Resubmissions

13-01-2025 17:50

250113-wewjza1pes 10

13-01-2025 17:32

250113-v4m4fssrgj 10

General

  • Target

    New Text Document mod.exe.zip

  • Size

    392KB

  • Sample

    250113-v4m4fssrgj

  • MD5

    209c2bed74ce311f3de2c3040f5cbd8b

  • SHA1

    676dbe2bbf178ca27210c8a2e37aa9652f4e17d5

  • SHA256

    672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6

  • SHA512

    44b5207ce1a79c220ed014b7803ba4f3b89b0aa81f2232e152da9e5c8004c164a281d8806843a10590e3c55b902ef5e3f359bc117b80b11d052fe60324709324

  • SSDEEP

    6144:PiyQGVN3t3bmwUUoI7a+OjFjjGFEduVVZ4vELL2VzCGb49pRYCEheDmDUKUQWCCJ:P/HfRx7aNFXuhTL2I70SmpXCqry

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

other-little.gl.at.ply.gg:11758

Extazz24535-22930.portmap.host:22930

llordiWasHere-55715.portmap.host:55715

Mutex

fbbc34bd-7320-405e-aebb-d4c666ee475f

Attributes
  • encryption_key

    FEA99DED4EFE826DE2850621FD7919E62525FD26

  • install_name

    DirectX111.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    DirectX

  • subdirectory

    SubDir

Extracted

Family

redline

Botnet

1V

C2

195.177.92.88:1912

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

0.tcp.in.ngrok.io:10147

38.240.58.195:6606

172.204.136.22:1604

Mutex

Q52IWD1RYgpZ

Attributes
  • delay

    3

  • install

    false

  • install_file

    Listopener.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

Standoff

C2

89.23.101.77:1912

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

20.107.53.25:25535

Mutex

QSR_MUTEX_zQ0poF2lHhCSZKSUZ3

Attributes
  • encryption_key

    E2xbpJ93MnABcIqioTDL

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected]

Extracted

Family

redline

Botnet

first

C2

212.56.41.77:1912

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

C2

217.195.197.170:1604

Mutex

QSR_MUTEX_9WjAcLINYji1uqfzRt

Attributes
  • encryption_key

    B2vTTMiPGqHXv2xzSGYH

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

C2

qrpn9be.localto.net:2810

Mutex

fc5edab1-6e8f-4963-98aa-bd077e08750f

Attributes
  • encryption_key

    F749DCAC94A1FC3102D2B0CFBBFCB76086F86568

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    RuntimeBroker

  • subdirectory

    a7

Extracted

Family

quasar

Version

1.4.1

Botnet

ROBLOX EXECUTOR

C2

192.168.50.1:4782

10.0.0.113:4782

LETSQOOO-62766.portmap.host:62766

89.10.178.51:4782

Mutex

90faf922-159d-4166-b661-4ba16af8650e

Attributes
  • encryption_key

    FFEE70B90F5EBED6085600C989F1D6D56E2DEC26

  • install_name

    windows 3543.exe

  • log_directory

    roblox executor

  • reconnect_delay

    3000

  • startup_key

    windows background updater

  • subdirectory

    windows updater

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

wzt5xcg.localto.net:1604

wzt5xcg.localto.net:5274

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    KYGOClient.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

C2

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes
  • encryption_key

    3EBA8BC34FA983893A9B07B831E7CEB183F7492D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security Service

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

85.192.29.60:5173

45.136.51.217:5173

Mutex

QAPB6w0UbYXMvQdKRF

Attributes
  • encryption_key

    pxC3g4rfVijQxK1hMGwM

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    NET framework

  • subdirectory

    SubDir

Extracted

Family

redline

Botnet

@glowfy0

C2

91.214.78.86:1912

Extracted

Family

vipkeylogger

Targets

    • Target

      New Text Document mod.exe.zip

    • Size

      392KB

    • MD5

      209c2bed74ce311f3de2c3040f5cbd8b

    • SHA1

      676dbe2bbf178ca27210c8a2e37aa9652f4e17d5

    • SHA256

      672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6

    • SHA512

      44b5207ce1a79c220ed014b7803ba4f3b89b0aa81f2232e152da9e5c8004c164a281d8806843a10590e3c55b902ef5e3f359bc117b80b11d052fe60324709324

    • SSDEEP

      6144:PiyQGVN3t3bmwUUoI7a+OjFjjGFEduVVZ4vELL2VzCGb49pRYCEheDmDUKUQWCCJ:P/HfRx7aNFXuhTL2I70SmpXCqry

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • Modifies security service

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Vipkeylogger family

    • XMRig Miner payload

    • Xmrig family

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Async RAT payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • mimikatz is an open source tool to dump credentials on Windows

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Contacts a large (565) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

static1

xred
Score
10/10

behavioral1

asyncrat, meduza, quasar, redline, xred, 1v, default, office04, standoff, backdoor, collection, defense_evasion, discovery, evasion, execution, impact, infostealer, persistence, ransomware, rat, spyware, stealer, trojan, upx
Score
10/10

behavioral2

asyncrat, meduza, mimikatz, quasar, redline, vidar, xmrig, xred, xworm, 1v, @glowfy0, default, first, office, office04, roblox executor, runtimebroker, sigorta, standoff, zjeb, backdoor, collection, defense_evasion, discovery, evasion, execution, impact, infostealer, miner, persistence, ransomware, rat, spyware, stealer, trojan, upx
Score
10/10

behavioral3

asyncrat, meduza, quasar, redline, xmrig, xred, 1v, default, first, office04, roblox executor, runtimebroker, sigorta, standoff, backdoor, collection, defense_evasion, discovery, evasion, execution, impact, infostealer, miner, persistence, ransomware, rat, spyware, stealer, trojan, upx
Score
10/10

behavioral4

asyncrat, meduza, mimikatz, quasar, redline, vipkeylogger, xmrig, xred, 1v, default, first, office04, roblox executor, runtimebroker, sigorta, standoff, backdoor, collection, defense_evasion, discovery, evasion, execution, impact, infostealer, keylogger, miner, persistence, ransomware, rat, spyware, stealer, trojan, upx
Score
10/10