General
-
Target
Malware.2024.12.25.7z
-
Size
359.1MB
-
Sample
250131-v87nnasmdv
-
MD5
2773b9f8be935e4a903c1925dcf9d054
-
SHA1
2c558feafd59d269472fbf3fee4cae8a0b085b0a
-
SHA256
2e96258f3dd21d059f59831295d32d324a849c87bc5a2149a49c97fcf5783558
-
SHA512
0fc4adc14ff767e107db9fc21dce50330805a58eee6fe075ba2328ba4b8b8ff4922eb79df2a53a9505ac8d2f591e35d0b2887e3ea23ff4f02f92e8b50427e52b
-
SSDEEP
6291456:DUgWs0RbrHe8lNBENzpb6wGjZygOOKPZVa9nl/EuT5U1PlU9eK8DK:cs0Rr+SypCty9a+zlU9iDK
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
Extracted
urelas
218.54.31.226
218.54.31.165
Extracted
lumma
https://rapeflowwj.lat/api
https://crosshuaht.lat/api
https://sustainskelet.lat/api
https://aspecteirs.lat/api
https://energyaffai.lat/api
https://necklacebudi.lat/api
https://discokeyus.lat/api
https://grannyejh.lat/api
https://spellshagey.biz/api
https://movementby.cyou/api
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Extracted
njrat
0.7.3
Lime
192.168.100.59:6522
Client.exe
-
reg_key
Client.exe
-
splitter
9999
Extracted
metasploit
windows/reverse_tcp
192.168.64.3:4444
Extracted
simda
-
dga
gatyfus.com
lyvyxor.com
vojyqem.com
qetyfuv.com
puvyxil.com
gahyqah.com
lyryfyd.com
vocyzit.com
qegyqaq.com
purydyv.com
gacyzuz.com
lygymoj.com
vowydef.com
qexylup.com
pufymoq.com
gaqydeb.com
lyxylux.com
vofymik.com
qeqysag.com
puzylyp.com
gadyniw.com
lymysan.com
volykyc.com
qedynul.com
pumypog.com
galykes.com
lysynur.com
vonypom.com
qekykev.com
pupybul.com
Extracted
njrat
0.7d
HaCkEd bY LoKn
customers-edmonton.gl.at.ply.gg:28608
5a0e6576524fad771bccf79eb40f7eca
-
reg_key
5a0e6576524fad771bccf79eb40f7eca
-
splitter
|'|'|
Targets
-
-
Target
Malware.2024.12.25.7z
-
Size
359.1MB
-
MD5
2773b9f8be935e4a903c1925dcf9d054
-
SHA1
2c558feafd59d269472fbf3fee4cae8a0b085b0a
-
SHA256
2e96258f3dd21d059f59831295d32d324a849c87bc5a2149a49c97fcf5783558
-
SHA512
0fc4adc14ff767e107db9fc21dce50330805a58eee6fe075ba2328ba4b8b8ff4922eb79df2a53a9505ac8d2f591e35d0b2887e3ea23ff4f02f92e8b50427e52b
-
SSDEEP
6291456:DUgWs0RbrHe8lNBENzpb6wGjZygOOKPZVa9nl/EuT5U1PlU9eK8DK:cs0Rr+SypCty9a+zlU9iDK
Score1/10 -
-
-
Target
2024-12-25/unknown-df6ecbdc8f043bbe3a4018a4fd3734c474761e1c7505fb0917df4fb808087e19
-
Size
404KB
-
MD5
396c0381b8d72ffbbb918d18ac54d8f0
-
SHA1
06651cd165a3b941293f15522b933ea518df0421
-
SHA256
df6ecbdc8f043bbe3a4018a4fd3734c474761e1c7505fb0917df4fb808087e19
-
SHA512
453a0b080ddccf2f5f4745bb1089f2ef532f625b80ae0e2e7327569952b306b7162174a681f3da0202eb6fc32c84d520d468a6418a876b86358c57440f9335b1
-
SSDEEP
12288:QgjabOp8LGlSN+nMuwjy5R3tTbQrcoKHnd5yb:QuUOpMGlSsMuwy5R3lsQHd5
Score1/10 -
-
-
Target
2024-12-25/unknown-e0b170a4440b174bb3d6bd6c5abb8833cd7eae6eadc74d4176c8bb8a4b38ca8a
-
Size
27KB
-
MD5
c372eae14e8e8a896c6061974a07a8d0
-
SHA1
a8afe32850219a36cc17cf9b40dfd1713efbdf14
-
SHA256
e0b170a4440b174bb3d6bd6c5abb8833cd7eae6eadc74d4176c8bb8a4b38ca8a
-
SHA512
f80880ac0e4a5d041c35cbf0837318804262082f22362064af9e8324b944167eab698553dc263dd32dab0a3fc4b95a108e3c6778ffbe7a223ef0864739d1ff4d
-
SSDEEP
768:dZ8r4g7dfecPF6/wRVEigJHOTh4F6uTNgDt2s83:9JHOTh4FrK183
Score3/10 -
-
-
Target
2024-12-25/unknown-e1e08ee8a9d8d42268b3537c74ec3f099dc05a1cf1fd91d3c1e54084957c570d
-
Size
40KB
-
MD5
79492ffb683a8713c4fd878aae86edd0
-
SHA1
7389e41483249467341fa5b53de3a416c600381c
-
SHA256
e1e08ee8a9d8d42268b3537c74ec3f099dc05a1cf1fd91d3c1e54084957c570d
-
SHA512
53e3f11e17a49d97f5a26d6acb2b945ecbe77ed20d65c5632cc3051e9564e590ec12948bed3a05bd21135510043cb54fd6009877e185a7f70efd6bcea82c5456
-
SSDEEP
768:IYpfhjKAQ1LVfJ0mesphqecRTnIJsELWJtgcGwu2B78y19icebaR:tfhZ7XspQqsGWJe9y1kfaR
Score3/10 -
-
-
Target
2024-12-25/unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896
-
Size
380KB
-
MD5
f6801450c785d0873122146b2abac250
-
SHA1
00155ae2e2fb6221d54a02a6a37fba248361f991
-
SHA256
e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896
-
SHA512
1ede9e2a8ceb52b1a704453ef6c75075adf62dbbfc338d20d2e999fb06e95bf1ce4c1660dc6f6142e96f10dd6a7dabc5d69ab12c38fef683541455c49d33d064
-
SSDEEP
6144:PqQ1fKF0S3RN6GEFxim4SlcBjWMDibbn9o5v+Tk/M+b85BkAXP41ON2NMGEMh2Fa:PqMf4Ki59p/ML3FMhCQvjhZ3Rh
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
2024-12-25/unknown-e2c57dce7eb054b47a8f96e8be747b91ad1fce0bc0de597c9d41fce2623d9361
-
Size
249KB
-
MD5
ed043302a36912a06040b204986ba680
-
SHA1
8239e0f38cbe40a647c4a32d53475012dd412cca
-
SHA256
e2c57dce7eb054b47a8f96e8be747b91ad1fce0bc0de597c9d41fce2623d9361
-
SHA512
d2d34bf0d5f4363a4bb8104d8bb63cd36baed4e2025f55a82f47b7a8fa523e0ee377c0b0db8d1131d45430d37631c310882c835b2d362491523ec939baca8feb
-
SSDEEP
3072:dY1bLmWQlXctyar8KQWhU+Ig2iA5f04cn+SeO1qPZg6QZya9dYC1+wuiWFEx+IAt:2AW+osKQWhUC2Vpcn+ShLvxuN6ABr
Score1/10 -
-
-
Target
2024-12-25/unknown-e3dcabde5987c263aef8243cba944e442658bfcf1ad19ebbd7c78b89be0ab203
-
Size
565KB
-
MD5
4442d1b9638bfc0326ef4257989b6080
-
SHA1
8c98a03d60095a64463050f414310691f55ae5e0
-
SHA256
e3dcabde5987c263aef8243cba944e442658bfcf1ad19ebbd7c78b89be0ab203
-
SHA512
bf8b78eb9b99aea28bdbdbe1f383094addd43a2296cbc7f895d6cec5548e5efaa897c6c51a4539fcaf31af5b163a5c6b6e23c1b43e741e96fe000a513bffaed4
-
SSDEEP
12288:NW2Bmcs3RGf23tICyKlLIv0bZOLKzgnIu0n2GkHu0T4WAFi1xj:NucwGf23tICyKTbZOgu0n2x82R
Score3/10 -
-
-
Target
2024-12-25/unknown-e49324f54cdf00a226d1779157391c9c260ddb6a5179ece3276f326052b95962
-
Size
2.5MB
-
MD5
592dfc2c69751ac75147467449ed271e
-
SHA1
16df4b6679091b52db2baed0e535b22f418fed5c
-
SHA256
e49324f54cdf00a226d1779157391c9c260ddb6a5179ece3276f326052b95962
-
SHA512
f0bd781a7ba5d6f43593d0ca67daa7196207960589b7ed7c22df0f2325035b7e4527963dfe4e0111ede7b8be48e7fba30a2a4be1ac8f07d9cc432bdbc34bd773
-
SSDEEP
49152:dFUjNrQNRdtz/izuOBU0+djAeSlj2taFwuJxWvIT6tXdsQtEr8haJ:KN4vz/izuOBadjAeSlj2taSubWAT6tXY
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
-
-
Target
2024-12-25/unknown-e4c4e59c66b650e0d696b6ec194d61637a688293cd5e23be9c630f7748c74125
-
Size
182KB
-
MD5
361830025896dd90a81de43e0b7f00b6
-
SHA1
fd7be7f6fe0c9fdc44ce4f262f4be81ff5392ff0
-
SHA256
e4c4e59c66b650e0d696b6ec194d61637a688293cd5e23be9c630f7748c74125
-
SHA512
26e3b67e304f5c2766b6e4cdbdd0f05f28ed17d5308ad0280b07497df23ef4bab0cc8dd0efe6b0193a4994efdcc58d996edb7fedb7d6331f06abad9c0a23033e
-
SSDEEP
3072:YE6JJJJJJJJJJJJdtLnaZ01Tuhxgty6Ccew+bUudqnHMy+wjpo6t/LLlgNWNlxUP:yJJJJJJJJJJJJBTIxgM6qw+oudqnuCpi
Score1/10 -
-
-
Target
2024-12-25/unknown-e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b
-
Size
1.3MB
-
MD5
dcb495a0700ddc8b92f846df0b2686c0
-
SHA1
335148ad5327fbd1c49948d18f64c6573513c7d7
-
SHA256
e668037208d053a72e197f6b156805776bf8bd8823c0b850d7c6302e22eb726b
-
SHA512
b666827defe8da98b6ea93ad8245da6d0f76162ab7ef24c3f41c7c929911237f07216e7e9a10efd96877b55a56c54473e1919913f3e4e9ac98d7c871e6f72e94
-
SSDEEP
12288:U0b1/Nblt01PBExKqClt01PBExKN4P6IfKTLR+6CwUkEoIQ:U0nlksklks/6HnEpQ
Score10/10-
Adds autorun key to be loaded by Explorer.exe on startup
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
2024-12-25/unknown-e8c053991c3618b30dde741da46435044fd5ae153f78c53f526f0de329fd43ec
-
Size
42KB
-
MD5
84a65d20513405c621327bcb7df114a0
-
SHA1
459458c37b70388e7a9e8cd143216c85556b18b5
-
SHA256
e8c053991c3618b30dde741da46435044fd5ae153f78c53f526f0de329fd43ec
-
SHA512
7cd28a63c7c00d240fa7c2a2dbcddd95a9a6277949abe60dcbda16537cdecbe1cfcea8b877109a82fe6bd1360a7cd932bb630c289b46dcbad198a0ca8ba5a1a1
-
SSDEEP
768:Ui/mYqEi//zqxe+oPP3lLuzZPKqbAIJul31wpxm:Ui/mP/T+oPP3lLuBZb/JEwpxm
Score3/10 -
-
-
Target
2024-12-25/unknown-ea34039dbd854222e03748c548a5210e552bbfaa600ae0f24dfb55397a3136cc
-
Size
29KB
-
MD5
9d8b21b49bd2c3f04d3dff590a7a8e40
-
SHA1
8bac86060d5e1961f4ce70abe76d6d295138061c
-
SHA256
ea34039dbd854222e03748c548a5210e552bbfaa600ae0f24dfb55397a3136cc
-
SHA512
3e5cb12cf2c205046eaab403aca880f8ac23da5a7c11037f8d82ad51312dca4d88bb3a63143a4e8a4db48fed64d7b623dcbea06d8c2aaebb48b1fd898536e66f
-
SSDEEP
192:XXfXQZjfQEn3ZM9SYgs++WRGVc0KGxTcg:XPX6cYpGSY0RGlZTc
Score3/10 -
-
-
Target
2024-12-25/unknown-ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3a
-
Size
455KB
-
MD5
fde5e265ba6cdbb0270cbaddc3993a10
-
SHA1
f4d328bb4f667389b248f6e2509c04e153e2e87e
-
SHA256
ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3a
-
SHA512
055f22c437be2c63ae28d3bd567ca4801d2e537e9c827627d0f5003c3b21c8546abcd6e0e4b065914e5b5acc869e91e5006f2e7a70c948b40fc97221f52bd814
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Score10/10-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
2024-12-25/unknown-ec6a36915e9f9d331e80881a2336503416fc441a599fec36e2601e6f27229b66
-
Size
2.9MB
-
MD5
f7d5d4e29c1d36be102f456c38c1a510
-
SHA1
38bbb90c46d80248207f743d42c8c035017db8a9
-
SHA256
ec6a36915e9f9d331e80881a2336503416fc441a599fec36e2601e6f27229b66
-
SHA512
92652ce1fdaad522acf33b55845b7613ababf53f4a87bdf2eb9a96e56f502841dc82ab157cebe86240e51a602303187f32f1a47f5eedd9023e106d16265fb7a6
-
SSDEEP
49152:AbXP+XotFI2y6tIjn9Nq8l6NRZemtFO/9cSdT21T:AbXP+Y7I2y6Ojn9n6NTe+FO/9cR
Score3/10 -
-
-
Target
2024-12-25/unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697
-
Size
2.4MB
-
MD5
747fb3b7dffd1d3cef78812a1dea7970
-
SHA1
3bdf5b14ca2489b0bc8c3d4f66efa49a77e86b8b
-
SHA256
ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697
-
SHA512
b1a677a19563aed3b0802e7b2b674f625428e8edeefebc6fa034ef69c9afc12c4eac02cbe9bfe725e30313a0fd7e17cc16f16c6a03d6778ac533064a4b15907c
-
SSDEEP
49152:BVg5tQ7a3VVlS5J7VBVwzRNuPMmiCsHjg0B5:vg56aVVGbB2bCMCsHjg0
Score10/10-
UAC bypass
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
-
-
Target
2024-12-25/unknown-ed52a60eea60738501367935811e2f8a9ffe366ff9656cca8d4d9c78555d581d
-
Size
27KB
-
MD5
07ca6a87249da6a710a6375f0f075b80
-
SHA1
56042cdd6ae5f69332196b8d8822d42824127fcd
-
SHA256
ed52a60eea60738501367935811e2f8a9ffe366ff9656cca8d4d9c78555d581d
-
SHA512
b610ccb92348d5d9ab7dd62eff287de67a3cca3405bce6a9396ecd3a0ad3459f0cda24504ea90b7a26c89919781ad24ced1528d73c0b8b7af123c57e9228e061
-
SSDEEP
768:1lSlMulvlLl+lclcjaWzp4xQidl8UvfOMwRf6uTNg8oA/JqQe:YvfOMwRfrJ/re
Score3/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Screensaver
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Screensaver
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4