General
-
Target
virusbomb.zip
-
Size
3.0MB
-
Sample
241204-tvw5bs1kgv
-
MD5
52917c0a946305fc5559792a8bebf8bd
-
SHA1
374d7c957fe6633c597e74e086ced767db328f36
-
SHA256
56f01de80d010ece0209f6b266462b28305a4373b7d5fcafa0268d2f7e3921be
-
SHA512
ed7f6c6efb52739fb25bdb34140a461b7ef6c80905055b9bb6527c63918982c1b31d1193c293d0c9f2428be1b2ad15fbc823f4d6ae5e3ad05aa2c92535d8218d
-
SSDEEP
49152:/+PoMNvrqvm2lpQBHZyZTrw1YK7wyI1UcpRxSRIM2jePjiki3EAGPfj/KM2qTHT0:2g02rpuHZyZwR0yI1UuRxrNkNexkjiCE
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendMessage?chat_id=5569740835
Extracted
quasar
1.4.1
Office04
riprealworld.ddns.net:4782
6a893031-8f7c-4e00-9e79-83e39719887d
-
encryption_key
3388F603979BF351F677D18F04E7A89AEBEE7BE8
-
install_name
Windows.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows
-
subdirectory
SubDir
Extracted
gurcu
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendMessage?chat_id=5569740835
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdate
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=1
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=87029332
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=87029333
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=87029334
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendDocument?chat_id=556974083
Targets
-
Target
virusbomb.zip
-
-
Gurcu family
-
Quasar family
-
Quasar payload
-
Toxiceye family
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 1
Credentials In Files: 1
Discovery
Peripheral Device Discovery: 2
Process Discovery: 1
Query Registry: 4
Remote System Discovery: 1
System Information Discovery: 4
System Location Discovery: 1
System Language Discovery: 1
System Network Configuration Discovery: 1
Internet Connection Discovery: 1