Overview

overview

10

Static

static

3

bomb.exe

windows7-x64

1

bomb.exe

windows10-2004-x64

10

Resubmissions

22/02/2025, 17:20

250222-vwwqmavlhl 10

22/02/2025, 16:34

250222-t3a7tstphq 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bomb.zip

  • Size

    4KB

  • Sample

    250222-vwwqmavlhl

  • MD5

    4d9bd8dafb8299d0fc3fc98f8b8c27d4

  • SHA1

    f3b375208d793e65faabfd237c5391b49f381908

  • SHA256

    94936fb4c7bed2e7233fade7980425b0300451d76a7ac9329c604886e2a9a013

  • SHA512

    5e1efbbe50bdbdea6efe2314ac34eb6c185353318f1171b363062cd88d99f567fef66cacf8c05520dea664c1004e24f74f89db4979e7a17da8f74d022e164e65

  • SSDEEP

    96:iNTZjYifQ0FS3KtpSSIvWClq6gXhiVIntbmfPWu+JtHmfinZxNpph3NPv:iNNjlQR3KtZtCqhiV0qOJjnZxNfh3t

Score
10/10
asyncratdiscordratmimikatzphorphiexquasarredlinesectopratstormkittyvidarxmrigfeb2025office04credential_accessdefense_evasiondiscoveryexecutionimpactinfostealerloaderminerpersistencepyinstallerransomwareratrootkitspywarestealertrojanupxworm

Malware Config

Extracted

Family

redline

Botnet

Feb2025

C2

176.65.144.135:65012

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :3E45CA3B84B08538BD021F60CB401BB5F080BDDB1AF9F74E0EE201DE53E8B11516F4392F62FC333E99C10FB8997149400F5634A8452A3C3F5FF61A785AAE402E1EADFBFD6B5A3A170382480AAD48F3E39321673498E50AEAAD1060782D38DC1B560DFA0C64040A395006EA400FEB95435E50920ACBC17B0310DA8C63A1A84C0932E7CB5A9A0EEADC3A7D24C7C0D897E545758AFBDFB27BE7C1A360AD201950116AB77B5CFAF1B409EAFD5143332EBC7567325EADE066DB7F0AD47D7A09E4B7D1C57B214E62096DD888F42E932F8A8FF7B9E3A03F77752AA6BB2BE2FF28095376A39C7231F33050EF903FEA7D123309200637BB3147D5FBEB4303348942E88AFA05274272A588EE89B18E86F2D00ADD695B82E2B4F8F4C491162AA9E1B089B784476B661465ACF610BA3F81437B28F92C1365579E4B536C42F028A61B10697DC3F4B3ADA1CE8487171FFDB3AA90E893CD71DFE456DD9A281B83FC566EB62DCB7D0C112CA4D8C8595E582BB08C7B2CE1DFF95ACCD03707EECAE9367EF03190049CED2840166FE72EDAA14A9DE1D7B1C12FA564DCAC0076DF7F5462561862CACBE939EF359BCD544CE176F8C5C2D916AE9564421367E90D677D30EB229B18A8AFB2C3A300C74A6EA5E38DE93F7739C56589A8E6BE92318C5D7B80270E333AA33A209252D287EAC7AFF2B6168895E223A456FAB6605135A26D17405E3D21B91DC625A858AB21B33E923A45F1B7ECEB63991C8E70586EB538B8F41872B36ED72877FCB266ECFCFFC62D26E3B297FC5AACAC6D1C06B4D91DD9FDD98EFA1A01F96E5E0F599BBEBED9B2DF0273BAA7A4862888256F7E001B25165985C1633C12D087F0D8BC8BFE4EBCADF84E2A0794827DA575DBF87197AA9845A9BB49ABF5537F9E4493BB8C24F9D658796820A54ADB407A7BD2C98D95DE4FCC4CE4DAD59616B6B4252ACDEA54E81AE74D8197AB2C28FDCAFD4337D21094904E4914CD8C15831281F965F0AC59E5399F3EE15ABABC7DAE3C29D9DC610B03A750191E4C7C1C630749EE09CE04F3A45E577D58941FC8BE0725CB655887EDFEEDA867547C3C79FADD1758C6B43F6B7D31816443D1E09D204EA1D1844452EDD401EEABF215877C5C7AD2A6392EE4D3A38010EC729579488CDCEDD310296A96027E201BA640A4E1D068476E3D326AEF9B9AF24B5F9A6487FCC6A6C6714848990A9FEB4D1DC090D3424F77DB19ED6425E79083C682A957309DF63AAE20DAF3BF056D312D0D9BDD1531C28558F880D7F2DC6887BF695AD69EF61EBB264986D179BDF1FA02123D8846104E0559F7C6E9C58D196B1852D7299879997284E0C5F48F4DA9C59F6E650DBD728122053DFC1543A770DBDCE7674A46A226F35BA1CB4581652285DDE25F8690008D34623674BE4B11CCA7D114077C495F1EB4ED808C4A446EDB98F1D535F7E099A3ACA99DD5A8B67EE81357D1F11862CA8F63DD2317AAD48EA2C8F7F78F920C51C3F00BD583E6E981AEEAD6A2DB0319C3876A51866DF9497F64E7F96B000442BEA065093BB542E78738DF3F503E132153FE3D8F5B6C501C1A17479F2F8200C758822A9F6C3A92E3A7E670A96C8753CA5C209C59FEA78C4EEF3CA5EA6D32ACA1493F1FAC6E93F60B11203D66543F5FD9178FC9BFC3F1CD1BFFC81E63BBAEFFD44E02257DB46C63A07368ECCC614172071CBBD1831A65BF6EEF5A6BF3A840775AC08CAAE2BEB1036310B92A23442F146FD5F5B4C7330A96C76CEB50C32DC03F6FA3B68D10154819970D16CDC89E3B0C1F13E979FF435872007A2AE8A4E3471BEB18D0CFE19F318D66B6E5AB97CE00896CAA1D56A714D698B9029AA8E28603484B36BE981D327A2D6C46C4FC595628215A1F89F096B627E4FB2072C20D80413B459E32932DA7D18DA704D49A1E80B70F88F598F3F82A21C6F7AC87619685064CE159EAB8B139BE192B918B0BB31F72BCFA5DBFD5D80FB961557D54840FE1248F367CEB5B2E8A8A80409F3FC041CEF510C7D29DA36CF35D54DD6EADBF69BE6D5ACCABB4C69F0BA417C14D09EBB0B177FDBA812F01D6055B715F049E87848C22822CFB0F402BA200CB46F9458844E81CD27FE2133E19B93F5EA1E3C4DDB445694E5B3CF1FF4351750FAE0C87553FCDCF0A2E24BEA358C8C54C976FBBA575E463B170ED7AA3D813332DFC200D71DC797286AA9626F0DD0BE332F661B9E98CE77D23013A916DF154AC065A2AE0BF40748DDAE9AC56AF6DB81B1319ECAE45388D564CF81CBC8E635BD2F35267DD300D1D8CCA825CB5530E3095751F8436B985A19918CA0C975BE2F844B64A605EC1725EE14C78C4830CCAA9A16496E6B5F7568B220E4AE1FEAA45513C17D5D6C9B73E3FB42F1B

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

162.230.48.189:9050

Mutex

e1371af2-3c26-486c-a950-9db9a0954e65

Attributes
  • encryption_key

    B29AF710516F59F4E03DA48D133686BA3D427275

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Startup

  • subdirectory

    SubDir

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMzOTY1MzA3MzExODk1NzYyOA.Gyeqfo.jSoIylbD9209F3SYWC8lQpax1pi7WnTlraTMiY

  • server_id

    1339592792070164510

Targets

    • Target

      bomb.exe

    • Size

      12KB

    • MD5

      a14e63d27e1ac1df185fa062103aa9aa

    • SHA1

      2b64c35e4eff4a43ab6928979b6093b95f9fd714

    • SHA256

      dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

    • SHA512

      10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082

    • SSDEEP

      192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

    Score
    10/10
    asyncratdiscordratmimikatzphorphiexquasarredlinesectopratstormkittyvidarxmrigfeb2025office04credential_accessdefense_evasiondiscoveryexecutionimpactinfostealerloaderminerpersistencepyinstallerransomwareratrootkitspywarestealertrojanupxworm

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Vidar Stealer

      stealer

    • Discord RAT

      A RAT written in C# using Discord as a C2.

      stealerrootkitratpersistencediscordrat

    • Discordrat family

      discordrat

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • Mimikatz family

      mimikatz

    • Phorphiex family

      phorphiex

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • XMRig Miner payload

      miner

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • mimikatz is an open source tool to dump credentials on Windows

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      defense_evasion

    • Stops running service(s)

      defense_evasionexecution

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence like scheduletasks on a host.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Modify Authentication Process

1
T1556

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

2
T1070

Clear Persistence

1
T1070.009

File Deletion

1
T1070.004

Modify Authentication Process

1
T1556

Modify Registry

1
T1112

Credential Access

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Discovery

Process Discovery

1
T1057

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Service Stop

1
T1489

Tasks