General
Target: bomb.zip
Size: 4KB
Sample: 250222-t3a7tstphq
MD5: 4d9bd8dafb8299d0fc3fc98f8b8c27d4
SHA1: f3b375208d793e65faabfd237c5391b49f381908
SHA256: 94936fb4c7bed2e7233fade7980425b0300451d76a7ac9329c604886e2a9a013
SHA512: 5e1efbbe50bdbdea6efe2314ac34eb6c185353318f1171b363062cd88d99f567fef66cacf8c05520dea664c1004e24f74f89db4979e7a17da8f74d022e164e65
SSDEEP: 96:iNTZjYifQ0FS3KtpSSIvWClq6gXhiVIntbmfPWu+JtHmfinZxNpph3NPv:iNNjlQR3KtZtCqhiV0qOJjnZxNfh3t
Static task: static1
Behavioral task: behavioral1
  Sample: bomb.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bomb.exe
  Resource: win10v2004-20250217-en
Behavioral task: behavioral3
  Sample: bomb.exe
  Resource: win10ltsc2021-20250217-en
Behavioral task: behavioral4
  Sample: bomb.exe
  Resource: win11-20250217-en
Malware Config
Extracted: C:\Users\Admin\Desktop\Decryptfiles.txt
Extracted: redline
  Feb2025
  176.65.144.135:65012
Extracted: quasar
  1.4.1
  Office04
  162.230.48.189:9050
  e1371af2-3c26-486c-a950-9db9a0954e65
  encryption_key: B29AF710516F59F4E03DA48D133686BA3D427275
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Startup
  subdirectory: SubDir
Extracted: phorphiex
  http://91.202.233.141
Extracted: C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt
Extracted: C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt
Targets
Target: bomb.exe
Size: 12KB
MD5: a14e63d27e1ac1df185fa062103aa9aa
SHA1: 2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256: dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512: 10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP: 192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ
- Asyncrat family
- Lokibot family
- Meduza Stealer payload
- Meduza family
- Mimikatz family
- Phorphiex family
- Phorphiex payload
- Quasar family
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- StormKitty payload
- Stormkitty family
- XMRig Miner payload
- Xmrig family
- Async RAT payload
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- mimikatz is an open-source tool to dump credentials on Windows.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Downloads MZ/PE file
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
- Modifies Windows Firewall
- Stops running service(s)
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Indicator Removal: Clear Persistence
  Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (2)
    PowerShell (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (2)
    Service Execution (2)
  Windows Management Instrumentation (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Modify Authentication Process (1)
  Power Settings (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Indicator Removal (3)
    Clear Persistence (1)
    File Deletion (1)
    Network Share Connection Removal (1)
  Modify Authentication Process (1)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Peripheral Device Discovery (1)
  Process Discovery (1)
  Query Registry (4)
  Remote System Discovery (1)
  System Information Discovery (5)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)