Overview

overview

10

Static

static

3

niggers.exe

windows7-x64

7

niggers.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    241204-p9yjgs1nbp_pw_infected.zip

  • Size

    14.1MB

  • Sample

    241204-r2y66atnam

  • MD5

    ffddb4d8714809e17e1e1b19cb085b8c

  • SHA1

    e7b635844b198af1e84fe00aad8c322eeafea51a

  • SHA256

    74d74bfdd9852c7967a852d632c16dc347b358fead85c04b04a809d9a35fb2c9

  • SHA512

    26cece41f6bb1903398813116c0fc27a25c205ee0ae6ae930fe7fe263f60cb86a0cfc76c40cef5851671e7c11191a8e45b27b1ef55222b6575abe7bf2cfe309e

  • SSDEEP

    393216:kBkHW+0ozLt+tYFj37O1/CKw+JFu/HObglFPh8OW:k+HN7LtFp37O1/yC7gbPU

Score
10/10
ammyyadminasyncratflawedammyylummametasploitmodiloaderneshtanjratphemedronequasarta505umbralxmrigxwormdefaultmohiboffice04sgvpbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalationpyinstallerratspywarestealerthemidatrojanupxvmprotect

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://176.111.174.138/usersync/tradedesk/_rp

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language
ps1
Source
URLs
exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Family

njrat

Version

0.7d

Botnet

mohib

C2

mohibkal.publicvm.com:1978

Mutex

c14a42d030a82215ba6bc24288fc11a4

Attributes
  • reg_key

    c14a42d030a82215ba6bc24288fc11a4

  • splitter

    |'|'|

Extracted

Family

xworm

Version

5.0

C2

week-dictionary.gl.at.ply.gg:12466

Mutex

WIHzy7HOqD8TiFlq

Attributes
  • Install_directory

    %AppData%

  • install_file

    PowerShell.exe

aes.plain

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808
Mutex

MSF

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

lumma

C2

https://preside-comforter.sbs

https://savvy-steereo.sbs

https://copper-replace.sbs

https://record-envyp.sbs

https://slam-whipp.sbs

https://wrench-creter.sbs

https://looky-marked.sbs

https://plastic-mitten.sbs

https://hallowed-noisy.sbs

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452
Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes
  • encryption_key

    09BBDA8FF0524296F02F8F81158F33C0AA74D487

  • install_name

    User Application Data.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windowns Client Startup

  • subdirectory

    Quasar

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

14.243.221.170:2654

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes
  • encryption_key

    8B9AD736E943A06EAF1321AD479071E83805704C

  • install_name

    Runtime Broker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Runtime Broker

  • subdirectory

    SubDir

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

C2

144.34.162.13:3333

Targets

    • Target

      niggers.exe

    • Size

      14.3MB

    • MD5

      8a44ee98217bc81f0869d793eefab1f0

    • SHA1

      4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200

    • SHA256

      c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

    • SHA512

      4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02

    • SSDEEP

      393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

    Score
    10/10
    ammyyadminasyncratflawedammyylummametasploitmodiloaderneshtanjratphemedronequasarta505umbralxmrigxwormdefaultmohiboffice04sgvpbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalationpyinstallerratspywarestealerthemidatrojanupxvmprotect

    • Ammyy Admin

      Remote admin tool with various capabilities.

      ratammyyadmin

    • AmmyyAdmin payload

    • Ammyyadmin family

      ammyyadmin

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Neshta payload

    • Detect Umbral payload

    • Detect Xworm Payload

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

      trojanflawedammyy

    • Flawedammyy family

      flawedammyy

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Metasploit family

      metasploit

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modiloader family

      modiloader

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Neshta family

      neshta

    • Njrat family

      njrat

    • Phemedrone

      An information and wallet stealer written in C#.

      stealerphemedrone

    • Phemedrone family

      phemedrone

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • TA505

      Cybercrime group active since 2015, responsible for families like Dridex and Locky.

      ta505

    • Ta505 family

      ta505

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • XMRig Miner payload

      miner

    • Xmrig family

      xmrig

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • ModiLoader Second Stage

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

      defense_evasion

    • Modifies Windows Firewall

      evasion

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Accessibility Features

1
T1546.008

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Accessibility Features

1
T1546.008

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

1
T1070

Network Share Connection Removal

1
T1070.005

Modify Authentication Process

1
T1556

Modify Registry

1
T1112

Credential Access

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Discovery

Network Service Discovery

1
T1046

Network Share Discovery

1
T1135

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks