Resubmissions

04-12-2024 19:31

241204-x8wmhaxmcv 10

04-12-2024 11:47

241204-nybd5szkdq 10

04-12-2024 11:40

241204-nsybqazjek 10

04-12-2024 11:35

241204-np1bxatqgz 10

03-12-2024 19:23

241203-x381msvpgj 10

03-12-2024 16:27

241203-tyez8atjdv 10

General

  • Target

    241105-dtxrgatbpg_pw_infected.zip

  • Size

    132.7MB

  • Sample

    241204-np1bxatqgz

  • MD5

    136b5aad00be845ec166ae8f6343b335

  • SHA1

    e51860dfb734c9715b6c9b74d9c582abe03ca90c

  • SHA256

    38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

  • SHA512

    ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42

  • SSDEEP

    3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

Attributes
  • build_id

    19

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

Attributes
  • build_id

    103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

Attributes
  • build_id

    140

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

Attributes
  • build_id

    131

rc4.plain

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.91.237.42:8443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    47.91.237.42,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

  • watermark

    305419896

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes
  • reg_key

    c6c84eeabbf10b049aa4efdb90558a88

  • splitter

    |'|'|

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

C2

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes
  • reg_key

    6825da1e045502b22d4b02d4028214ab

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

revengerat

Botnet

Guest

C2

178.17.174.71:3310

Mutex

RV_MUTEX-HxdYuaWVCGnhp

Extracted

Family

emotet

Botnet

Epoch1

C2

12.163.208.58:80

45.33.35.74:8080

87.106.253.248:8080

192.241.146.84:8080

190.115.18.139:8080

65.36.62.20:80

170.81.48.2:80

83.169.21.32:7080

185.232.182.218:80

190.2.31.172:80

77.106.157.34:8080

82.230.1.24:80

202.4.58.197:80

201.213.177.139:80

78.249.119.122:80

123.51.47.18:80

77.90.136.129:8080

60.93.23.51:80

152.169.22.67:80

190.117.79.209:80

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch3

C2

71.57.180.213:80

185.86.148.68:443

168.235.82.183:8080

181.113.229.139:443

181.134.9.162:80

217.199.160.224:8080

105.209.235.113:8080

216.75.37.196:8080

97.104.107.190:80

203.153.216.182:7080

107.161.30.122:8080

41.106.96.12:80

202.5.47.71:80

201.235.10.215:80

105.213.67.88:80

115.79.195.246:80

179.5.118.12:80

212.112.113.235:80

139.59.12.63:8080

177.37.81.212:443

rsa_pubkey.plain

Extracted

Family

icedid

C2

knockaddress.xyz

Extracted

Family

trickbot

Version

100001

Botnet

tar2

C2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    castor123@
Mutex

245f77ec-c812-48df-870b-886d22992db6

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Extracted

Family

zloader

Botnet

05/05

C2

https://rswtgmhf.pw/wp-config.php

https://fwgdhdln.icu/wp-config.php

Attributes
  • build_id

    181

rc4.plain

Extracted

Family

zloader

Botnet

June08

Campaign

June

C2

http://snnmnkxdhflwgthqismb.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

Attributes
  • build_id

    149

rc4.plain
rsa_pubkey.plain

Extracted

Family

zloader

Botnet

nut

Campaign

12/11

C2

https://tfbuildingjoinery.co.uk/robots.php

https://globalpacificproperties.com.au/terms.php

https://www.loonybinforum.com/errors.php

https://luminousintent.com.au/wp-smarts.php

https://espazioabierto.com/wp-smarts.php

https://racriporrosepo.tk/wp-smarts.php

Attributes
  • build_id

    233

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

    • Size

      9.5MB

    • MD5

      edcc1a529ea8d2c51592d412d23c057e

    • SHA1

      1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

    • SHA256

      970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

    • SHA512

      c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

    • SSDEEP

      196608:xQc+2jD8ZyCMeiA24G4jLonzU04DjmLy8OVKLlVT7H39:2c+cD4DMvA24PLMzU0+mLyJVKfX9

    Score
    3/10
    • Target

    • Size

      372KB

    • MD5

      2c959a0f9af72398f115f839397c3396

    • SHA1

      80b078a6b74a17e6147321f3b3104bf91b4262f2

    • SHA256

      cc0c949be6493aa98619cd591e6b4a0488eef3227b53fbaeac4309fab9efd206

    • SHA512

      511bd3992e5345c7d2b0a728f2f8ce7d18ebbc46ee41afaa4a6e4dfa937c28ca799361d286196b327e01df81981bfbc88b15ca1ad0d49fdaad46436e5735170c

    • SSDEEP

      3072:/drfV7YqW8waq6ciakIC/BwdrZ4P8Y5gla79yQ1yAnYgoFC3Wxl2G7mr3HWJtRIn:FrV7YqW83q6ciH/B6QZn8nTI

    • Target

      SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869

    • Size

      486KB

    • MD5

      cde56cf0169830ee0059ee385c0c5eaf

    • SHA1

      08aacb48ffcdc6b49af18d01155982984de230f7

    • SHA256

      cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e

    • SHA512

      234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd

    • SSDEEP

      6144:o3uSkuqpikJJ0Zkt5GSd2OwuXz//71gJtpdY2/jF6qA6VSFzH0ZUH:vJuqIIoU5HdeuD//+3JcDqSFzz

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Target

      SecurityTaskManager_Setup.exe

    • Size

      2.9MB

    • MD5

      444439bc44c476297d7f631a152ce638

    • SHA1

      820fcb951d1ac8c2fda1a1ae790f52eb1f8edf2e

    • SHA256

      bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3

    • SHA512

      160f4b095d37a9f4c6279a4a19f072e170c5f819d0e8e588b2503711b9e2eaac9567b48a9e42bf15af50ba60e64ef97a64e003230369aec0b032cb2030fdca00

    • SSDEEP

      49152:4s+HgXcROcfipeyNcRmyQLCUOE+N+2JLKmltavtaKhGiD79l+90U:4s+9ROcapelxQLGEjscg6939l+V

    Score
    4/10
    • Target

      Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

    • Size

      10.5MB

    • MD5

      8103aad9a6f5ee1fb4f764fc5782822a

    • SHA1

      4fb4f963243d7cb65394e59de787aebe020b654c

    • SHA256

      4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

    • SHA512

      e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

    • SSDEEP

      196608:CQq8NSRYBrs7LgUGCdpV9KhK7ByrkisRdslNn9YOa5QfKJIJM0hI/oVytz:CQq8NkYBCPGCdpbyK7ByrkikdsGOynq2

    Score
    3/10
    • Target

      VyprVPN.exe

    • Size

      1.6MB

    • MD5

      f1d5f022e71b8bc9e3241fbb72e87be2

    • SHA1

      1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

    • SHA256

      08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

    • SHA512

      f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

    • SSDEEP

      24576:nTadGsNY1i8fWCsSpqq5M0bOk61uyG2CWm3U9X+Y0ttcN0sH2U9:nsGsm1qSp/MzRuI19X+Y0w39

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      WSHSetup[1].exe

    • Size

      898KB

    • MD5

      cb2b4cd74c7b57a12bd822a168e4e608

    • SHA1

      f2182062719f0537071545b77ca75f39c2922bf5

    • SHA256

      5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

    • SHA512

      7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

    • SSDEEP

      12288:vI3h+hoVEZnvy/hF4CMWZrU7S/iAfMIItotPP2rbPCrF7:vu+hIE9BYO7S/iAOtc4be

    Score
    3/10
    • Target

      Yard.dll

    • Size

      400KB

    • MD5

      3cf481ccbb1019894fcbacb554f3bda1

    • SHA1

      63c11153ab0afb36703723c5121cd0e9b48ac6e8

    • SHA256

      c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675

    • SHA512

      628e34581b3ebc7645639f2e6da19ce15afb794cc032e99d895841eecef0bd372da27895a9485bb18630864b921c1239fa6e4904d6bd6f54ca80a220a3fe66d0

    • SSDEEP

      6144:eUtz+achtLV3moKNkmxl2w3tgLCEpakLVF7Lsno1oVb67Yf2zBo3:Lz8ht5l0SuYLsAodqo2zBO

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    • Target

      b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe

    • Size

      209KB

    • MD5

      417457ac3e000697959127259c73ee46

    • SHA1

      e060125845cc1c4098f87632f453969ad9ec01ab

    • SHA256

      d74e9aa01bffcb4944742f93ad5b87d4c057f4faad008f04f7397634fe3f234d

    • SHA512

      7e2dac573db052dc03d89499d9e879bc530e94f3d1235898064aa87e99aee8fced1ac4aeeba342b77afd1480e0584a238ad7cd79cdef9c562bb89d65ba365b31

    • SSDEEP

      3072:tnwDl1lJiIPMUMEhTo6pWmuRdIDAP2Oh0oF14tO/m92B96W5ryx0d:y1DUUMETotmubnP2O314am92

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Target

      b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).exe

    • Size

      187KB

    • MD5

      561d814286baee1b2e815c06e39d6e4e

    • SHA1

      12defd78c0cd18d77a5ee085684e6e3c26ed42e9

    • SHA256

      f1987289f7a42f8ef652f6f6504991dbf0cd00a92653c544f67f1f25d4361ffc

    • SHA512

      01aa8a343625339321e55b5264a1f7f5c15309eccaaf78964e4e6a37c70416c35f64e874afbbaa5e8481c6687cee7fde3382404a24d920711707b8a5359e420b

    • SSDEEP

      3072:f4xfbcuY2y7gVX63XkuOTfg36TGqxJnEIQVZWZZpXgA4rtTcclLJruMUx+nU9Ei8:fEk2y7oX6EpfhJnEIUZWLpA5QclLJrT9

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Suspicious use of SetThreadContext

    • Target

      b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (4).exe

    • Size

      183KB

    • MD5

      6d2864f9d3349fc4292884e7baab4bcc

    • SHA1

      b4e7df23ccd50f4d136f66e62d56815eab09e720

    • SHA256

      2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba

    • SHA512

      dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0

    • SSDEEP

      3072:V+EdIHvacHR4IJ1/eIvfHJKsopu5Zu1yiJ1nE8dFZfdcn0TctjCQ9gXaj0jjh3DL:V+aKvac72IfHJmpu5g1yUpE8dFZls0o6

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Suspicious use of SetThreadContext

    • Target

      cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe

    • Size

      1.1MB

    • MD5

      82b5c0acec3a7946f002c9e555a7125f

    • SHA1

      f48992935c658b5685fedc7c8d5ee4b12c19ba6a

    • SHA256

      cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7

    • SHA512

      e802adf79040570783e77643b4b75853c61e583272aaafc85f7df29fc9b1b42d37753e172a6865082701fde423ce2aa3f19ab3e346126bf0ffb1fae3b360bbd0

    • SSDEEP

      24576:9S3tM1EQlFuyzJlvD6gJWa7npqKp6hpKNAaQC:4zQlFfJ96WWa7806OYC

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Revengerat family

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      cobaltstrike_shellcode.exe

    • Size

      219KB

    • MD5

      8e4d8b8796d2188324a0cfd6fdc8de92

    • SHA1

      9e7a053d34eb00e732e470bc28cc1fa4aa030b8f

    • SHA256

      1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1

    • SHA512

      db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3

    • SSDEEP

      6144:b5E/nRS7UwaWiVDSYOY0iZ4i1GrTxI43ZB:b5lUpDSCFfApP

    • Target

      default.exe

    • Size

      211KB

    • MD5

      f42abb7569dbc2ff5faa7e078cb71476

    • SHA1

      04530a6165fc29ab536bab1be16f6b87c46288e6

    • SHA256

      516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

    • SHA512

      3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

    • SSDEEP

      6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Buran family

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Zeppelin family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (6069) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3

    • Size

      917KB

    • MD5

      d592e787314d1c327dbc2da117e1dc59

    • SHA1

      ba3a26eaa200d53129e304078309758bbb3c95f1

    • SHA256

      ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3

    • SHA512

      1e805105ab482c752bd24afa028daa3e7bd83f0258510a6fa2ea0c90eb44d1eec590c926982252dbf3a28bb070befbaea5e78c00d556bd9b380a3c79f1480cf7

    • SSDEEP

      24576:Hk5FAciH/EjiQXFPQ0NQaScQqYLQnasbbTq4cSJG:Hk5O/EjiuFP32CYL/wnqlUG

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Djvu family

    • Target

      efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

    • Size

      920KB

    • MD5

      4339e3b6d6cf2603cc780e8e032e82f6

    • SHA1

      195c244a037815ec13d469e3b28e62a0e10bed56

    • SHA256

      efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4

    • SHA512

      a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87

    • SSDEEP

      12288:obIkK9q/oPvPrNAuPfZpAvJvqWTe57Zb8Pyfdyr4G8HdsNhAwpC:obDcnrNtPfZpYvqWTeDQIdyrb8HqhNpC

    Score
    3/10
    • Target

      emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504._exe

    • Size

      505KB

    • MD5

      cbe9aa4dce4217491cf9bffae2c66537

    • SHA1

      2b7a15303157f8b9f1cce01e5e7a130628eb2c22

    • SHA256

      ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f

    • SHA512

      71e2736fafa1be308ef341a937a1c6d0dc5a311952bfb9bfbd492c2e16950508f1aea5e63a8e3614c9a35cdc6a684d3ff6e2dba38fe483af74508d3df41262a5

    • SSDEEP

      6144:DaRhOv5KaMqEZD+m6eewOmkGOYQ87wwzcCgZi3lzAOAWPcnLiG8Ztkq66ti9pdZx:wOKhDD6yUGOYQto3lzAOATStkfxeY

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Emotet family

    • Emotet payload

      Detects Emotet payload in memory.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe

    • Size

      448KB

    • MD5

      6becbc70725f55f6e6dbe66f383f82bf

    • SHA1

      7ea5f70e20171e23ccec3c18da638b78dcadfc5c

    • SHA256

      93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1

    • SHA512

      e3d8815ea584ec745bc103494e123ca489bdc8b8599745548acab449b9630a7e4a8d47c63db752aee63d18d1fec10f961f2f9c4cdc2324c26460c80421e09957

    • SSDEEP

      12288:ZfzaBuiszJbE9mO4sl9kHAOyQkNvOzxrq:ZbMmO4sl9gR2Ot2

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Emotet family

    • Emotet payload

      Detects Emotet payload in memory.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      eupdate.exe

    • Size

      87KB

    • MD5

      ccfaeed043685c189ef498c3c6f675e7

    • SHA1

      6973b66e83db7f6d9ba957a6f9cca60a4983f0e8

    • SHA256

      5d81fc6ab3e6c7bd353ee53297478fc10abfc7f851359f81a65dea74c70156ff

    • SHA512

      ab8f2d33ec8300d87423f53243f45b720e27d59ab7839d7dcb9d37572c1f4e34536221bfda25dee939218475f44915cac2cf4e9270881af15f53d916bd9dc204

    • SSDEEP

      1536:ZzfLlsKsEJQgrsOCvojaWr2mACx9lRMgzIY/M0t4T5y5cum:Z7wngrsOCvov2mACDP/IY00eVyc

    • Executes dropped EXE

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

    • Size

      332KB

    • MD5

      1e0ff1a8078820c5c10652e406d51bef

    • SHA1

      e191fdbe58b527301eb4bd244a2258ba1cad0182

    • SHA256

      f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f

    • SHA512

      eb1a011724b988362aa52bdcb69d2886b736dbbe72fe9e53fa3530eeec6bb4089519896a88af48df8e99c7010930fb84cd33599e57f8477e8748cf5259e428a0

    • SSDEEP

      6144:R+xWEy53Bhj8sW4y9wTeT10hFPascnojIXTvUv7ohqfp2:RSw53Bhj8sW4ya6T6hFPasco4cv7o7

    Score
    10/10
    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Bazarbackdoor family

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe

    • Size

      19KB

    • MD5

      6029c37a32d7e4951449e197d4850213

    • SHA1

      6ed7bb726b1e04d6858c084bc9bf475a13b77c95

    • SHA256

      fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c

    • SHA512

      bf3639710e259aa38d0cd028071408bdd41c01ee1bd0ea70a16ada78b848c63886854ed40407242e3a68fd9b5444fce2e6ddc050e0c8a2f578b00f43b6c52b6f

    • SSDEEP

      384:EB8JbJPKd1Bf3rNeD9k4NcKlb5sCSvyP5CtrCzYcHe+Z:EBCNPKd155ulNzxoUzYcHe+Z

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe

    • Size

      660KB

    • MD5

      b44c5540e020963aca89f3b9a96beb35

    • SHA1

      14a6e46be7863db3090d81a18d4e080ac005f437

    • SHA256

      fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350

    • SHA512

      63ffac732d6b6b469f6072efa0b4ad0ef224072418b18ed879fe914c3cb64b6714ca4948c5d1816218d611865a1f1747121e126a407acbcc038b4615f9b7fd31

    • SSDEEP

      12288:96zG7KjQ+oJLVaRwYdNKxRBUU8vg0whwRKCV50robF7z:9l7eoFsRjdN6BUUP01RKC8EbF/

    • Target

      file(1).exe

    • Size

      16KB

    • MD5

      9ca9044bbac6aa39072da89d05cb3dcf

    • SHA1

      7cb6ec980704bf7eb109918a1cb037deed4341fe

    • SHA256

      3ac39ece6e1953f03e88fdfb942bf9f0dcb8d1da643cbd9677032f2ac7861d03

    • SHA512

      5f6cfae5220c219455a180ee6a6fe094fe73475be6acdef24f33476a995097c355af0cf147fd6b986ca3bd84eee0b4928a6d08cabfab63f101259e05d037d9bd

    • SSDEEP

      384:9jmvn8X19vieB6gb9oDPlMNcLlb5sVKRye5Ct:9jmvni19TBDclMNEho

    Score
    1/10
    • Target

      file.exe

    • Size

      101KB

    • MD5

      88dbffbc0062b913cbddfde8249ef2f3

    • SHA1

      e2534efda3080e7e5f3419c24ea663fe9d35b4cc

    • SHA256

      275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06

    • SHA512

      036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4

    • SSDEEP

      1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

    Score
    7/10
    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      gjMEi6eG.exe

    • Size

      23KB

    • MD5

      9ab1a677fb73e7c5a41d151c4c21f69e

    • SHA1

      10219ed34a3f76ca7fe30eb27a1a78d83c9ada37

    • SHA256

      2027c43348230de4a40e7ec590d692f744f36cdb13eb65f599983158e920cdb9

    • SHA512

      0c9f2e1555c36a3742a2ec604faf9a89bfd856946024596912bc116ad7f4fd15ee67969704956d30d70e7b6cb3a626168c309add57469adb03d389df0596f3c5

    • SSDEEP

      384:nY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZtd:wL2s+tRyRpcnuQ

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      good.exe

    • Size

      143KB

    • MD5

      b034e2a7cd76b757b7c62ce514b378b4

    • SHA1

      27d15f36cb5e3338a19a7f6441ece58439f830f2

    • SHA256

      90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

    • SHA512

      1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

    • SSDEEP

      3072:VMb/kbqjO/3FxV8l8wiEXHPV9r99rWhzAxH7wpjv4z:VMxo3Z8BvV9rL6h2H7wJ4

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      hyundai steel-pipe- job 8010(1).exe

    • Size

      721KB

    • MD5

      0999a03694a1c97a43ac0de89cbf355e

    • SHA1

      0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d

    • SHA256

      8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b

    • SHA512

      6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9

    • SSDEEP

      12288:wdnX6tet6u5CB6m6FQgsPQCjyEtbK7DSQDnwjAR7EOP9uSlcC3ro:QXUim6m6FyPJzcQjNSuYro

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • Hawkeye_reborn family

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nd3v_logger family

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      hyundai steel-pipe- job 8010.exe

    • Size

      721KB

    • MD5

      0999a03694a1c97a43ac0de89cbf355e

    • SHA1

      0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d

    • SHA256

      8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b

    • SHA512

      6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9

    • SSDEEP

      12288:wdnX6tet6u5CB6m6FQgsPQCjyEtbK7DSQDnwjAR7EOP9uSlcC3ro:QXUim6m6FyPJzcQjNSuYro

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • Hawkeye_reborn family

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nd3v_logger family

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      infected dot net installer.exe

    • Size

      1.7MB

    • MD5

      6eb2b081d12ad12c2ce50da34438651d

    • SHA1

      2092c0733ec3a3c514568b6009ee53b9d2ad8dc4

    • SHA256

      1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104

    • SHA512

      881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b

    • SSDEEP

      49152:znsHyjtk2MYC5GDbQ2cRQh9GexmCxBxVV56CmWQax:znsmtk2aj2cROGom6mGvx

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      inps_979.xls

    • Size

      228KB

    • MD5

      56fc044937a072471fdd8d63b874e04a

    • SHA1

      738552f8db33ac0271aa860775815f3d1b291980

    • SHA256

      59afe59cdbebf60434bd78270826ca9689c3765264dfcace312b89c606c0a962

    • SHA512

      dbaf2e36ec17d474c829d847705de796bea153b784c8e894d4ff7bebb3bfcdf01447d97f217d9303e0eed5aa9b39046b75b2581331be28771582af2ea48c960b

    • SSDEEP

      3072:bfMhNhd8o7Vym+BoOvuuUVZV/AHyhb3/7428JMPvjLJKHpEYC5ZNWehxleT0t:bfMhL70DBoOmf1FbAJMWEYC5Z3leA

    Score
    1/10
    • Target

      jar.jar

    • Size

      81KB

    • MD5

      9e8b6710fdd55ad0675295c2c3960732

    • SHA1

      aed08772376bde9f848f335e77e2e3c3c230234d

    • SHA256

      f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad

    • SHA512

      26f94b0b9766e9c244297cbe4af78f1b09087fbe471f099b5a77f5ca76fd5c905ee4d36188af67dbd6dc2c7f8402c882d0d2503a288af277840a1025562eac96

    • SSDEEP

      1536:0GZABd/SAZR5RzfFMAjP/jg6X4bUdv/mIgQnXOunxgCfj:jZ0d//JfyAz/XIbCvOIgQemWCfj

    Score
    10/10
    • Target

      june9.dll

    • Size

      491KB

    • MD5

      f8a7273ef763776e5612ac1f47f6d405

    • SHA1

      c51f2a884c024e442c1ae0d9bf9511c96a1fa02c

    • SHA256

      c653365657fbf65429ad845d0a0d93106e972aca929739560ff4b4796bd2be08

    • SHA512

      5ea060662350237d38d2c6a3c1da5fd7aeec6c05e71cdbb2725fcac47ad8e5c9568adc937329397108ab0cecdf29e9a811ab7e183884dd3044d7c5a6089f88aa

    • SSDEEP

      12288:uDKxKMk8ChMNo+e8kGOK9ab4ozUWdBENcYcj6D9r6W3FaOi:uDjMk8IMNYnGOSSjgW41QEv1aO

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

main26.02.2020upxstealerxdsdddvictime25/03samaycryptonepacker09/0407/04305419896insert-coinytsystemhackedhackzloaderrevengeratcobaltstrikezeppelinnjratxredmodiloader
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

icedidbankerdiscoveryloadertrojan
Score
10/10

behavioral3

zloader05/05botnetdiscoverytrojan
Score
10/10

behavioral4

discovery
Score
4/10

behavioral5

discovery
Score
3/10

behavioral6

discoverypersistencespywarestealer
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

zloadernut12/11botnetdiscoverytrojan
Score
10/10

behavioral9

zloaderbotnetdiscoverytrojan
Score
10/10

behavioral10

zloader09/04botnetdiscoverytrojan
Score
10/10

behavioral11

zloader07/04botnetdiscoverytrojan
Score
10/10

behavioral12

revengeratguestdiscoverytrojan
Score
10/10

behavioral13

cobaltstrike305419896backdoordiscoverytrojan
Score
10/10

behavioral14

buranzeppelindefense_evasiondiscoveryexecutionimpactpersistenceransomware
Score
10/10

behavioral15

djvudiscoveryransomware
Score
10/10

behavioral16

execution
Score
3/10

behavioral17

emotetepoch1bankerdiscoverytrojan
Score
10/10

behavioral18

emotetepoch3bankerdiscoverytrojan
Score
10/10

behavioral19

discoverypersistenceupx
Score
7/10

behavioral20

bazarbackdoorbackdoor
Score
10/10

behavioral21

Score
6/10

behavioral22

trickbottar2bankerdiscoverytrojan
Score
10/10

behavioral23

Score
1/10

behavioral24

persistence
Score
7/10

behavioral25

njratdiscoveryevasionpersistenceprivilege_escalationtrojan
Score
10/10

behavioral26

discoveryupx
Score
5/10

behavioral27

hawkeye_rebornm00nd3v_loggercollectiondiscoveryinfostealerkeyloggerspywarestealertrojan
Score
10/10

behavioral28

hawkeye_rebornm00nd3v_loggercollectiondiscoveryinfostealerkeyloggerspywarestealertrojan
Score
10/10

behavioral29

xredbackdoordiscoverypersistence
Score
10/10

behavioral30

Score
1/10

behavioral31

qnodeservicetrojan
Score
10/10

behavioral32

zloaderjune08junebotnetdiscoverytrojan
Score
10/10