Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-2004-x64

10

New Text D...od.exe

windows7-x64

8

New Text D...od.exe

windows10-2004-x64

8

New Text D...od.exe

windows7-x64

8

New Text D...od.exe

windows10-2004-x64

8

Resubmissions

26/02/2025, 23:57

250226-3zn4ysxwc1 10

26/02/2025, 23:14

250226-271x2sxmz9 10

14/02/2025, 01:10

250214-bjsnnayne1 10

14/02/2025, 01:00

250214-bc5pmsymhw 10

13/02/2025, 05:01

250213-fnkwtstpgw 10

13/02/2025, 04:24

250213-e1kk6atmaz 10

13/02/2025, 04:08

250213-eqe8patkgx 8

12/02/2025, 23:56

250212-3yzt3azrdx 10

12/02/2025, 23:44

250212-3rgd5szmbm 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Downloaders.zip

  • Size

    12KB

  • Sample

    250226-271x2sxmz9

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Score
10/10
amadeyasyncratgcleanerlummanjratquasarredlineremcosrhadamanthysumbralxworm1176f27c4393@glowfy0botcryptdefaultdock.exefirstoffice04bootkitcredential_accessdefense_evasiondiscoveryexecutionimpactinfostealerloaderpersistenceprivilege_escalationpyinstallerransomwareratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

Crypt

C2

185.225.73.67:1050

Attributes
  • audio_folder

    576ruythg6534trewf

  • audio_path

    %WinDir%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    76y5trfed675ytg.exe

  • copy_folder

    kjhgfdc

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    654ytrf654trf654ytgref.dat

  • keylog_flag

    false

  • keylog_folder

    67yrtg564tr6754yter

  • mouse_option

    false

  • mutex

    89765y4tergfw6587ryute-80UMP1

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    67y4htergf65trgewfd654tyrfg

  • screenshot_path

    %Temp%

  • screenshot_time

    10

  • startup_value

    6754ytr756ytr7654yretg8765uyt

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    bank

Extracted

Family

njrat

Version

im523

Botnet

dock.exe

C2

pool-tournaments.gl.at.ply.gg:7445

Mutex

ec1d783eda90ea4f1a73218af4fd58aa

Attributes
  • reg_key

    ec1d783eda90ea4f1a73218af4fd58aa

  • splitter

    |'|'|

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

2.tcp.eu.ngrok.io:19695
Mutex

lmk8StbxTzvz

Attributes
  • delay

    3

  • install

    true

  • install_file

    Discord.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wexos47815-61484.portmap.host:61484

Mutex

06e2bb33-968c-4ca7-97dc-f23fbd5c3092

Attributes
  • encryption_key

    8924CB3C9515DA437A37F5AE598376261E5528FC

  • install_name

    msinfo32.exe

  • log_directory

    Update

  • reconnect_delay

    3000

  • startup_key

    Discordupdate

  • subdirectory

    dll32

Extracted

Family

gcleaner

C2

80.66.75.114

45.91.200.135

Extracted

Family

xworm

Version

5.0

C2

enter-sierra.gl.at.ply.gg:55389

Mutex

lzS6Ul7Mo5UcN6CR

Attributes
  • Install_directory

    %AppData%

  • install_file

    Wave.exe

aes.plain

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :B9A4DCAF3E383B51782E6D526AE7E8E989A23D139426991E2F2959EF399EFF017FE5E39AB68C2BFF8825262C2FC73580ACF9BA85F25820BF84643EE4E91C095DC0A3B609BD18E1A253AE072D49185EA8857EC071A260FFD29BE3920D4341722A519D7046CE80C41B59321EF337264670312BEB6E5E8FD4945CCD626DE03B2E020D09CDE02A8A60BAF90463D181ED99F157457EF8106AAD1EFA06EA9C6D6EAFAD4F1660244C6755740D6AE13EDD3F39ED8FAE6E8C468810C635F477AC4DD5A2633E8319A3F4E4BBBDC0D6A360D82D2AE4B5F7FBB4909051149B8BF3A419145C304C7951711EB7AC4D1743D46847BB7587152ED12715396F9A3A9129044ABEA824DD770E4D53FC738253ECE8FA2D92824887098833050A9E99153D4CB425ED0CD372218E10D8193386035497B8A5CAFDB3797FC6E3D5E99BFCAB4B808C3541E64C36FEC3583C764E1AC6EF9F957C8733EC23AA2412098FFCB61F08D8CC79FC862C84DC6945E3667956F99CBF8679CA6B8555A34106EDB03709BA6555BC66A97D8A9ADA04EDEFFFCDAA6286DE574ABF80347E553CF9B6FC50A62E9A9C7D6291D983B4BACA330AEE9BDEB6AB7E8FA518A041FD5EC1C0D203116FEA7000BF9D4999861C23A7AFFF115CD8E84B124E4A0546640CC6CB651D6FD4B3D5E2C779FB32EA10315FAA7B4C8B8356476E03CF6EE4A312313FE36DA20E20C7FA4BA9FC589F5692A99AA540C410467072275E93D7F5EDC6107C222FE5B9C4860E58B4EF369D805F89BECB575E7EF11AF3EE2AFF939C133731676326F1A6FD58A771EB7FDAE5742951BDD0CD45BEA88050F843947650DC0CF019D30C61F16BD3BC6C41EF150D3A823332531B4410F206534EEF87FDD2FC7D34E4F81FA8A7FD98CA43EF26E533B931F1F2546FF0C51BC85B80ACC3E00F5D0CE9223F7BEF24FF46C771D3780A1DBD70E7C7449F7F7D87E1B7733D3964C398026C112688F34FE85B1B493B4E4FA6FD87692A76F7CE6531EEAFCADBFF4F4475B377527190C0A2DCAB737F146F6833E3DB9B0CC90282AF92BA531007DF0908A48D5C10ADD5DC6FDE0442A3AF32B639037C23FDA6BD5CAE55F525844C3419FCDD1B9DA4A606C83D94950EBB8AABEF91FD86D4213BCC12AF67125B4F68A51FD165B6D6331538FC86435023C46664AEEB18DD4BB472282C8157F6565187EDC831EEA8751C1DC203B8759313F55EFB856DC15C9C2B70963AFE280CF0A21E50A4E4AE35003C5D9A72A734F697B5D65478384B443817433EB4B1F82833E9A937DF011BC76E383E76354283F54E920121EEF99EA1CB7E160FF0C4D53403BBFCCB54464FE864BB703609CC3C87723FB7EF7CDA98EE8554CB32F559118BE82D5B056FE843ABF8E1E3F36E4F565E1634393A9708D6402343490033F491F0088A0F509791F93F63BA62EB2093E3BED2F5332814D8F7F0914E0083CA99F9938E790F3386E2DF1BD61DDC88D597510E2A6178F850EB13B201D52B194727FA96DD7DB78FAE0799DA29F502673D0242E78152AAE3CB0B5A83F448DE0C7C9F77AF36281F7D8C129CE05F70006BF936A29230568F03A71C91791A5006709049D936DB96A6288907103CB878BFD4806E14B059A58A4F968053F6489EE6AF0EBB9AF7C3D39AF2AF95E373CCE969C9D42C0B49C2424908999957B3C409A085AF6A7976FB58DE65C7659A69E6D3BC12207E9C0694D92B7528D53F9FEC0AF9EED349CD9B88C7788C71D108FD80871FB71E8E17B610A8D273E85E4079B442B3D803108CE17EAC33E529CE396F7F5648A2E4AC347D591B4F0BEFF931C6AD9445992668A3BD80215C99D6DA7646EA8A1B01F2B0F03E2E0A99AF0669D653462619CEF04EBAA475ADB92231E69CAFB783BF1A370E06C1E85ED55E00FE9849447FF878D05DBA9E60F431627BF2F6A2080C1BF91CF27AC55885BB4606A346D0A34F9A5FAE919ABFAE2AB0FE6D00C8A284D03678BC54B7C7A9C75ED014084B9E52F20374F9697641837BE2D0437EEA01A5244027B4FFC616BADFCCCA5ECF047A8A1C5509FCC80BDF097DB9FE6CA868BD92EBA9F70F239A256E2B63839FD13B43DFBD6EFBAAEDADFB6D7BDF333189392BC3A14E2B02391A03E25D6724A5997FB68E1BE7DFB568FDF660451DACE7E90C7C1FB47DAD3C8430A485196C3BF5C67474C4B5B742C1064FF0C5521604E83A65AB47879AF890D7CC8110067C8B6BA0978D8C9EED345863ECC8489DF979E68D60F1D44E0B28A125186A89346DF128C6426CF6CAB554E022DCDF617D1F82712F8E1715C175A3BBEA1C7E6D26EAF25935038393A1F3871C56B38B22C44ADD2E0F0531FA1B422973F5B8DE6721ACB132F4682494B3F4C0774C8B75C4F4E5

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

104.251.123.245:23600

Mutex

4119a2e0-4ae4-4843-8534-99af91a2475d

Attributes
  • encryption_key

    DF6316067206E09C1F85138FCEBD56F5D94BF6AE

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Startup

  • subdirectory

    SubDir

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://pancakedipyps.click/api

Extracted

Family

redline

Botnet

first

C2

212.56.41.77:1912

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

C2

http://185.215.113.19

Attributes
  • install_dir

    417fd29867

  • install_file

    ednfoki.exe

  • strings_key

    183201dc3defc4394182b4bff63c4065

  • url_paths

    /CoreOPT/index.php

rc4.plain

Extracted

Family

redline

Botnet

@glowfy0

C2

91.214.78.86:1912

Extracted

Family

amadey

Version

5.03

Botnet

7c4393

C2

http://185.215.113.217

Attributes
  • install_dir

    f9c76c1660

  • install_file

    corept.exe

  • strings_key

    9808a67f01d2f0720518035acbde7521

  • url_paths

    /CoreOPT/index.php

rc4.plain

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    asyncratgcleanernjratquasarremcosbotcryptdefaultdock.exebootkitdefense_evasiondiscoveryloaderpersistenceprivilege_escalationratspywaretrojanamadeylummaredlinerhadamanthysumbralxworm1176f27c4393@glowfy0firstoffice04credential_accessexecutionimpactinfostealerpyinstallerransomwarestealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Umbral payload

    • Detect Xworm Payload

    • Detects Rhadamanthys payload

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Njrat family

      njrat

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Rhadamanthys family

      rhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

      defense_evasiontrojan

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Async RAT payload

      rat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Disables Task Manager via registry modification

      defense_evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      New Text Document mod.exe

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3behavioral4

    • Target

      New Text Document mod.exse

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    Score
    8/10

    • Downloads MZ/PE file

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

3
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks