General

  • Target

    The-MALWARE-Repo-master.zip

  • Size

    198.8MB

  • Sample

    241214-zh7cesvrap

  • MD5

    af60ad5b6cafd14d7ebce530813e68a0

  • SHA1

    ad81b87e7e9bbc21eb93aca7638d827498e78076

  • SHA256

    b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

  • SHA512

    81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3

  • SSDEEP

    6291456:wNl3aFW2h9/fiTwCzCLS6iilVkLZgAEtknRzq:wDaFd//Orcpi4VkL6AfRG

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Geforce

C2

startitit2-23969.portmap.host:1604

Mutex

b9584a316aeb9ca9b31edd4db18381f5

Attributes
  • reg_key

    b9584a316aeb9ca9b31edd4db18381f5

  • splitter

    Y262SUCZ4UJJ
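The splitter and campaign id above are the build-specific strings an analyst can key on in network traffic. The following is an added example written for this report, not code from the sandbox vendor or from the malware: it frames and parses njRAT C2 messages with this configuration's splitter. The length-prefixed framing and the "ll" registration command come from public njRAT analyses and are assumptions here; the sample beacon and its field contents are constructed, and the field order is simplified rather than the real layout.

```python
"""Parse njRAT C2 frames using the splitter from this report's extracted config.

Added example for this report, not the sandbox vendor's or the malware's code.
Framing (ASCII decimal length, NUL, payload) and the "ll" registration command
are taken from public njRAT analyses and are assumptions; sample data is constructed.
"""
from dataclasses import dataclass, field

# Values taken verbatim from the extracted njRAT config above.
NJRAT_SPLITTER = "Y262SUCZ4UJJ"
NJRAT_C2 = ("startitit2-23969.portmap.host", 1604)
NJRAT_CAMPAIGN = "Geforce"


@dataclass
class NjratMessage:
    command: str
    fields: list = field(default_factory=list)


def build_frame(command: str, *fields: str, splitter: str = NJRAT_SPLITTER) -> bytes:
    """Encode one frame: ASCII decimal payload length, NUL byte, payload."""
    payload = splitter.join((command, *fields)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes, splitter: str = NJRAT_SPLITTER) -> list:
    """Split a raw TCP stream into frames and each frame into command + fields.

    Raises ValueError on a malformed or truncated stream instead of guessing,
    so a detector treats a partial match as "not njRAT" rather than crashing.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            raise ValueError(f"no length terminator after offset {pos}")
        header = stream[pos:nul]
        if not header.isdigit():
            raise ValueError(f"non-numeric length header {header!r} at offset {pos}")
        length = int(header)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            raise ValueError(f"frame at offset {pos} declares {length} bytes, stream too short")
        parts = stream[start:end].decode("utf-8", errors="replace").split(splitter)
        messages.append(NjratMessage(command=parts[0], fields=parts[1:]))
        pos = end
    return messages


def looks_like_njrat(stream: bytes, splitter: str = NJRAT_SPLITTER) -> bool:
    """Network-side triage: the build-specific splitter is present, the stream
    parses cleanly, and a registration ("ll") frame is seen. The splitter is the
    strongest single string indicator because it is unique to this build."""
    if splitter.encode("utf-8") not in stream:
        return False
    try:
        return any(m.command == "ll" for m in parse_frames(stream, splitter))
    except ValueError:
        return False


# Constructed sample traffic: a registration beacon carrying the campaign id,
# followed by a second frame. Field order is simplified, not the real layout.
SAMPLE_STREAM = (
    build_frame("ll", f"{NJRAT_CAMPAIGN}_0123456789ABCDEF", "VICTIM-PC", "user", "0.7d")
    + build_frame("inf")
)

if __name__ == "__main__":
    for msg in parse_frames(SAMPLE_STREAM):
        print(msg.command, msg.fields)
    print("njRAT?", looks_like_njrat(SAMPLE_STREAM), "expected C2:", NJRAT_C2)
```

The splitter is worth more than the C2 hostname as an indicator: portmap.host tunnels are disposable, while the splitter is baked into the build and appears in every frame.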

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Userdata.exe

  • copy_folder

    Userdata

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    remcos_vcexssuhap

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
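Several of the Remcos options above are switched off (keylog_flag and screenshot_flag are false), so the keylog and screenshot paths are not artefacts to expect on a host running this build. The following is an added example for this report, not Remcos code or the sandbox vendor's: it turns the extracted config into host artefacts and checks them against telemetry. Assumptions: the install location composes as install_path\copy_folder\copy_file (the way public Remcos write-ups describe the builder options), the environment-variable expansions are illustrative defaults, and the observed telemetry lines are constructed.

```python
"""Derive host artefacts to hunt for from this report's extracted Remcos config.

Added example for this report, not Remcos code or the sandbox vendor's.
Assumptions: install location is install_path\copy_folder\copy_file and the
keylog/screenshot locations compose the same way; ENV expansions are defaults
for illustration; the OBSERVED telemetry is constructed.
"""
import ntpath
import re

# Extracted config from this report (only the keys used here, values verbatim).
REMCOS_CONFIG = {
    "c2": ["nickman12-46565.portmap.io:46565", "nickman12-46565.portmap.io:1735"],
    "install_flag": "true",
    "install_path": r"%WinDir%\System32",
    "copy_folder": "Userdata",
    "copy_file": "Userdata.exe",
    "startup_value": "remcos",
    "mutex": "remcos_vcexssuhap",
    "keylog_flag": "false",
    "keylog_path": r"%WinDir%\System32",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
    "screenshot_path": r"%AppData%",
    "screenshot_folder": "Screens",
}

# Assumed expansions for a default Windows install; substitute per host.
ENV = {"WinDir": r"C:\Windows", "AppData": r"C:\Users\<user>\AppData\Roaming"}


def expand(path: str) -> str:
    """Expand %Var% tokens with ENV, leaving unknown tokens untouched."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), path)


def is_true(value: str) -> bool:
    return str(value).strip().lower() == "true"


def remcos_artifacts(cfg: dict) -> dict:
    """Emit artefacts only for features the config enables: with keylog_flag
    and screenshot_flag false, logs.dat and the Screens folder must not drive
    hunting, and finding them would mean a differently configured build."""
    art = {"files": [], "mutexes": [cfg["mutex"]], "startup_values": [], "c2": [], "disabled": []}
    if is_true(cfg["install_flag"]):
        art["files"].append(ntpath.join(expand(cfg["install_path"]), cfg["copy_folder"], cfg["copy_file"]))
        art["startup_values"].append(cfg["startup_value"])
    if is_true(cfg["keylog_flag"]):
        art["files"].append(ntpath.join(expand(cfg["keylog_path"]), cfg["keylog_folder"], cfg["keylog_file"]))
    else:
        art["disabled"].append("keylogger")
    if is_true(cfg["screenshot_flag"]):
        art["files"].append(ntpath.join(expand(cfg["screenshot_path"]), cfg["screenshot_folder"]))
    else:
        art["disabled"].append("screenshots")
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        art["c2"].append((host, int(port)))
    return art


def match_observations(expected: dict, observed: list) -> list:
    """observed: (kind, value) pairs as an EDR export might give them
    (file, mutex, run_value, dns, connect). Returns the matching pairs."""
    files = {f.lower() for f in expected["files"]}
    mutexes = {m.lower() for m in expected["mutexes"]}
    startups = {s.lower() for s in expected["startup_values"]}
    hosts = {h.lower() for h, _ in expected["c2"]}
    ports = {p for _, p in expected["c2"]}
    hits = []
    for kind, value in observed:
        v = value.lower()
        if (kind == "file" and v in files) or (kind == "mutex" and v in mutexes) \
                or (kind == "run_value" and v in startups) or (kind == "dns" and v in hosts):
            hits.append((kind, value))
        elif kind == "connect":
            host, _, port = v.rpartition(":")
            if host in hosts and port.isdigit() and int(port) in ports:
                hits.append((kind, value))
    return hits


# Constructed host telemetry; logs.dat and notepad.exe are decoys that must not match.
OBSERVED = [
    ("file", r"C:\Windows\System32\Userdata\Userdata.exe"),
    ("file", r"C:\Windows\System32\remcos\logs.dat"),
    ("mutex", "remcos_vcexssuhap"),
    ("run_value", "remcos"),
    ("connect", "nickman12-46565.portmap.io:1735"),
    ("file", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    art = remcos_artifacts(REMCOS_CONFIG)
    print("expected:", art)
    print("hits:", match_observations(art, OBSERVED))
```

Note that logs.dat is deliberately absent from the expected set: the keylogger is disabled in this extraction, so seeing that file on a host means the running sample's configuration differs from the one reported here, which is itself worth flagging.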

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Targets

    • Target

      The-MALWARE-Repo-master/Trojan/MEMZ.exe

    • Size

      14KB

    • MD5

      19dbec50735b5f2a72d4199c4e184960

    • SHA1

      6fed7732f7cb6f59743795b2ab154a3676f4c822

    • SHA256

      a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

    • SHA512

      aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

    • SSDEEP

      192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

    • A potential corporate email address has been identified in the URL: [email protected]

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      The-MALWARE-Repo-master/Trojan/Mobile_Legends_Adventure.apk

    • Size

      4.0MB

    • MD5

      42585ccd2b7867c12052653e4d54b7cc

    • SHA1

      a9348c3aabcc0171d1e35edeb37fd2da0fff0ad4

    • SHA256

      b47bcc55ca8dc0625a145d6809cfa3ad78e9e3b4f33bc608b5bcaf7e9e1e5827

    • SHA512

      e270bd1fbbaaccf3382048e9ac2489444a735ed32fb83f7681526a1edb0b7847d6adb8d75064b065309293ef75c45e2ea85fb132a1c12afd08b3a1346caad550

    • SSDEEP

      98304:1kDC5i3mO2jB5qJYNXV6lDysPmkMZHG9dqO/J:1x2ZW5eYN4lDy2xwHG9dfJ

    Score
    1/10
    • Target

      The-MALWARE-Repo-master/Trojan/MrsMajors/BossDaMajor/BossDaMajor.exe

    • Size

      1.9MB

    • MD5

      38ff71c1dee2a9add67f1edb1a30ff8c

    • SHA1

      10f0defd98d4e5096fbeb321b28d6559e44d66db

    • SHA256

      730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a

    • SHA512

      8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9

    • SSDEEP

      49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies system executable filetype association

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      The-MALWARE-Repo-master/Trojan/elite.apk

    • Size

      533KB

    • MD5

      9f01767647e2e72f446d374bbcb20c53

    • SHA1

      f6b1adcd7723b525418a05bcede5c671366d7ab3

    • SHA256

      fcee982b3d0e1601b40078d98df03503668aec7542721f921ae8248bc3cec3a1

    • SHA512

      4b9dc2dc08f015ed96a3ce30978994314d3edca84348eb62e7cb65d4d5477f179c44c80cc0a67863bc119555d0217f57681d047ce98ec405bd5eeaf2da8280ed

    • SSDEEP

      12288:kjRH6+O//n3tKpSsM+1HA+x283ecVS3EVqPlR6i0Ci3jM34D9Z:kN6+ONjstg38OOS3EW6i0C+M3SZ

    Score
    1/10
    • Target

      The-MALWARE-Repo-master/Trojan/mobelejen.apk

    • Size

      549KB

    • MD5

      45be5a7857a4fa1c5eadd519e9402e8a

    • SHA1

      36feb0809c1853f9a1f6d587302691abd7ce90e9

    • SHA256

      7d59e24f4bdf28a846d21e2608796f7e91389c4778bec75369d7b05e3f8449a5

    • SHA512

      46c869051e0c97b68f4388b87caecd82bf7362110a34ebb28ddc5fcd6c8a0e339eeaafbfce54d22593e245457fae7ec4c36b49a8556d3327ba7f90a40dd96a73

    • SSDEEP

      12288:9cVS3EVqPlR6i0Ci3jM34D9zSxjRH6+O//n3tKpSsM+1HA+3De7:9OS3EW6i0C+M3SziN6+ONjstgYDe7

    Score
    1/10
    • Target

      The-MALWARE-Repo-master/Trojan/vi4a.apk

    • Size

      37KB

    • MD5

      5f616a8fb9ce44ed75834487405be446

    • SHA1

      8ae9c48e6a8a21b4c8068e0b8855240978637fdf

    • SHA256

      b0ff5690c31f160808a869a14fa55f9e38c82de81cf98b895badc88c997ee45c

    • SHA512

      0ad658d53c455f7e68c3a4722f475bba65c22f17fd2c330a1ed34bff384462ceae9096c2d2e9cb4ad35168c551d579ca6b7335728432e94661dc8f65cdd14c58

    • SSDEEP

      768:DZ1Z9LApP6PUxxV9L2WSkwvCjSsPVxa8D74gV8:DZPBAB6mIWSjSSszj4D

    Score
    1/10
    • Target

      The-MALWARE-Repo-master/Virus/Mabezat/Mabezat.exe

    • Size

      141KB

    • MD5

      de8d08a3018dfe8fd04ed525d30bb612

    • SHA1

      a65d97c20e777d04fb4f3c465b82e8c456edba24

    • SHA256

      2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb

    • SHA512

      cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a

    • SSDEEP

      3072:k8sjSpy0bShLy8gXvzJ9k8a/o3z4aBy5chynHa3Ifn9xJY:Fsjl0bu+NxjJBRhyHJfO

    Score
    3/10
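The signatures reported for MEMZ.exe (location check, MBR write, System32 drop) and BossDaMajor.exe (Winlogon persistence, RegEdit and Task Manager disabled, executable association change, location check) map onto a handful of well-known registry values and disk operations. The following is an added example for this report, not the sandbox's own signature engine: it runs those checks over a stream of trace events. The event records are constructed in a simplified trace shape (not Sysmon's exact schema), and the registry locations are standard Windows ones rather than values taken from the report.

```python
"""Flag the host behaviours this report attributes to MEMZ.exe and
BossDaMajor.exe in a stream of trace events.

Added example for this report, not the sandbox's signature engine. EVENTS are
constructed in a simplified trace shape; the registry and device paths are
standard Windows locations, not values reported by the sandbox.
"""
import re
from collections import defaultdict

# Standard Windows locations behind each behaviour (case-insensitive suffix matches).
POLICIES_SYSTEM = r"\software\microsoft\windows\currentversion\policies\system"
WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"
GEO_KEY = r"\control panel\international\geo"
EXEFILE_OPEN = r"\exefile\shell\open\command"
SYSTEM32 = "c:\\windows\\system32\\"
PHYSICAL_DRIVE = re.compile(r"^\\\\\.\\physicaldrive\d+$")
MBR_SIZE = 512  # the MBR is the first sector of the disk


def _reg_set(e: dict, key_suffix: str, value_names: set, data=None) -> bool:
    return (e["type"] == "reg_set"
            and e["key"].lower().endswith(key_suffix)
            and e["value"].lower() in value_names
            and (data is None or str(e.get("data")) == data))


RULES = {
    # BossDaMajor.exe signatures
    "disable_taskmgr": lambda e: _reg_set(e, POLICIES_SYSTEM, {"disabletaskmgr"}, "1"),
    "disable_regedit": lambda e: _reg_set(e, POLICIES_SYSTEM, {"disableregistrytools"}, "1"),
    "winlogon_persistence": lambda e: _reg_set(e, WINLOGON, {"shell", "userinit"}),
    "exe_association_hijack": lambda e: e["type"] == "reg_set" and EXEFILE_OPEN in e["key"].lower(),
    # reported for both samples; a read, so it needs API-level tracing, not Sysmon
    "geofence_check": lambda e: (e["type"] == "reg_query"
                                 and e["key"].lower().endswith(GEO_KEY)
                                 and e["value"].lower() == "nation"),
    # MEMZ.exe signatures
    "mbr_write": lambda e: (e["type"] == "file_write"
                            and PHYSICAL_DRIVE.match(e["path"].lower()) is not None
                            and e.get("offset", 0) < MBR_SIZE),
    "system32_drop": lambda e: e["type"] == "file_create" and e["path"].lower().startswith(SYSTEM32),
}


def detect(events: list) -> dict:
    """Return {process: sorted rule names} for every process that hit a rule."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["proc"]].add(name)
    return {proc: sorted(names) for proc, names in hits.items()}


# Constructed events: the two samples plus benign explorer.exe activity that must not fire.
EVENTS = [
    {"type": "reg_query", "proc": "MEMZ.exe", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "file_create", "proc": "MEMZ.exe", "path": r"C:\Windows\System32\dropped.tmp"},
    {"type": "file_write", "proc": "MEMZ.exe", "path": r"\\.\PhysicalDrive0", "offset": 0, "size": 512},
    {"type": "reg_set", "proc": "BossDaMajor.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "value": "DisableTaskMgr", "data": 1},
    {"type": "reg_set", "proc": "BossDaMajor.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "value": "DisableRegistryTools", "data": 1},
    {"type": "reg_set", "proc": "BossDaMajor.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Shell", "data": "explorer.exe,payload.exe"},
    {"type": "reg_set", "proc": "BossDaMajor.exe",
     "key": r"HKCR\exefile\shell\open\command", "value": "", "data": 'payload.exe "%1" %*'},
    {"type": "reg_query", "proc": "BossDaMajor.exe", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "file_write", "proc": "explorer.exe", "path": r"C:\Users\user\Desktop\notes.txt", "offset": 0},
    {"type": "reg_set", "proc": "explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "value": "Hidden", "data": 1},
]

if __name__ == "__main__":
    for proc, names in detect(EVENTS).items():
        print(proc, names)
```

The location check is a registry read, which Sysmon does not record; it only shows up in API-level or sandbox traces, which is why the rule keys on a separate reg_query event type. The MBR rule keys on the raw device path plus a write offset inside the first sector, since legitimate disk tooling rarely writes there from a user process.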

MITRE ATT&CK Enterprise v15

Tasks

static1

macro upx aspackv2 macro_on_action geforce host stealer guest darkcomet njrat modiloader remcos revengerat wipelock
Score
10/10

behavioral1

bootkit discovery persistence
Score
6/10

behavioral2

bootkit discovery persistence phishing
Score
7/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

evasion
Score
4/10

behavioral7

Score
1/10

behavioral8

defense_evasion discovery evasion persistence privilege_escalation trojan
Score
10/10

behavioral9

defense_evasion discovery evasion persistence privilege_escalation trojan
Score
10/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

discovery
Score
3/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10