Resubmissions
31-01-2025 20:51
250131-zngnysynhl 1022-01-2025 17:19
250122-vv8c2awqf1 1022-01-2025 16:20
250122-ts986swjel 1022-01-2025 13:44
250122-q2a9nayng1 1022-01-2025 13:43
250122-q1jjmszmel 1022-01-2025 13:42
250122-qz519ayncz 1021-01-2025 02:07
250121-cjzbwa1jhp 1020-01-2025 18:36
250120-w88fmasqfy 1020-01-2025 18:27
250120-w3q96asnh1 10General
-
Target
4363463463464363463463463.zip.zip
-
Size
394KB
-
Sample
250120-w3q96asnh1
-
MD5
22872ef7f39c6c03422b358f867e69b7
-
SHA1
263dbd53bf3e6766a11e0a0ce896e708be807aa0
-
SHA256
12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd
-
SHA512
d26020b40e03a1bc7dff4d872c9421e07681e4bb4bbf9172f063be7d81b060686f1091dd2603de30ae600cae250e4a94cd3f2909e88e2e26b796771b8eb6b817
-
SSDEEP
12288:YGA+VQGlOa26BcdTJw3dzxdY4BAvcTCyY:YGfQGlg64NWv64AETI
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
quasar
1.4.0.0
FakeCreal
espinyskibidi-40205.portmap.host:40205
CdrjrrWbtRopP1ic7E
-
encryption_key
HXEHSwyN1GHqlZUqunrd
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Client
-
subdirectory
Microsoft
Extracted
risepro
118.194.235.187:50500
Extracted
metasploit
windows/reverse_tcp
167.250.49.155:445
Extracted
quasar
1.4.1
Manager
serveo.net:11453
a851cc5b-e50f-4270-9929-06c6323cdb3d
-
encryption_key
5A3C537E5FB2739D5B2468FC37915D58EF4AC5EA
-
install_name
Runtime broker.exe
-
log_directory
Microsoftsessential
-
reconnect_delay
3000
-
startup_key
Runtime broker
-
subdirectory
Microsoft_Essentials
Extracted
quasar
1.4.1
SGVP
192.168.1.9:4782
150.129.206.176:4782
Ai-Sgvp-33452.portmap.host:33452
a35ec7b7-5a95-4207-8f25-7af0a7847fa5
-
encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
-
install_name
User Application Data.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windowns Client Startup
-
subdirectory
Quasar
Extracted
quasar
1.4.0.0
Office
45.136.51.217:2222
d1mBeqcqGummV1rEKw
-
encryption_key
h9j7M9986eVjQwMbjacZ
-
install_name
csrss.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
NET framework
-
subdirectory
SubDir
Extracted
xworm
5.0
147.124.216.7:7000
:7000
robert2day-54368.portmap.host:54368
147.182.141.239:7000
Chb72kPsRE765ttP
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6637136966:AAEts3hYw0FMwzt3_IyeXzVgX3ImP0vNUKQ/sendMessage?chat_id=995234876
Extracted
quasar
1.4.1
Office04
192.168.43.241:4782
0517af80-95f0-4a6d-a904-5b7ee8faa157
-
encryption_key
6095BF6D5D58D02597F98370DFD1CCEB782F1EDD
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
SubDir
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:8080
127.0.0.1:17027
2.tcp.ngrok.io:6606
2.tcp.ngrok.io:7707
2.tcp.ngrok.io:8808
2.tcp.ngrok.io:8080
2.tcp.ngrok.io:17027
KSKA6RWWOYIu
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
stealc
Voov2
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
vidar
11.8
0174ec9d0ab5d3dd4d0bbe7415cfa10c
https://t.me/fu4chmo
https://steamcommunity.com/profiles/76561199802540894
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
quasar
1.4.0
Office04
192.168.31.99:4782
2001:4bc9:1f98:a4e::676:4782
255.255.255.0:4782
fe80::cabf:4cff:fe84:9572%17:4782
1f65a787-81b8-4955-95e4-b7751e10cd50
-
encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
-
install_name
Java Updater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Extracted
vidar
p1up1
https://t.me/m3wm0w
https://steamcommunity.com/profiles/76561199804377619
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
gurcu
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/sendMessage?chat_id=5479981438
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=1
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=2
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=3
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=4
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=5
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=6
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=7
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=8
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=9
https://api.telegram.org/bot6637136966:AAEts3hYw0FMwzt3_IyeXzVgX3ImP0vNUKQ/sendMessage?chat_id=995234876
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_OvoM/sendMessage?chat_id=5479981438
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
764KB
-
MD5
85e3d4ac5a6ef32fb93764c090ef32b7
-
SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
-
SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
-
SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
-
SSDEEP
12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Risepro family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
XMRig Miner payload
-
Xmrig family
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
DCRat payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1