Overview

overview

10

Static

static

3

8ZSZQ_random.exe

windows10-2004-x64

10

8ZSZQ_random.exe

windows10-ltsc 2021-x64

10

8ZSZQ_random.exe

windows11-21h2-x64

10

8ZSZQ_random.exe

windows7-x64

10

8ZSZQ_random.exe

macos-10.15-amd64

4

Resubmissions

15/02/2025, 17:38

250215-v7s4wavqer 9

15/02/2025, 16:59

250215-vhpedsvlbs 10

15/02/2025, 16:37

250215-t447astqav 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8ZSZQ_random.exe

  • Size

    1.8MB

  • Sample

    250215-vhpedsvlbs

  • MD5

    411303148c2c132ec3b30a97c1936cf9

  • SHA1

    9693f9e29924d1bbb1bf87f10707c74d1df7e996

  • SHA256

    dc9c553a3ff7574b1007f70a911f10ca22590a7661dfb84a25c5009d1b564fbb

  • SHA512

    f27dce51cbed73bb3f1b8fb977d3168f5778bab24b4c762f16333adfb9d93ce1b476a3277d994ee429781919385846c68c618c5d72b38ca6a7bc82f9c658dbdd

  • SSDEEP

    24576:5oplyMtRrcEVZQuiws76pon4/JaaT2cEMeUkt2BgHTczSS/yyvX6em4yWgw:5opPR5ZQuiws76p/iSiAllyyvdm4I

Score
10/10
amadeypovertystealerstealcsystembcxenoratxmrigxorist9c9aa5renoadwaredefense_evasiondiscoveryexecutionmacosminerpersistenceprivilege_escalationransomwareratspywarestealerthemidatrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.netzero.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    also932

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

systembc

C2

wodresomdaymomentum.org

Attributes
  • dns

    5.132.191.104

Extracted

Family

xenorat

C2

196.251.87.37

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4782

  • startup_name

    nothingset

Extracted

Path

C:\Program Files\7-Zip\HOW TO DECRYPT FILES.txt

Ransom Note
YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE https://coinatmradar.com/ (find a ATM) https://www.localbitcoins.com/ (buy instantly online any country) 1. Visit qtox.github.io 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - 677DD06ED071E4B557FF3D9236ACD21AFECBA485C6643AB84F766060B967DC6E0CFC34DDD9A0 Subject : SYSTEM-LOCKED-ID: 90890423 Payment 10 000$ BTC
URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Targets

    • Target

      8ZSZQ_random.exe

    • Size

      1.8MB

    • MD5

      411303148c2c132ec3b30a97c1936cf9

    • SHA1

      9693f9e29924d1bbb1bf87f10707c74d1df7e996

    • SHA256

      dc9c553a3ff7574b1007f70a911f10ca22590a7661dfb84a25c5009d1b564fbb

    • SHA512

      f27dce51cbed73bb3f1b8fb977d3168f5778bab24b4c762f16333adfb9d93ce1b476a3277d994ee429781919385846c68c618c5d72b38ca6a7bc82f9c658dbdd

    • SSDEEP

      24576:5oplyMtRrcEVZQuiws76pon4/JaaT2cEMeUkt2BgHTczSS/yyvX6em4yWgw:5opPR5ZQuiws76p/iSiAllyyvdm4I

    Score
    10/10
    amadeypovertystealerstealcsystembcxenoratxorist9c9aa5renoadwaredefense_evasiondiscoveryexecutionpersistenceprivilege_escalationransomwareratspywarestealerthemidatrojanupxxmrigminer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • Detect Poverty Stealer Payload

    • Detect XenoRat Payload

    • Detected Xorist Ransomware

    • Poverty Stealer

      Poverty Stealer is a crypto and infostealer written in C++.

      stealerpovertystealer

    • Povertystealer family

      povertystealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Systembc family

      systembc

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Xenorat family

      xenorat

    • Xmrig family

      xmrig

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

      ransomwarexorist

    • Xorist family

      xorist

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Renames multiple (10800) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Stops running service(s)

      defense_evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Drops desktop.ini file(s)

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Browser Extensions

1
T1176

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Power Settings

1
T1653

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Hide Artifacts

1
T1564

Resource Forking

1
T1564.009

Impair Defenses

1
T1562

Modify Registry

6
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Query Registry

6
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks