General
-
Target
241105-dtxrgatbpg_pw_infected.zip
-
Size
132.7MB
-
Sample
250301-xmhhrayp15
-
MD5
136b5aad00be845ec166ae8f6343b335
-
SHA1
e51860dfb734c9715b6c9b74d9c582abe03ca90c
-
SHA256
38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
-
SHA512
ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
-
SSDEEP
3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz
Malware Config
Extracted
zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
-
build_id
19
Extracted
revengerat
XDSDDD
84.91.119.105:333
RV_MUTEX-wtZlNApdygPh
Extracted
revengerat
Victime
cocohack.dtdns.net:84
RV_MUTEX-OKuSAtYBxGgZHx
Extracted
zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
-
build_id
103
Extracted
revengerat
samay
shnf-47787.portmap.io:47787
RV_MUTEX
Extracted
zloader
09/04
https://eoieowo.casa/wp-config.php
https://dcgljuzrb.pw/wp-config.php
-
build_id
140
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
-
build_id
131
Extracted
cobaltstrike
305419896
http://47.91.237.42:8443/__utm.gif
-
access_type
512
-
beacon_type
2048
-
host
47.91.237.42,/__utm.gif
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
8443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
-
watermark
305419896
Extracted
revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
RV_MUTEX
Extracted
revengerat
YT
yukselofficial.duckdns.org:5552
RV_MUTEX-WlgZblRvZwfRtNH
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted
njrat
0.7d
HacKed
srpmx.ddns.net:5552
c6c84eeabbf10b049aa4efdb90558a88
-
reg_key
c6c84eeabbf10b049aa4efdb90558a88
-
splitter
|'|'|
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
njrat
0.7d
HACK
43.229.151.64:5552
6825da1e045502b22d4b02d4028214ab
-
reg_key
6825da1e045502b22d4b02d4028214ab
-
splitter
Y262SUCZ4UJJ
Extracted
http://zxvbcrt.ug/zxcvb.exe
http://zxvbcrt.ug/zxcvb.exe
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
castor123@
245f77ec-c812-48df-870b-886d22992db6
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Extracted
vidar
26.1
276
http://centos10.com/
-
profile_id
276
Targets
-
-
Target
241105-dtxrgatbpg_pw_infected.zip
-
Size
132.7MB
-
MD5
136b5aad00be845ec166ae8f6343b335
-
SHA1
e51860dfb734c9715b6c9b74d9c582abe03ca90c
-
SHA256
38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
-
SHA512
ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
-
SSDEEP
3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Betabot family
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Disables service(s)
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Hawkeye_reborn family
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nd3v_logger family
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload
-
Masslogger family
-
Modifies Windows Defender Real-time Protection settings
-
Modifies firewall policy service
-
Njrat family
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
Rms family
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot family
-
UAC bypass
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
M00nD3v Logger payload
Detects M00nD3v Logger payload in memory.
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
RevengeRat Executable
-
Vidar Stealer
-
Blocklisted process makes network request
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Looks for VMWare services registry key.
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Modifies file permissions
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks whether UAC is enabled
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
5Windows Service
5Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
5Windows Service
5Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
1Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
2Disable or Modify Tools
2Indicator Removal
3Clear Persistence
1File Deletion
2Modify Registry
9Virtualization/Sandbox Evasion
1Discovery
Peripheral Device Discovery
1Query Registry
5Remote System Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
1