Resubmissions
25-01-2025 23:19
250125-3a9dlavrfq 1025-01-2025 00:39
250125-azr7dswras 1025-01-2025 00:32
250125-avsblawpdx 1025-01-2025 00:29
250125-as5h5swnfv 1004-12-2024 19:44
241204-yftswatlcj 1028-11-2024 19:40
241128-ydqnfaxqgy 1020-11-2024 16:31
241120-t1tw6azjfy 1020-11-2024 06:05
241120-gtdv5ssnes 1020-11-2024 06:00
241120-gqchxascje 1020-11-2024 05:52
241120-gk2kvaxkgn 10General
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
Sample
250125-as5h5swnfv
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe.zip
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win11-20241023-en
Malware Config
Extracted
quasar
1.4.1
Office04
hilol.zapto.org:20
5.144.179.134:1604
0.tcp.us-cal-1.ngrok.io:15579
11bbf22e-826e-486b-b024-adbd86228a9e
-
encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
ctfmon
-
subdirectory
SubDir
Extracted
xworm
5.0
md2hTRMYBpbXprs1
-
Install_directory
%AppData%
-
install_file
Steam.exe
-
pastebin_url
https://pastebin.com/raw/Pit7WkAV
-
telegram
https://api.telegram.org/bot7494729704:AAGLY8mnPxkjjCvoEz520yCBT4GLhlnhRaI/sendMessage?chat_id=7222032715
Extracted
quasar
1.4.1
DDNS
193.161.193.99:32471
807f3187-d087-4fff-beff-e73293a32af8
-
encryption_key
81A0C14D4C705B3C678E573C849DE7F6A3671A8B
-
install_name
jusched.exe
-
log_directory
CachedLogs
-
reconnect_delay
3000
-
startup_key
Java Update Scheduler
-
subdirectory
Java
Extracted
xworm
45.141.26.134:7000
-
Install_directory
%AppData%
-
install_file
svchost.exe
Extracted
quasar
1.4.1
microsoft
193.161.193.99:25170
06cb3c8b-d800-42d6-af01-12c4e1f138b0
-
encryption_key
95C77D90C8A49F5740548C8A0A430C41732B639C
-
install_name
runtime.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
82.193.104.21:5137
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Extracted
asyncrat
0.5.7B
Default
ratlordvc.ddns.net:6606
1.tcp.ap.ngrok.io:21049
18.141.204.5:80
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
tesst.exe
-
install_folder
%AppData%
Extracted
asyncrat
0.5.8
Default
0.tcp.in.ngrok.io:10147
Q52IWD1RYgpZ
-
delay
3
-
install
false
-
install_file
Listopener.exe
-
install_folder
%AppData%
Targets
-
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
-
A potential corporate email address has been identified in the URL: [email protected]
-
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
AmmyyAdmin payload
-
Ammyyadmin family
-
Asyncrat family
-
Detect Xworm Payload
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Njrat family
-
Quasar family
-
Quasar payload
-
Xworm family
-
Async RAT payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1