General

  • Target

    RNSM00262.7z

  • Size

    23.5MB

  • Sample

    250227-2f7xaaspy6

  • MD5

    e362b1154d8a96e7c7d8315620310767

  • SHA1

    0beb8dd3b2a42bcff82038ddd2fa9d1b33f27127

  • SHA256

    de0bf2df04a896629563c8142a4a3916ee98a445c954da5da7c6752aa9ed78ca

  • SHA512

    8c8e465c314aa10111c886148584678026ffa2e3475b26ac71aaded7ca083c0aa6b9ec39e60727da1389de87a99e021b16bba1360d9559b014ec820f307a20d7

  • SSDEEP

    393216:/IOvKjleYNBvQpcycoDrN8vAaBweucwAXWh7BaGxYMxB2Oz/ehBAX1Q902lY852f:/IUKBb/v7wtAX8QGuMnz/aAX1Q+2u8Uf

Malware Config

Extracted

  • Language

    hta

  • Source

    URLs

  • hta.dropper

    http://fyreport.com/inst.php?id=skytraf01

Extracted

  • Language

    hta

  • Source

    URLs

  • hta.dropper

    http://report22new.com/inst.php?id=t_a_d_01

Extracted

  • Language

    hta

  • Source

    URLs

  • hta.dropper

    http://reportandwin.com/inst.php?id=abs_15

Extracted

Family

sendsafe

Botnet

UNREGISTERED

C2

91.220.131.40:50001

91.220.131.40:50002

Attributes
  • service_name

    Enterprise Mailing Service

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif
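The extracted configuration above gives three classes of network indicator: HTA dropper URLs, Sality C2 URLs, and SendSafe raw-TCP C2 sockets. The script below is an added example, not part of the sandbox report, that turns those indicators into a lookup set and sweeps them over constructed proxy and firewall log lines (the log lines, hosts 10.0.0.15/10.0.0.22 and timestamps are made up for the example; the indicators themselves are the ones listed in the report). HTTP indicators are matched on hostname rather than full URL, because the `id=` parameter in the dropper URLs varies per campaign; the SendSafe indicators are matched on destination IP and port since that traffic is not HTTP.

```python
"""Sweep the C2/dropper indicators from this report over proxy and firewall logs."""
import re
from urllib.parse import urlsplit

# Indicators taken from the "Malware Config" section of the report.
HTA_DROPPER_URLS = [
    "http://fyreport.com/inst.php?id=skytraf01",
    "http://report22new.com/inst.php?id=t_a_d_01",
    "http://reportandwin.com/inst.php?id=abs_15",
]
SALITY_C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
]
SENDSAFE_C2_SOCKETS = [("91.220.131.40", 50001), ("91.220.131.40", 50002)]


def build_iocs():
    """Return (hosts, sockets): hostname -> family for HTTP, (ip, port) -> family for raw TCP."""
    hosts = {}
    for family, urls in (("hta.dropper", HTA_DROPPER_URLS), ("sality", SALITY_C2_URLS)):
        for url in urls:
            hosts[urlsplit(url).hostname.lower()] = family
    sockets = {sock: "sendsafe" for sock in SENDSAFE_C2_SOCKETS}
    return hosts, sockets


# Constructed sample logs (assumption: Squid-style access log and a generic firewall allow log).
PROXY_LOG = """\
1709000001.123 210 10.0.0.15 TCP_MISS/200 512 GET http://fyreport.com/inst.php?id=skytraf01 - HIER_DIRECT/203.0.113.10 text/html
1709000002.456 180 10.0.0.22 TCP_MISS/200 40960 GET http://example.org/index.html - HIER_DIRECT/203.0.113.20 text/html
1709000003.789 95 10.0.0.15 TCP_MISS/200 1024 GET http://kukutrustnet888.info/home.gif - HIER_DIRECT/203.0.113.30 image/gif
"""
FIREWALL_LOG = """\
2024-02-27T01:00:05Z ALLOW TCP 10.0.0.15:49321 -> 91.220.131.40:50001
2024-02-27T01:00:06Z ALLOW TCP 10.0.0.22:49322 -> 93.184.216.34:443
2024-02-27T01:00:07Z ALLOW TCP 10.0.0.15:49323 -> 91.220.131.40:50002
"""

# Squid native format: time elapsed client code/status bytes method URL ...
SQUID_RE = re.compile(r"^\S+\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
# Firewall line: "<src_ip>:<src_port> -> <dst_ip>:<dst_port>"
FW_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")


def match_logs(proxy_log, firewall_log):
    """Return a list of (source_host, family, indicator) hits, proxy hits first, then firewall hits."""
    hosts, sockets = build_iocs()
    hits = []
    for line in proxy_log.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname
        if host and host.lower() in hosts:
            hits.append((m["src"], hosts[host.lower()], m["url"]))
    for line in firewall_log.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        key = (m["dst"], int(m["port"]))
        if key in sockets:
            hits.append((m["src"], sockets[key], f"{key[0]}:{key[1]}"))
    return hits


if __name__ == "__main__":
    for src, family, indicator in match_logs(PROXY_LOG, FIREWALL_LOG):
        print(f"{src} -> {family}: {indicator}")
```

Hostname-level matching is broader than exact-URL matching and would produce false positives on shared hosting; here the domains and the SendSafe IP are dedicated to the malware, so the trade-off is acceptable. In the constructed logs only 10.0.0.15 touches any indicator, and it hits all three families, which is the pivot a responder would follow.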

Targets

    • Target

      RNSM00262.7z

    • Size

      23.5MB

    • MD5

      e362b1154d8a96e7c7d8315620310767

    • SHA1

      0beb8dd3b2a42bcff82038ddd2fa9d1b33f27127

    • SHA256

      de0bf2df04a896629563c8142a4a3916ee98a445c954da5da7c6752aa9ed78ca

    • SHA512

      8c8e465c314aa10111c886148584678026ffa2e3475b26ac71aaded7ca083c0aa6b9ec39e60727da1389de87a99e021b16bba1360d9559b014ec820f307a20d7

    • SSDEEP

      393216:/IOvKjleYNBvQpcycoDrN8vAaBweucwAXWh7BaGxYMxB2Oz/ehBAX1Q902lY852f:/IUKBb/v7wtAX8QGuMnz/aAX1Q+2u8Uf

    • Blackshades

      Blackshades is a remote access trojan with various capabilities.

    • Blackshades family

    • Blackshades payload

    • Modifies WinLogon for persistence

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • Sality family

    • SendSafe

      SendSafe is a notorious spam tool that later turned into a spam botnet.

    • Sendsafe family

    • SendSafe payload

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.
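The "UPX packed file" signature is a static check on the PE section table: stock UPX names its sections UPX0, UPX1 (and optionally UPX2 or .rsrc) and leaves a "UPX!" marker in the image. The code below is an added example, not part of the report or of the sandbox's own rules, that parses the DOS header, PE signature, COFF header and section table of a PE file and applies that heuristic. It also builds a minimal stub PE as a test fixture (not a real or runnable binary) so the check can be exercised offline.

```python
"""Static UPX heuristic: PE section names and the 'UPX!' marker."""
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40


def pe_section_names(data: bytes):
    """Walk MZ -> e_lfanew -> PE -> COFF -> section table and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + struct.calcsize(COFF_HEADER_FMT):
        raise ValueError("truncated COFF header")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """True if any section name starts with 'UPX' or the UPX! marker is present anywhere in the image."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def build_stub_pe(section_names):
    """Construct a minimal PE32 image with the given section names (test fixture only; it cannot run)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0  # PE32 optional header size
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = bytes(opt_size)
    sections = b"".join(name.encode().ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
                        for name in section_names)
    return bytes(dos) + PE_SIGNATURE + coff + optional + sections


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, pe_section_names(blob), "UPX" if is_upx_packed(blob) else "not UPX")
```

The caveat the signature itself hints at with "modified UPX": renaming the sections and scrubbing the marker defeats this check entirely, so a section-name hit is evidence of packing, not proof, and a miss proves nothing. Entropy of the first section and a tiny import table are the usual follow-up indicators.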

MITRE ATT&CK Enterprise v15

Tasks