General
-
Target
MALZ6.zip
-
Size
17.8MB
-
Sample
241208-bkq68azkep
-
MD5
5ad5a10e0ae8eeb1bb6817c9d0cd960e
-
SHA1
ecb3ffcf79aedfa3c35c2dab0b4f5ca0f872b62c
-
SHA256
c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099
-
SHA512
05b6ee99e6843d928255daded5a699231c25275b726f68be2b67c6bfc59305bc2b2ad5ae6ab11e70ce975a3ad10e7acbb520601728d9e4b255b7891263828cdd
-
SSDEEP
393216:P7tKCblX9nuQNeyIvnpDDsIT0vyirPw9yesWcnE1zoQrq8:c6hVeyQpvsIgvyirPiKWcnkUr8
Malware Config
Targets
-
-
Target
客户端(Client)_KEY.exe
-
Size
1.2MB
-
MD5
b0aacc897731ccf1adee875390c6cfcf
-
SHA1
494182a125ce93921252c79f155d4c10db049899
-
SHA256
e182e12f86fcc70e57c6ed760c5789e6c1a08dac5b4bfb005509c1a7038e9990
-
SHA512
b3f8f4793d9b00f1015ea0f9a77a0cf6672fc700036781adf5d5e4c559573f191d4ef982e57e964f7ad107664995d6f5cab6bd20d81f9f6f592602468fab2eab
-
SSDEEP
24576:4zOhmv9L5ldZz5NLDvHvK2OZkh0y634ek4cKWd6JqjzD8E:wZHzz6y63Jk4bg0VE
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
06432
-
Size
384KB
-
MD5
9a51d462452001e1f04dd68cf4336c54
-
SHA1
594d570708fa03d0ab37a0306b38c134be90becc
-
SHA256
7b06be1d204ee0b5ebc0d4cb287133b796bb28b18414ce3b1e8d31691db8b172
-
SHA512
e89c9abca2fce011ecade9763fdf738af4b642d5bad22af9a78b25e6a229409b1cb823e446569f7d647ccdd88f6d55094bcf7f4c591951d01f72b7b6d8e4deb6
-
SSDEEP
6144:AH0cwGaZNuEtdb3usKYgoJ4o+dp5ky7aIq1/axpR9yMl0gXQYjTwk73o:AHZwBTdbFKVy+dp5kZIlL08QgwGo
Score7/10-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE
-
Modifies init.d
Adds/modifies system service, likely for persistence.
-
Reads system routing table
Gets active network interfaces from /proc virtual filesystem.
-
Write file to user bin folder
-
Writes file to system bin folder
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
1.exe
-
Size
2KB
-
MD5
26162a10ad7f77d367b92ab22f8e6fd4
-
SHA1
c497c4ad6be12606c909646598b92cb9f8c7f15f
-
SHA256
9ebf4c7da32ee2a39ed57364ad5d79697dcdc7cb24d41f4bb7cc01db55f646ca
-
SHA512
c71e04b2bad4282f70b24734284f7bc2d4bd4f31484623741413c1f5706972c02088ed4470d292df4d1668f8dd7e7526e7bd937ae076d1b2eed7e0ba5de5e7f3
Score3/10 -
-
-
Target
518_2.exe
-
Size
68KB
-
MD5
4ad86e5001f11f30b6f67344c325609f
-
SHA1
4bcd6382f5d095f271f81f235d0285305a48ab02
-
SHA256
aec671efacaa95db6e4487bc2914038f80939be5889d4b313aa137ac1ca91549
-
SHA512
bbf47ebacc510575081296d8160ae8e62e9619f56192c80f9d52a38f607cfa19027cfb04e507fc263b44f77135f32454ea1da0af4cd8046ccd6dcdca2ffef434
-
SSDEEP
768:EkHn8ozagGwcfAXZq6Imvy0D6SbUtOpgAq0:E8n7Gw5p1IqrAtOp3f
Score4/10 -
-
-
Target
520.exe
-
Size
29KB
-
MD5
4757d1138e38d916bad87bfa92cf90c9
-
SHA1
06d7fd312e50eb34512c5e9ac7eea29f76c8e667
-
SHA256
0f254db8f98e6626c487e0bb534b27f33fce6c280ce77303ad356f8c1ce01e11
-
SHA512
002382b2b860657b17b15b194b160d4e6dc880ef068ac9a5733617a960e7da8afe9d33e5efe520ab0361ae2b014e049cfab1006e96ac65759c29aeec66548e86
-
SSDEEP
384:wVQPhCc4EMap5JN1VY8ianYPLI46OXBc1yoMOmFi6j:kQ50EMaX9V3ianaXBc1f3mb
Score4/10 -
-
-
Target
10711.exe
-
Size
677KB
-
MD5
3ec6e71ee9670117bb68bce1172913cb
-
SHA1
f1891cce37b395e10314b369130cad628c9f87a6
-
SHA256
b388b34512371975ed665d676875ed1499ffbf7be9f74407e2c6f796efd4d8ef
-
SHA512
d167f125f64206f73f95cf42049b34a32e07fbbdd93c9b29956222f752d922f4f2d3da3b1bd7183728178b19cb35ac65f63489eda973ce13af542bc7fb7ecf19
-
SSDEEP
12288:49o2HYYuxp9Mc8QTmWWcGLh3OJMxFdYlBaCuYO4fN77OihGewG:jYuSWU+JMxKaC7f1i6zw
Score3/10 -
-
-
Target
711.exe
-
Size
560KB
-
MD5
f219bf2848d3e5f636405c3c77438e79
-
SHA1
39514f84960978978b7e2295c2af5a2ad5574878
-
SHA256
c724a936a8f9482f7182e1511038482a67237ffebe66502d2e96ff42c4da55aa
-
SHA512
8eb975b4ae072b5559c3d1081d7ae8068b64b9ba50047f015cba9022e2bc2627465d0534fc14988649e81bd1df5fc7cd4d6c20192e7b16b5765e4bd0dbcc4083
-
SSDEEP
12288:v1lAhHtn1bvzSP6iTn1UserksHkU5KrVclb6ajydnl:v1ShHLvmP6+19egRG10nl
Score7/10-
Executes dropped EXE
-
-
-
Target
TSmm
-
Size
1.5MB
-
MD5
c2e14a973f432b9488fdb0535c019797
-
SHA1
322fa15337433e93e6138bf72c3d47d4b95f1366
-
SHA256
df0506cdecf09a8879920a133ef2f9d215bb858a0f8c9131838607036a5479e9
-
SHA512
bb4cbcc02c9c16d64523f17c1e2cb61c9aac7817722758e57ee0cbfc5d28e975464b08a2ff12ae10015c050fc29f1323aea853a7e1a87483f3dd295074f89c24
-
SSDEEP
24576:hNJp/2SkgT4KUAopmhDO2Aan9XgnU6tZAf4Nzbm6g+qF2SdYOrhGg+bL+cH8y6LL:hNvOx/Vp/2bn9XgnNtmf28rhLbccIwhL
Score7/10-
Loads a kernel module
Loads a Linux kernel module, potentially to achieve persistence
-
-
-
Target
Drkv
-
Size
1.2MB
-
MD5
3df5c5e26e2d9fd4946c8121299cd513
-
SHA1
efaa2e397773a5eda58a68ddce1d9e17a90fdbd3
-
SHA256
a17ca067bd6f74817a0516e6083c0739fc9b9e36aafd95b74fddc84343972cda
-
SHA512
9574af57a2984065c6c348f7242533211051c5e9e03c74d6926023c64f61805b4d28698a3c77c3c33ffe33b84f0224f308889a5071bfeca3557fd58043dcca78
-
SSDEEP
24576:e845rGHu6gVJKG75oFpA0VWeX4q2y1q2rJp0:745vRVJKGtSA0VWeoJu9p0
Score10/10-
MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
-
MrBlack trojan
-
Mrblack family
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE
-
Modifies init.d
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder
-
Writes file to system bin folder
-
-
-
Target
FCK_RSC.dump
-
Size
8KB
-
MD5
aabeb05e642b2f9acb86a5dc1a600813
-
SHA1
abba695b782c0e644b971b65d4dc7b8349714488
-
SHA256
8b1d4870fdc940da538f225251996794f2f10ab7fff718d1aa884be8468dcfce
-
SHA512
730fd04e4624f4db8c7c92e786148139d457c5bdc28badb3b1cbb70b61fd7b20655c2feab90c5c91b0d30f42a2d7bccb2ce0120752e223e6df2139c371b4be8a
-
SSDEEP
96:b/TFVUFXleWwunodJsFDgt1CEiRgWY3ZbBNVyJ6/xMWwWHB6KJAso9Rdtoewc:fUFXlemctwgRPNVyJ6/eWwWhlDoHgzc
Score3/10 -
-
-
Target
FUCK360.exe
-
Size
250KB
-
MD5
7ab51c2e2fdac53f3360bb5c8b73734e
-
SHA1
076d233ef06971a64f9b009c03627a491444a422
-
SHA256
8a7ad72fd6d3936ea3ad0ecadc063b382c6f0f8ff65b4839df1f3169f0135216
-
SHA512
35a6247f16a0295140782d0ea73754a37aafa09ba62d1f2be0a822d7f1b548921bad94b563ff16f1c817060544560f3c66856f0a85862cdbdfd85e29462abfee
-
SSDEEP
6144:XaLSyXt5iZ6hyebe81XrTE4/Cw5E2XppJZxA:qLtyGe81XU4rttQ
Score10/10-
Modifies firewall policy service
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
GetPass.exe
-
Size
52KB
-
MD5
d25ab00267a9da1944bad9e1115ad428
-
SHA1
9470006b8763054e14d0e4708a3708e490cacfe9
-
SHA256
07fc745c29db1e2db61089d8d46299078794d7127120d04c07e0a1ea6933a6df
-
SHA512
a5906883361a4ce9ee6e3556808f886ee05e84063bbc7e394a33463767e8670eba5cb9f76abef894fcd8607eb3d197ef69e321996246c1f93d463748aaacb206
-
SSDEEP
768:Feizs4ulZdVEUHw+0QcKbUyQV8gmDzQn3pVok:w3vpHwPQngyOWDCVok
Score3/10 -
-
-
Target
HkMh.exe
-
Size
332KB
-
MD5
1cd12a8269d6ed7af46c6d82dbf0db28
-
SHA1
cf47e4ce299999ce9b584e29f29cd3942d8abf27
-
SHA256
83e96c76e59b2d12849e2f92306c76bb90687194326b79546ac9ed2a1d8b6162
-
SHA512
20106eba738c1e0ef1f544879b4036b81cf19aba8c6d581aa6c546af68c819bd7f283138ba9fed55f82feacfcb4c4dd4ba1e0b5af8bf8de481444292109a9baa
-
SSDEEP
6144:xBcBaz+oA9IxnN8veMdpRTAZbl/NMe5F+/fAsluDXKVBopxC1rUniJ734maajc3A:sBaz+oA9IxnN8WmAZbRNZOAy3BUHniJX
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Modifies firewall policy service
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Loads dropped DLL
-
-
-
Target
HkMh_2.exe
-
Size
226KB
-
MD5
6d5aeb2b084f4fcc5defcd584953acf1
-
SHA1
56513de25668afef7ee860fec5934d7820a9f1f2
-
SHA256
1e3c843183830bb4c4f6078e866780b19f6967fa200d809998657f184934998d
-
SHA512
44f75c3f346d8de8911673ea75ebbdcd54a574b907cb5437ba3f457f487877b33f4e93372179b59e66ccf34383f273298c28ff4e0b6a1fa6cd4e030c84e308bb
-
SSDEEP
6144:bCahtHLoObzXYsWWYbEqaMyveyjV+nByskr:bNYdbgeyjwyr
Score10/10-
Modifies firewall policy service
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
HkMh_3.exe
-
Size
176KB
-
MD5
0cae2144249cca11917ce26657fc0281
-
SHA1
e7ffc36c62c26e987c6954e4739a306a95d119e1
-
SHA256
5fa749158a4dd5dd030bb97a5ca74a542ae4661b2a76ec69b29d41c3a32e8767
-
SHA512
50c5ea18407b74fc5d741d602c87a28c0bfebb348a8ff1710026951937b1e9077a353ee0b9bf2eb648b83a60e34a5e934d8b95c1b7e1202933aea875e6975027
-
SSDEEP
3072:MBFDC2a8kkalMLmNTMeN1vT72dPxIhf+5HS5LTbl2NBX9ZdebJR3u:M/inHlN1vTyTIBEHkTbl2zn0bJR
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Modifies firewall policy service
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
Killbash.x
-
Size
338KB
-
MD5
7622b6a703b61b767a8f15fe24801ff8
-
SHA1
d987be4df6349f1ed7934b4e0154ce743bce863d
-
SHA256
95fb9e93efec22c8426f3d557a0c353ff63aa323f42180ecacdf9cd7cfe4c5aa
-
SHA512
e950f0eb8b971980342f889b36b2794b883925879e6a8105c1179e9b99492006f324f0aeedc62f77ed7ca8a0cf13c99eb7b6a2e38f4e6bd41e511ac38143fa00
-
SSDEEP
6144:wFE15RyBAwujPOjS7624nLqFLof5cAw+l0qbRQ2Aj4qewO3TjC45:jllGSWlnLIoRcAw+lFbSsve45
Score3/10 -
-
-
Target
服务器(Server)/服务器(Server).exe
-
Size
1.4MB
-
MD5
00bfefeeeac3ce8ca86f04b712ff5f05
-
SHA1
22873ef23a8b57d49837f251eefdd2e7bea2c8ef
-
SHA256
cc0ca86e194d2849c2b6c273c46a6a5d2b4846a72de50033e8638724cae07786
-
SHA512
43021d34391a590278c52ea2cd7dba02aeb65455ca83eec8928c9f3b4350a0a6ef7c683dcad44221f27cb54bf0372440f8aae4bad03e1f3f88cdcb3d71fcb59b
-
SSDEEP
24576:rmYno3lV5tqWXfqxysa8nTHtJXc3iLrrNTz1Cogt5CBt+CAIHQT4r0:5no3xtqWvyysaovZTxPtjAIwT4r0
Score6/10-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
ShellCodeDec.bat
-
Size
74KB
-
MD5
381744f92d0d5fc08efad4272d334474
-
SHA1
f4152e1d4498023c6377092b79a6746f19cf7c60
-
SHA256
3c5b9126bc245f99f4d89ff7871af4f333f92405ed40e197aa8314b2644c1e6c
-
SHA512
ff5d6a7f9a86a32cfb36647b501ee0391014f2a8f648eb75fab702581454f2d7668f9f592903765ee17d0897202f5114538ab16b237059f1c9608bddfb955b08
-
SSDEEP
1536:sg01tN3rHoLzvODn5qchGGxfP361DssRfAQ:q1ILDcn5qaGGhP3614sRfAQ
Score1/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Windows Service
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
3System Checks
1Discovery
Browser Information Discovery
1Query Registry
5System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
2Virtualization/Sandbox Evasion
3System Checks
1