10/10

behavioral22

discovery
Score
3/10

behavioral23

Score
1/10

behavioral24

agenttesla, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

stealc, doma, evasion, stealer
Score
10/10

behavioral27

stealc, doma, discovery, evasion, stealer
Score
10/10