Overview
overview
10Static
static
10The-MALWAR...2aed41
windows10-ltsc 2021-x64
3The-MALWAR...b54692
windows10-ltsc 2021-x64
3The-MALWAR...00f6c1
windows10-ltsc 2021-x64
3The-MALWAR...ka.exe
windows10-ltsc 2021-x64
7The-MALWAR...te.apk
windows10-ltsc 2021-x64
3The-MALWAR...en.apk
windows10-ltsc 2021-x64
3The-MALWAR...4a.apk
windows10-ltsc 2021-x64
3The-MALWAR...if.exe
windows10-ltsc 2021-x64
10The-MALWAR...il.exe
windows10-ltsc 2021-x64
8The-MALWAR...at.exe
windows10-ltsc 2021-x64
3The-MALWAR...an.exe
windows10-ltsc 2021-x64
The-MALWAR...sa.doc
windows10-ltsc 2021-x64
1The-MALWAR...er.com
windows10-ltsc 2021-x64
The-MALWAR...98.exe
windows10-ltsc 2021-x64
3The-MALWAR...aj.exe
windows10-ltsc 2021-x64
7The-MALWAR...jB.exe
windows10-ltsc 2021-x64
7The-MALWAR...om.exe
windows10-ltsc 2021-x64
6The-MALWAR...1C.exe
windows10-ltsc 2021-x64
5The-MALWAR...90.exe
windows10-ltsc 2021-x64
9The-MALWAR...6a.exe
windows10-ltsc 2021-x64
9The-MALWAR...it.exe
windows10-ltsc 2021-x64
3The-MALWAR...ng.exe
windows10-ltsc 2021-x64
7The-MALWAR....a.exe
windows10-ltsc 2021-x64
10The-MALWAR...il.vbs
windows10-ltsc 2021-x64
10The-MALWAR...1A.exe
windows10-ltsc 2021-x64
8The-MALWAR...as.exe
windows10-ltsc 2021-x64
6The-MALWAR...te.exe
windows10-ltsc 2021-x64
7The-MALWAR....a.exe
windows10-ltsc 2021-x64
3The-MALWAR...le.exe
windows10-ltsc 2021-x64
3The-MALWAR...us.exe
windows10-ltsc 2021-x64
10The-MALWAR...er.exe
windows10-ltsc 2021-x64
7The-MALWAR...ff.exe
windows10-ltsc 2021-x64
3Analysis
-
max time kernel
1772s -
max time network
1626s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
13-12-2024 18:01
Static task
static1
Behavioral task
behavioral1
Sample
The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
Behavioral task
behavioral2
Sample
The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.ac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral3
Sample
The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.d11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral4
Sample
The-MALWARE-Repo-master/Trojan/Zika.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral5
Sample
The-MALWARE-Repo-master/Trojan/elite.apk
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral6
Sample
The-MALWARE-Repo-master/Trojan/mobelejen.apk
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral7
Sample
The-MALWARE-Repo-master/Trojan/vi4a.apk
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral8
Sample
The-MALWARE-Repo-master/Virus/Floxif/Floxif.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral9
Sample
The-MALWARE-Repo-master/Virus/Gnil/Gnil.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral10
Sample
The-MALWARE-Repo-master/Virus/Mabezat/Mabezat.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral11
Sample
The-MALWARE-Repo-master/Virus/MadMan.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
Behavioral task
behavioral12
Sample
The-MALWARE-Repo-master/Virus/Melissa.doc
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral13
Sample
The-MALWARE-Repo-master/Virus/Walker.com
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral14
Sample
The-MALWARE-Repo-master/Virus/WinNuke.98.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral15
Sample
The-MALWARE-Repo-master/Virus/Xpaj/xpaj.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral16
Sample
The-MALWARE-Repo-master/Virus/Xpaj/xpajB.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral17
Sample
The-MALWARE-Repo-master/Worm/Bezilom.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral18
Sample
The-MALWARE-Repo-master/Worm/Blaster/607B60AD512C50B7D71DCCC057E85F1C.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral19
Sample
The-MALWARE-Repo-master/Worm/Blaster/8676210e6246948201aa014db471de90.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
Behavioral task
behavioral20
Sample
The-MALWARE-Repo-master/Worm/Blaster/8a17f336f86e81f04d8e66fa23f9b36a.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral21
Sample
The-MALWARE-Repo-master/Worm/Blaster/DComExploit.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral22
Sample
The-MALWARE-Repo-master/Worm/Bumerang.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral23
Sample
The-MALWARE-Repo-master/Worm/Fagot.a.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral24
Sample
The-MALWARE-Repo-master/Worm/HeadTail.vbs
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral25
Sample
The-MALWARE-Repo-master/Worm/Heap41A.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
Behavioral task
behavioral26
Sample
The-MALWARE-Repo-master/Worm/Mantas.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral27
Sample
The-MALWARE-Repo-master/Worm/NadIote/Nadlote.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral28
Sample
The-MALWARE-Repo-master/Worm/Netres.a.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral29
Sample
The-MALWARE-Repo-master/Worm/Nople.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral30
Sample
The-MALWARE-Repo-master/Worm/Vobfus/Vobus.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral31
Sample
The-MALWARE-Repo-master/rogues/AdwereCleaner.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
Behavioral task
behavioral32
Sample
The-MALWARE-Repo-master/rogues/SpySheriff.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
General
-
Target
The-MALWARE-Repo-master/Worm/Vobfus/Vobus.exe
-
Size
384KB
-
MD5
966bb4bdfe0edb89ec2d43519c6de3af
-
SHA1
7aa402e5241ff1ca2aeabeeda8928579902ad81a
-
SHA256
ef12832d67a099282b6aad1bf2858375dd4b53c67638daf12a253bc9f918b77f
-
SHA512
71b8cf14055caee1322976dc0ac777bdd0f9058ee37d30d7967bdc28d80f66d0d478c939501be5f9c70245e5b161c69ad36721a7c6454fea9abe76786934db66
-
SSDEEP
3072:rtyFjchUoBENcPCkTaVYD3CbbTDMo6ZWbBrM/LqibDdjGRc32R7srGADv1FSJl:rqJVYD3KDN6ZWbBrM/GiDoO3IsrTvI
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Vobus.exe Set value (int) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vjtul.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation Vobus.exe -
Executes dropped EXE 1 IoCs
pid Process 3764 vjtul.exe -
Adds Run key to start application 2 TTPs 26 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /A" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /J" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /r" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /Z" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /y" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /C" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /b" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /n" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /P" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /T" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /D" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /i" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /L" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /e" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /k" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /x" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /I" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /N" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /F" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /M" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /A" Vobus.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /B" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /f" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /K" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /p" vjtul.exe Set value (str) \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjtul = "C:\\Users\\Admin\\vjtul.exe /d" vjtul.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vobus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjtul.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1140 Vobus.exe 1140 Vobus.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe 3764 vjtul.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1140 Vobus.exe 3764 vjtul.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1140 wrote to memory of 3764 1140 Vobus.exe 82 PID 1140 wrote to memory of 3764 1140 Vobus.exe 82 PID 1140 wrote to memory of 3764 1140 Vobus.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Vobfus\Vobus.exe"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Vobfus\Vobus.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Users\Admin\vjtul.exe"C:\Users\Admin\vjtul.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3764
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
384KB
MD55e6ae5329557166414235f03006c616a
SHA16ff7f32bb319b4e2f109645882d1fe0740ae7c6b
SHA25641cacecba767fce666408e85fe805243f9923d247f5102a2fb88812116455ae2
SHA512612b7706e2068c2f20d2cf1e06c1d50e3fd8295c6a5abfa3ecdbced2bde1eae02baf767071ba4927ca360164e11bb75a84db5b101443206e32800b9f98ffe64c