Malware Analysis Report

2025-01-23 13:58

Sample ID 241213-xetaaaypek
Target The-MALWARE-Repo-master.zip
SHA256 b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
Tags
macro upx aspackv2 macro_on_action geforce host stealer guest darkcomet njrat modiloader remcos revengerat wipelock evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Threat Level: Known bad

The file The-MALWARE-Repo-master.zip was found to be: Known bad.

Malicious Activity Summary

macro upx aspackv2 macro_on_action geforce host stealer guest darkcomet njrat modiloader remcos revengerat wipelock evasion

Remcos family

Revengerat family

Wipelock family

Njrat family

RevengeRat Executable

Darkcomet family

ModiLoader First Stage

Modiloader family

Wipelock Android payload

Suspicious Office macro

Office macro that triggers on suspicious action

ASPack v2.12-2.42

Declares services with permission to bind to the system

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

UPX packed file

AutoIT Executable

Resource Forking

Unsigned PE

NSIS installer

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-13 18:48

Signatures

Darkcomet family

darkcomet

ModiLoader First Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Njrat family

njrat

Remcos family

remcos

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Wipelock Android payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Wipelock family

wipelock

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. android.permission.BIND_WALLPAPER N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 18:46

Reported

2024-12-13 21:54

Platform

macos-20241101-en

Max time kernel

1328s

Max time network

1576s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/The-MALWARE-Repo-master.zip"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer N/A N/A
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck N/A N/A
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/The-MALWARE-Repo-master.zip"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/The-MALWARE-Repo-master.zip"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/The-MALWARE-Repo-master.zip]

/System/Library/CoreServices/talagent

[/System/Library/CoreServices/talagent]

/usr/libexec/pkreporter

[/usr/libexec/pkreporter]

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer

[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd

[/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd]

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged

[/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged]

/bin/zsh

[/bin/zsh -c /Users/run/The-MALWARE-Repo-master.zip]

/Users/run/The-MALWARE-Repo-master.zip

[/Users/run/The-MALWARE-Repo-master.zip]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged --privileged]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AccountPolicyHelper]

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper

[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.diagnosticd]

/usr/libexec/diagnosticd

[/usr/libexec/diagnosticd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.newsyslog]

/usr/sbin/newsyslog

[/usr/sbin/newsyslog]

Network

Country Destination Domain Proto
US 8.8.8.8:53 5-courier.push.apple.com udp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 40.courier-push-apple.com.akadns.net udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Keychains/login.keychain-db

MD5 798b8e57fa51d6abb5c40e22cf1261e6
SHA1 776c46d6e3cc2e1e61692d008c1d748253bb3943
SHA256 0db73e79c3ef87185474dc9b2d1c3e099797a488ab61004f5e006941f0aac345
SHA512 b75c9134eb7d8e3359fb2cd25704512b01ecc85154c1683e5e4aa7e47340f88b114c52fff37471de125b3883fc5295fa22caed1488844b3ad044317b7803755b

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 18:46

Reported

2024-12-13 21:55

Platform

macos-20241106-en

Max time kernel

1358s

Max time network

1547s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/The-MALWARE-Repo-master.zip"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/The-MALWARE-Repo-master.zip"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/The-MALWARE-Repo-master.zip"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/The-MALWARE-Repo-master.zip]

/bin/zsh

[/bin/zsh -c /Users/run/The-MALWARE-Repo-master.zip]

/Users/run/The-MALWARE-Repo-master.zip

[/Users/run/The-MALWARE-Repo-master.zip]

/usr/libexec/xpcproxy

[xpcproxy com.apple.diagnosticd]

/usr/libexec/diagnosticd

[/usr/libexec/diagnosticd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.newsyslog]

/usr/sbin/newsyslog

[/usr/sbin/newsyslog]

Network

Country Destination Domain Proto
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 17.57.146.150:5223 tcp
US 8.8.8.8:53 12-courier.push.apple.com udp
US 8.8.8.8:53 15.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 35-courier.push.apple.com udp
US 8.8.8.8:53 22.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 3.courier-push-apple.com.akadns.net udp

Files

N/A