General

  • Target

    Malware.2024.12.25.7z

  • Size

    359.1MB

  • Sample

    250131-wedn6avmal

  • MD5

    2773b9f8be935e4a903c1925dcf9d054

  • SHA1

    2c558feafd59d269472fbf3fee4cae8a0b085b0a

  • SHA256

    2e96258f3dd21d059f59831295d32d324a849c87bc5a2149a49c97fcf5783558

  • SHA512

    0fc4adc14ff767e107db9fc21dce50330805a58eee6fe075ba2328ba4b8b8ff4922eb79df2a53a9505ac8d2f591e35d0b2887e3ea23ff4f02f92e8b50427e52b

  • SSDEEP

    6291456:DUgWs0RbrHe8lNBENzpb6wGjZygOOKPZVa9nl/EuT5U1PlU9eK8DK:cs0Rr+SypCty9a+zlU9iDK

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Extracted

Family

lumma

C2

https://rapeflowwj.lat/api

https://crosshuaht.lat/api

https://sustainskelet.lat/api

https://aspecteirs.lat/api

https://energyaffai.lat/api

https://necklacebudi.lat/api

https://discokeyus.lat/api

https://grannyejh.lat/api

https://spellshagey.biz/api

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

192.168.100.59:6522

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    9999

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.64.3:4444

Extracted

Family

simda

Attributes
  • dga

    gatyfus.com

    lyvyxor.com

    vojyqem.com

    qetyfuv.com

    puvyxil.com

    gahyqah.com

    lyryfyd.com

    vocyzit.com

    qegyqaq.com

    purydyv.com

    gacyzuz.com

    lygymoj.com

    vowydef.com

    qexylup.com

    pufymoq.com

    gaqydeb.com

    lyxylux.com

    vofymik.com

    qeqysag.com

    puzylyp.com

    gadyniw.com

    lymysan.com

    volykyc.com

    qedynul.com

    pumypog.com

    galykes.com

    lysynur.com

    vonypom.com

    qekykev.com

    pupybul.com

Extracted

Family

njrat

Version

0.7d

Botnet

HaCkEd bY LoKn

C2

customers-edmonton.gl.at.ply.gg:28608

Mutex

5a0e6576524fad771bccf79eb40f7eca

Attributes
  • reg_key

    5a0e6576524fad771bccf79eb40f7eca

  • splitter

    |'|'|

Targets

    • Target

      2024-12-25/unknown-c954abcdf28a143f9389ba7de8a5c7732a200f8d1e69bd03b1e682bfd660359f

    • Size

      364KB

    • MD5

      8e08c75488ef0ba0b09c478071ea5b9d

    • SHA1

      aa178f746d8665bb3950ba9753124aff96fb60c9

    • SHA256

      c954abcdf28a143f9389ba7de8a5c7732a200f8d1e69bd03b1e682bfd660359f

    • SHA512

      790c8a623facf6007aa3dec2ddf4cbe7538bee8e0fced908088804f1b3a7b95676449be9e96b5f57ea922b08af2d74af168918955c22416c04c41533695950b9

    • SSDEEP

      3072:Wv/EkT1AKbNVCsBgyquI4OWbyGv/EkT1AKbNVCsBgyqudWWbyC:f2AKbNVCnRjWbyP2AKbNVCncWWbyC

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      2024-12-25/unknown-c97924ca68b45c526430850cf3a560f1e86899680ebeab4abf9c665adbe2d188

    • Size

      27KB

    • MD5

      fd30d592b1afb6ab8d2fe3f075783980

    • SHA1

      00a97512a7f3163341c98925d19c3a5c12a8b6ff

    • SHA256

      c97924ca68b45c526430850cf3a560f1e86899680ebeab4abf9c665adbe2d188

    • SHA512

      0fa85dabf044a530639c5936933008c1afc1950ecdb104e18c5803f7a8287da6dd9e156163d59d6c106b7ecf3f0b59a397c46ed7601257c1a2ae16ef487d4466

    • SSDEEP

      768:PiJWswOKqW0kgc8Ch7ry96uTNgaLVKxSv1k+NhZ:+q8Y7ry9rNLVKSv1kshZ

    Score
    3/10
    • Target

      2024-12-25/unknown-c9b4bcd53dae4000069befc3a53329f4ad7f104b8823fefe389ed280cde1c8e2

    • Size

      1.3MB

    • MD5

      5d3424428668d779f83f9798a6c4cc00

    • SHA1

      a8df2536f0adc4d4c2ecfaba8b1d363d55f10b4a

    • SHA256

      c9b4bcd53dae4000069befc3a53329f4ad7f104b8823fefe389ed280cde1c8e2

    • SHA512

      81d54419fbea6e008cfbaf5559d0cf3d28abfe432b60cce04fb947f13e0a87bd97aa706ac870bb724474bd6c79e533dc98690afab6d1ac1e7b72f3e8d8ea3002

    • SSDEEP

      24576:kz9GkqDjo0IVw226WctECfw+Jwz/S/67I7dK5HfGoeUQ5OKpmxGlid9YRg2V:wGjjo0Iu7gEow+W7SC7I7kfGorQ5EMS4

    Score
    1/10
    • Target

      2024-12-25/unknown-c9ce76d4b2157e69ef18b8467d1194590d637dd2b877c892a80b918889cebd20

    • Size

      100KB

    • MD5

      03183c62267740445f051f8490fedbd0

    • SHA1

      dc4a2b9defca23554170984c20ff7c078e9687e2

    • SHA256

      c9ce76d4b2157e69ef18b8467d1194590d637dd2b877c892a80b918889cebd20

    • SHA512

      bc4a00d35d7ac43f4905071c155aeb96b684e6225c15d4080ebfc830210b401e9e21be565df0099457cadc433fcf03d8c8d00973f5ce5146f6d3e9fc49e4169e

    • SSDEEP

      768:deUuy0M6fcbZ8H0HBC6pQSKkO+lxWK21xceBnjdX05ccXG5v:d7uy03oZ8H0HgmXZ16uc8M

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      2024-12-25/unknown-ca83e47eecf1e3463c8c053493623e206b8d5d4838d8c1dd3c6f67703d2d7b07

    • Size

      28KB

    • MD5

      a0390011f28f9327c6e9067b18401d70

    • SHA1

      016a291fd773dbff721835d3071bdb030016aecb

    • SHA256

      ca83e47eecf1e3463c8c053493623e206b8d5d4838d8c1dd3c6f67703d2d7b07

    • SHA512

      4f1dba605e9119c4313c6020b0aa1e90afea56ccc17632ac3590c7097f17c4cbbb36a5419753be6ad3a6dd9438f7aff633f794af256c96a4ab172ca57ee2c286

    • SSDEEP

      768:VlllwOlSlmlUlylBqZo/ITLK1BlM9XOTyu6uTNg4k75THrME:o9XOTyur7klTrME

    Score
    3/10
    • Target

      2024-12-25/unknown-cae83eb36377a14b719f102684b05495da325419539caf8ceaeb1c090d6647f3

    • Size

      337KB

    • MD5

      321bd9a966a3fa3ceb82a340f922cd60

    • SHA1

      b98c31ef31a2740179fa8a78547d91cedb3f1850

    • SHA256

      cae83eb36377a14b719f102684b05495da325419539caf8ceaeb1c090d6647f3

    • SHA512

      00294761973cb9cee5c4128b8c58f9aa19583e10a528ec2b7a0105c6491ec91678f6169aad01d6280b0201ae64097a896d0050cb89ed0507c85e917c109d663d

    • SSDEEP

      6144:5xTLIOK0K0K0K0KWgWNJRFytJXr38BOYCC8tflSHPhvX2dethw2HzPCQAE:5lL/3RyHb3JYCRtdU5vX2dK6QAE

    Score
    3/10
    • Target

      2024-12-25/unknown-cb63045d23bf4484b25ada69256faaae4f67daad194601ad6942045e1d4b9b86

    • Size

      27KB

    • MD5

      b288ca52d1787598422f9764b588f300

    • SHA1

      5d9c7b24ed7e100d6b816f12a090fc4323d59f9a

    • SHA256

      cb63045d23bf4484b25ada69256faaae4f67daad194601ad6942045e1d4b9b86

    • SHA512

      4a1a768d9fc5b95a0753bc22696a8696815080a1de7d4717904841bacdab0c15074d93041c4545d8076e705420373faa33ba624fdfa82923639de5cf33a8d680

    • SSDEEP

      768:4ZpQdeROKsgRgep6b1/s2+wp2J7fe6uTNgkApO6c:Q2h2J7erP2c

    Score
    3/10
    • Target

      2024-12-25/unknown-cbf9a2d0623e8013ac45924fc3fb45a5533dc71245e097c4d5fcbaf662bee97f

    • Size

      472KB

    • MD5

      cf87635c34c4b8a6e6dcf2c4b94568b0

    • SHA1

      b0f1a1006135068e0c2ab19eb0019ad0963cb1e1

    • SHA256

      cbf9a2d0623e8013ac45924fc3fb45a5533dc71245e097c4d5fcbaf662bee97f

    • SHA512

      18041e3b191c9af6ca5ffdeb67043e357c7f1cf4fe8a874713a1321af73dd576e81463e31d75d69cba1a378faea7ea80d31fc19244c5e622edaf714b76d8426b

    • SSDEEP

      3072:7qB8RinudiP52xx67lLdkiHDouqkqlT1N1wWJGIFf0HStVa:77kgiPA6RaPuJkT1NyyGI3Va

    • Target

      2024-12-25/unknown-ccfd8ab65761b50dd4d699f374d27b375442cfe75cb2c785a59b7fe8463d01b5

    • Size

      2.7MB

    • MD5

      b6c0b8f301a977e10c5cae4c226291f0

    • SHA1

      471d41a7d1bc97a40307e7d77d363a73062ccb6d

    • SHA256

      ccfd8ab65761b50dd4d699f374d27b375442cfe75cb2c785a59b7fe8463d01b5

    • SHA512

      ca78ea0e477f93e438a7a37d20f2876da540ed9f1cbd51411cac5e4c1003041e53ef6c94b126af657e8d9cc34d45b4b9d17269a41d19a849d7bf103c8459272c

    • SSDEEP

      49152:vh+ZkldoPK8Ya8zPp4NE88c2TL8HoBW0VOnNfo4hDc+J+Hl1KH0PHQ2R4avMEO:42cPK82zPp4NE88c2TgHyb0NzhDcyKU7

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      2024-12-25/unknown-cdd11a2f5d99974d26ac33916b8d0070be80c2cf1e30b9fb7c75d0dc47ea92e1

    • Size

      83KB

    • MD5

      30623e60f9495bc32e91cc76526baf40

    • SHA1

      1550c5e9c379c9e101785e87256df19dca16eadf

    • SHA256

      cdd11a2f5d99974d26ac33916b8d0070be80c2cf1e30b9fb7c75d0dc47ea92e1

    • SHA512

      752825844262849f0af378b8440ecea08bfefc84534c4a112bc22983640a9d50e7ee5980a24fb34f209cebee2e66e567e529726b17fe8ce2cb2c572c439cb62d

    • SSDEEP

      1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+PKO:LJ0TAz6Mte4A+aaZx8EnCGVuPP

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      2024-12-25/unknown-ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432

    • Size

      3.9MB

    • MD5

      ca535cb7f416a9b0c6404cc5d9d0c380

    • SHA1

      afa7cc852d8f33ad8fdc34ec24acd7ffa5250d06

    • SHA256

      ce8201ef3f097f928288c638ee20cb440fa4a4861c77ff5473669f9a4dfa1432

    • SHA512

      46d804e65a4b9d1c0080672ce470f9610d3fc45f37b91c4d52af1faab48d73ffe24db63015e80086146898cddb0d0bd00643d1a0682cbc6ce3bc84182b871854

    • SSDEEP

      98304:n7gPBIcLPRvhj1yj/9R9T5/gKxzD0d0WMdS0kGmd:ILzj1G9T5JxzD00NSd

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Adds Run key to start application

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      2024-12-25/unknown-d09dfe69897a47aebdcdfd83245cabd2be0e3e595aa1413f3b266fea36e289d8

    • Size

      52KB

    • MD5

      878873bd862bf018936e6d9a2625c360

    • SHA1

      48e7fb752620b3bab1eac475e54af6c50f097a68

    • SHA256

      d09dfe69897a47aebdcdfd83245cabd2be0e3e595aa1413f3b266fea36e289d8

    • SHA512

      07a9681c437a03c0f5f1fa7da18d71ce1651c7f91187a47609ca735d6824b98a895da87847a62815a75b3572b24d724e7837ae3f697331eefeaedcad7981a05a

    • SSDEEP

      1536:e6q10k0EFjed6rqJ+6vghzwYu7vih9GueIh9j2IoHAcBHUIF2kvEHrH1hyhuhrhR:E1oEFlt6vghzwYu7vih9GueIh9j2IoH+

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      2024-12-25/unknown-d0ce4f86c7c8d588c7fba7de0e6d355c01706235a109e38ea9311822025967f4

    • Size

      1.7MB

    • MD5

      1bbd2a243954ca0a2f2cfcfb59a87bc0

    • SHA1

      78e3305f5c3a1c6a2868eb84676f5375c39e6f37

    • SHA256

      d0ce4f86c7c8d588c7fba7de0e6d355c01706235a109e38ea9311822025967f4

    • SHA512

      0632729c71d3b3dafa24fd0e646d25abf5b79dc0d7bce85337bf9dc2e3c5304c6ed72995bf632629571229a2ec5afc7559d64ddf66aac3aca2ee7b1ad0f6f6e0

    • SSDEEP

      24576:vBF672l6i2Ncb2ygupgrnACAmZ/NwFC31G3AcMxA7DELKcW7wpebBQLn2IBP3WK0:r56uL3pgrCEdMKPFotsgEBr6p

    Score
    1/10
    • Target

      2024-12-25/unknown-d1bcae648806631aa0f124c1b9d3af3b736e7f15dd90a64b83059c2ce4ddf427

    • Size

      1.3MB

    • MD5

      a08b509805e03ece9a6e79c0fb60f47d

    • SHA1

      d1b43ad8a4226180a68699934f297b7fade0b6a5

    • SHA256

      d1bcae648806631aa0f124c1b9d3af3b736e7f15dd90a64b83059c2ce4ddf427

    • SHA512

      5d8ec48750208292d340924dbc089c804c42fefa3735f7cbff2f7beaf4dca5f90fb9e6da248c8b651532b8c821e5eda7f9b5c8556401e9abeb51c45621b3f7cb

    • SSDEEP

      24576:kHLOsDFncLmKDZOSzXFZv8uCHLOsDFncLmKDZOSzXFZv:eEzjQEzP

    Score
    3/10
    • Target

      2024-12-25/unknown-d1ec2ec2825c2de7f5a5cfc4ebc53592c6db75e26b219034b7c22e97f097e555

    • Size

      19KB

    • MD5

      469300734563789567bfd4441caf8c40

    • SHA1

      4d8c373468411c819405a62cba0b210199c0b947

    • SHA256

      d1ec2ec2825c2de7f5a5cfc4ebc53592c6db75e26b219034b7c22e97f097e555

    • SHA512

      4d85481d1a9c156085eb11392345b7c856dc0bf717a2700cf0e29e577651f3728eaa39f50800d2a8e73745eda0332256b5dcc396e2a42e2cef17810a64bb0cad

    • SSDEEP

      384:qPvquYE0TcRs4gFUUUUUUUUUUk+If1BBNfPg4S3MxzIDTx:q6uTNgLGVlgU8Z

    Score
    3/10
    • Target

      2024-12-25/unknown-d285c12ef03d01f32a22ac776551028025c0f9a4e51ffb4c379dc3280a6b9a66

    • Size

      54KB

    • MD5

      dcab7ab13df1b2699165f6b13fac5f50

    • SHA1

      bd65c6b4ce1dc2681b410be9e77075835c47ece3

    • SHA256

      d285c12ef03d01f32a22ac776551028025c0f9a4e51ffb4c379dc3280a6b9a66

    • SHA512

      0dfc5ff6a89dce2a52df427ae9f59b421e49596615403d79acb5de61597d6af1e997f527357ba5f857a38921ef8dc38acf7d8c2a74d8fc58ce0acd9eff8a4f62

    • SSDEEP

      768:NuzdNIggou41dMV+foYlP13HUuK5jmpFVdIuj1lMfYrlI7WQYU214u7NuyVN:0zIW1dMV+foY56pmnVWSqwxiWKC8yH

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, aspackv2, rat, stealer, backdoor, fakeav, spyware, lime, themida, vmprotect, pyinstaller, hacked by lokn, xred, berbew, urelas, gh0strat, dcrat, lumma, warzonerat, neconyd, floxif, fakeav, njrat, metasploit, quasar, sakula, simda
Score
10/10

behavioral1

discovery, upx
Score
5/10

behavioral2

discovery, upx
Score
5/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

discovery, upx
Score
5/10

behavioral8

discovery, upx
Score
5/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

berbew, backdoor, discovery
Score
10/10

behavioral16

berbew, backdoor, discovery
Score
10/10

behavioral17

discovery
Score
7/10

behavioral18

discovery
Score
7/10

behavioral19

discovery, upx
Score
5/10

behavioral20

discovery, upx
Score
5/10

behavioral21

Score
1/10

behavioral22

defense_evasion, execution, persistence
Score
8/10

behavioral23

discovery, persistence
Score
7/10

behavioral24

discovery, persistence
Score
7/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10