Overview

overview

10

Static

static

10

4363463463...63.exe

windows11-21h2-x64

10

Resubmissions

31/01/2025, 20:51

250131-zngnysynhl 10

22/01/2025, 17:19

250122-vv8c2awqf1 10

22/01/2025, 16:20

250122-ts986swjel 10

22/01/2025, 13:44

250122-q2a9nayng1 10

22/01/2025, 13:43

250122-q1jjmszmel 10

22/01/2025, 13:42

250122-qz519ayncz 10

21/01/2025, 02:07

250121-cjzbwa1jhp 10

20/01/2025, 18:36

250120-w88fmasqfy 10

20/01/2025, 18:27

250120-w3q96asnh1 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.zip.zip

  • Size

    394KB

  • Sample

    250121-cjzbwa1jhp

  • MD5

    22872ef7f39c6c03422b358f867e69b7

  • SHA1

    263dbd53bf3e6766a11e0a0ce896e708be807aa0

  • SHA256

    12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

  • SHA512

    d26020b40e03a1bc7dff4d872c9421e07681e4bb4bbf9172f063be7d81b060686f1091dd2603de30ae600cae250e4a94cd3f2909e88e2e26b796771b8eb6b817

  • SSDEEP

    12288:YGA+VQGlOa26BcdTJw3dzxdY4BAvcTCyY:YGfQGlg64NWv64AETI

Score
10/10
metasploitstealcvidarxredxworm41d35cbb974bc2d1287dcd4381b4a2a8a21440e9f7223be06be5f5e2f94969c7backdoorcredential_accessdiscoveryexecutionpersistencepyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

89.197.154.116:7810

Extracted

Family

xworm

Version

5.0

C2

police-turkish.gl.at.ply.gg:46359

Mutex

98LKJ8osZWR75pSw

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

vidar

Version

11.8

Botnet

41d35cbb974bc2d1287dcd4381b4a2a8

C2

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

vidar

Version

11.3

Botnet

a21440e9f7223be06be5f5e2f94969c7

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      764KB

    • MD5

      85e3d4ac5a6ef32fb93764c090ef32b7

    • SHA1

      adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

    • SHA256

      4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

    • SHA512

      a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

    • SSDEEP

      12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

    Score
    10/10
    metasploitstealcvidarxredxworm41d35cbb974bc2d1287dcd4381b4a2a8a21440e9f7223be06be5f5e2f94969c7backdoorcredential_accessdiscoveryexecutionpersistencepyinstallerratspywarestealertrojan

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Metasploit family

      metasploit

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Modify Authentication Process

1
T1556

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Authentication Process

1
T1556

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks