Overview

overview

10

Static

static

3

241127-xqs...ed.zip

windows10-2004-x64

10

Resubmissions

31-12-2024 21:35

241231-1fmqnszqft 10

31-12-2024 21:27

241231-1axzfssnek 10

16-12-2024 05:27

241216-f5kx6awmh1 10

14-12-2024 20:23

241214-y6jqlasrhy 10

14-12-2024 20:22

241214-y51bysvmbk 10

14-12-2024 20:13

241214-yzc98svkfr 10

14-12-2024 13:14

241214-qgw1masrcy 10

14-12-2024 13:12

241214-qfk7qsvlaq 3

12-12-2024 18:19

241212-wymq6ssnat 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    241127-xqsswsslej_pw_infected.zip

  • Size

    12KB

  • Sample

    241231-1fmqnszqft

  • MD5

    79fd058f7d06cc022de1786507eb26e3

  • SHA1

    86590ec8ed73fd2951587561dff5387e9e0e18e6

  • SHA256

    cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

  • SHA512

    8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227

  • SSDEEP

    384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT

Score
10/10
asyncratjigsawquasarremcosstormkittyvidarxmrigxwormdefaulthelper atankamanagerremotehostcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalationpyinstallerransomwareratspywarestealertrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftpcluster.loopia.se
  • Port:
    21
  • Username:
    srbreferee.com
  • Password:
    luka2005

Extracted

Family

quasar

Version

1.4.1

Botnet

Helper Atanka

C2

193.203.238.136:8080

Mutex

14f39659-ca5b-4af7-8045-bed3500c385f

Attributes
  • encryption_key

    11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424

  • install_name

    diskutil.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    diskutil

  • subdirectory

    diskutil

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

6.tcp.eu.ngrok.io:12925

Mutex

hDtjdONRXVCh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.210.150.26:8787

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-R1T905

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

xworm

C2

127.0.0.1:48990

147.185.221.22:48990
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Manager

C2

serveo.net:11453

Mutex

a851cc5b-e50f-4270-9929-06c6323cdb3d

Attributes
  • encryption_key

    5A3C537E5FB2739D5B2468FC37915D58EF4AC5EA

  • install_name

    Runtime broker.exe

  • log_directory

    Microsoftsessential

  • reconnect_delay

    3000

  • startup_key

    Runtime broker

  • subdirectory

    Microsoft_Essentials

Targets

    • Target

      241127-xqsswsslej_pw_infected.zip

    • Size

      12KB

    • MD5

      79fd058f7d06cc022de1786507eb26e3

    • SHA1

      86590ec8ed73fd2951587561dff5387e9e0e18e6

    • SHA256

      cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

    • SHA512

      8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227

    • SSDEEP

      384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT

    Score
    10/10
    asyncratjigsawquasarremcosstormkittyvidarxmrigxwormdefaulthelper atankamanagerremotehostcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalationpyinstallerransomwareratspywarestealertrojanupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

      ransomwarejigsaw

    • Jigsaw family

      jigsaw

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • XMRig Miner payload

      miner

    • Xmrig family

      xmrig

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • Renames multiple (3767) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

6
T1012

Remote System Discovery

1
T1018

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks