Overview

overview

10

Static

static

3

bomb.exe

windows7-x64

1

bomb.exe

windows10-2004-x64

10

bomb.exe

windows10-ltsc 2021-x64

10

bomb.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bomb.zip

  • Size

    4KB

  • Sample

    250222-tz19vavqz5

  • MD5

    4d9bd8dafb8299d0fc3fc98f8b8c27d4

  • SHA1

    f3b375208d793e65faabfd237c5391b49f381908

  • SHA256

    94936fb4c7bed2e7233fade7980425b0300451d76a7ac9329c604886e2a9a013

  • SHA512

    5e1efbbe50bdbdea6efe2314ac34eb6c185353318f1171b363062cd88d99f567fef66cacf8c05520dea664c1004e24f74f89db4979e7a17da8f74d022e164e65

  • SSDEEP

    96:iNTZjYifQ0FS3KtpSSIvWClq6gXhiVIntbmfPWu+JtHmfinZxNpph3NPv:iNNjlQR3KtZtCqhiV0qOJjnZxNfh3t

Score
10/10
asyncratmimikatznjratphorphiexredlinesectopratstormkittyxmrigfeb2025hackeddefense_evasiondiscoveryexecutioninfostealerloaderminerpersistenceransomwareratstealertrojanupxworm

Malware Config

Extracted

Family

redline

Botnet

Feb2025

C2

176.65.144.135:65012

Extracted

Family

phorphiex

C2

http://91.202.233.141

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :A1E99C39311B397126C5E023DD7FFFECDACFE77BF5C7B261BF80BBE5F51AC937A8ED476380AAD8141B5CCD5A3333E1AC68B85D701595667ACEA3A515B705E0677110930A9626288C945B8D4D955B42B7DD0A3832E30F9E6D560377300A7BA5F650E97D4E82A75080668515373396D2048817A4D842A2B41823031F60A11E1A1933D7E2BF21A1E68C0EBA57B607F942086D57B8B5F14C0E81FD929A9C1FBE7936E50BCA773DB02CB7995710C39446648AD6534E5D05B00C293D73701B8882307A9D645FF161A7FE85BB4116314367754173B1830D729008C8941755835D842070C56E9EACD70552D2C90D10CF3161C4747699908D4D3DFC73B20C093F5A7011BF2B584D4B8434A3158780BB3620188E65A29C6890649B58BBE0649B30C83C0BD4448BA493B14C5BD0E8AD6F41B777FA41B41A14A499966F8098CD76B7A665797766798F794F5BB0E8B388E24E1662BD57BC69C4E04D1A6B8A18B870C18E1E30A7948BBBAA7E3BDB4C49BD9FE5E500D84DFB900110DECB74385C6BE42D05361B7A24E3321B999CF41DC98D2BA452C7F0DA2763A74CAF046E70D12160481EE5880338FE65CBCE43FCFEA047805CFA3777649E5B77DC51DCF816A68F602E45F1ECAFE9840D9DF48794D0C51788A56183B9D35CDFEB18F1983BD378ACCECAA1ECAB8135020A6395FB764208393F5BD938D4C316584F9C6507BDB1F76175A15C5BA2852851790F7FA210D8DC520B05D030FD23AEE1631D10F7B1D71FF08216D4504F4160737FF2017390CA9BC0706D9099EC5A3CA722EFE1C7614FEB34109E21E60A1DCB2D2EC5BBA02FBEA881B6813F3A4C2084E461395C8055DBA6182E8D2DDE8A5B861AF7F54F23465D6A774291F145D71B2EC886FABA480DF1B9BE88C3978F351D6D3852B405E40AEF5A54BF367ED3AB569C66F1F54B932878F95DA68EDDEDF258D6382C257109A7000FD82E6E234E0CA19D9EB8693DF2D0271EEF9250E9BC5495D56558E0B0A7D331041A55F34EB67BC2864A5AD100EBC6F9BF5836D8BE668073EB9AF3E4505ADFCE43040AD4300498CC9F7AEA37F4B11E74594469EB960083E867463617AAA3ABEEFBE24AF15A10EA09A873D44C20E5B682D6D9F5CE9FEB1A8675AEB87DD2AB9B47FE4C99FA8AB606C196714A38A513846D932AA0192D73CC565B3DE039332277A381472C4F4CA77631A7FDC7FCFB3E0E2125AAFA3D34DA1DF319F2313D03A6180349BB885693EEF7384FCA45521A3D8698FE68EBDCC6B41B6621403F8D72124EDD52BA96A57A8231EDBDC4E1A466F7FFAF1AD5FBCC69C25199AFA382B0F336CB83576ECBC24A25F444741FC7CC24DC9D76349798216AC1DDD4C973D419CEC8FA402200350A054BFFF100A8D81BDDE299ED63F6C068B1BE3F3BE1887C1E0B15B63D37B3DA1A410C919B91B24CA0BB66C638F59AC31D1B3B7E7272898AFADB59CB19B4634A2C273B2D7F3707A3981AF16347C772ECD0FA6B0BECC25E836191968BF68E0114BC29AEB5FF2097BC705F967FF6A2151A0DD9C2A476C697B2936E05728480BE657322266D4AD8FA30C68AF59388BE6C75565A0C15E03E3FC351EFE46F416CB65941C95E823780E5E7E15454051FBCC25C58FAA7312E9B36B87A0181E833103BC5CECB9D1603A063E6F19F011ED1ADED3F24D6D6EF152F23336085804A701D2E7385518854078F4C2197B3DD54434136C7F80C81091B255075AADFD01338A824E91854CBF7CD90319E624B50BFE7EE4D33BB62B171E8F22B9C7E96F32DCD79774853A1DE71C2594E6A067B633E296C110D37A1B6B3D58DD8D27B43A7232179779AEADA4728FB350C81CD1CFF93A8ABAD38C1BE9D3CDDF47B61E0A49227903B4F74D65C048085D2FB622348FB1CCDD6DE42773991B98CDD140669DFEB6B292FED80107C7FCB80AFA18398C65E7EC2634716A212342528FF390EF7BD4766BE02B3E813DD8F3E749E1D678D3F52E36967C1DF95075D884DB1A4D94CB52160FF8921D95AAF2962FCC618666CBB69D21E382826FDF4C80EDD4D165D4929467E689099BED0848A012C6B2DA0C6D19A72FC9103ADB8CC56614B01918F4489FE3DBC16CF89FEE7BF962475F4F101F4024F9C830BFC7AD5E24326F6CF6B884574643FAFD9C3B898EE69B3A84507EF15605777A2B5EEFD786B074B3A3E3559A40725686A86EC691D59E9976E41F2F68442992768BD4BFF0ECB21411240634FC98464F593D0BB66443D6E3C12E59765A98024A25284EFFB6D812BB9EE8606322A7F9E300E7A0D6137217071C712ED6DB0C7504BF1E28BA4A40D0989A5467428D223E99A0976A72B8745828CFF001AC5E393F8D488475CDD46086224523E3DE555FF0720CD2EC6

Extracted

Family

njrat

Botnet

HacKed

Mutex

53$79$73$74$65$6d$33$32

Attributes
  • reg_key

    53$79$73$74$65$6d$33$32

  • splitter

    |-F-|

Targets

    • Target

      bomb.exe

    • Size

      12KB

    • MD5

      a14e63d27e1ac1df185fa062103aa9aa

    • SHA1

      2b64c35e4eff4a43ab6928979b6093b95f9fd714

    • SHA256

      dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

    • SHA512

      10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082

    • SSDEEP

      192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

    Score
    10/10
    asyncratmimikatzphorphiexredlinesectopratstormkittyxmrigfeb2025defense_evasiondiscoveryexecutioninfostealerloaderminerpersistenceransomwareratstealertrojanupxwormnjrathacked

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • Mimikatz family

      mimikatz

    • Njrat family

      njrat

    • Phorphiex family

      phorphiex

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Xmrig family

      xmrig

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • XMRig Miner payload

      miner

    • mimikatz is an open source tool to dump credentials on Windows

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      defense_evasion

    • Stops running service(s)

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence like scheduletasks on a host.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

1
T1070

Clear Persistence

1
T1070.009

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks