Overview

overview

10

Static

static

10

virussign....ee.zip

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    virussign.com_20241209_LimitedFree.zip

  • Size

    12.6MB

  • Sample

    241210-nx1yeazlbk

  • MD5

    6b3d9c02066b33e120cc70909c5806d7

  • SHA1

    0af21bb623041bbe95792d11fe64cc4001757409

  • SHA256

    8455503a13bf1290304f2cc41b0f3bfbfa88ca7d5276d34c9e42514c270117a6

  • SHA512

    84863e117e43246485c51db1dba46f8c014fc9a48bd57861654f0454c80dfa5adf688fdd41f328583d43fad5ef0fba2ac836ade4375a38177b039d7ec81695b6

  • SSDEEP

    393216:n9FMWw1QRAZ8PyF8vhNRzVa/8EfDX9SnziNjcP:tw1KBPyWvLRo/8JWla

Score
10/10
berbewphorphiexxmrigbackdoordefense_evasiondiscoveryexecutionlinkloaderminerpdfpersistencespywarestealertrojanupxworm

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Targets

    • Target

      virussign.com_20241209_LimitedFree.zip

    • Size

      12.6MB

    • MD5

      6b3d9c02066b33e120cc70909c5806d7

    • SHA1

      0af21bb623041bbe95792d11fe64cc4001757409

    • SHA256

      8455503a13bf1290304f2cc41b0f3bfbfa88ca7d5276d34c9e42514c270117a6

    • SHA512

      84863e117e43246485c51db1dba46f8c014fc9a48bd57861654f0454c80dfa5adf688fdd41f328583d43fad5ef0fba2ac836ade4375a38177b039d7ec81695b6

    • SSDEEP

      393216:n9FMWw1QRAZ8PyF8vhNRzVa/8EfDX9SnziNjcP:tw1KBPyWvLRo/8JWla

    Score
    10/10
    berbewphorphiexxmrigbackdoordefense_evasiondiscoveryexecutionloaderminerpersistencespywarestealertrojanupxworm

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Berbew

      Berbew is a backdoor written in C++.

      backdoorberbew

    • Berbew family

      berbew

    • Phorphiex family

      phorphiex

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Exfiltration

Impact

Tasks