Overview

overview

10

Static

static

3

Bitcoin Fl...er.exe

windows7-x64

10

Bitcoin Fl...er.exe

windows10-2004-x64

10

Btc_Flashi...t_.exe

windows7-x64

3

Btc_Flashi...t_.exe

windows10-2004-x64

3

Main.exe

windows7-x64

10

Main.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BitcoinFlashSenderV2.zip

  • Size

    1.6MB

  • Sample

    250304-1enatasjt8

  • MD5

    7e228eed9bd70732361faa3c0b1111ed

  • SHA1

    ec9a0fe4715830594f3f031105464569c9af0151

  • SHA256

    2d454a5836f9595ec437cda94f901452f94e6c266aaaf7b7baac3f8ce2adc4cd

  • SHA512

    67d963782aa7ba27bc1f502455dd05a2f49371c86f96c2ffd68fd50ca509b471a96b6597329b1a6f4572d2a23a48fc8253a0522537077f30135d7ea18f6c3fd7

  • SSDEEP

    49152:KoWH+Q3uz2mzjjnWLhXB+spjkjcQOTSGY7fZ:KoWNuxzjjWNRajT7fZ

Score
10/10
asyncratquasarstormkittyvenomratxwormdefaultoffice04defense_evasiondiscoveryevasionpersistenceprivilege_escalationratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

45.61.140.75:7812

Mutex

VNM_MUTEX_DIBuVCpZfDcrHCFft2

Attributes
  • encryption_key

    q8RpA86xyuUHuOrxUGXa

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Service Host

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

5.0

C2

185.252.232.158:7812

Mutex

b0c5WZixE6SqaTDD

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Defender Security Service.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

185.252.232.158:7812

64.23.232.116:7812
Mutex

vsvf

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Security Health Service.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Bitcoin Flash Sender.exe

    • Size

      1.0MB

    • MD5

      fe4cf784ce07deb238da9cfc876b2c1f

    • SHA1

      855c8c3535dff682b86ed8a17ede5f4e8bd068f8

    • SHA256

      2826ba31add950b8bad6c19805f8a6cf0efc4710ac35c54acb19afc09f72c057

    • SHA512

      51c225d338dc5a1e07f94dffba252a05b84d198444ed174ee0d7aeaaa27729a76b1c2389eaa03447f3f1cea02bff13cc97190bb70687bd535dd3874e989d8c81

    • SSDEEP

      24576:o7uzTHUpq1n4CBQpUOgyuiSjKg5tVlHmxtC/ulI4Xf:oKT0pk4CBQrg2jgGjlb

    Score
    10/10
    asyncratquasarstormkittyvenomratxwormdefaultoffice04defense_evasiondiscoveryevasionpersistenceprivilege_escalationratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Modifies Windows Defender TamperProtection settings

      evasiontrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • VenomRAT

      Detects VenomRAT.

      rat

    • Venomrat family

      venomrat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      defense_evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2

    • Target

      Btc_Flashing_Latest_.exe.deploy

    • Size

      157KB

    • MD5

      211fbfe924f26355d7425601e199a816

    • SHA1

      63c6b67f265f38fdf7571064e2ecf3986224c625

    • SHA256

      916ef31a9b62b5fca3cdf18bd4c759d9f0485e0c5a422de7126fab98f6582bbb

    • SHA512

      25a8bff04a398a9b033c926d409332e796cd9737bc3d6876af71e690344354667ca7bc632f92876425289a5f929959c42340afee5e4d493478ee15fc452c982c

    • SSDEEP

      768:aJf6F8jAfEYZ6F+tVi2FUm5aAfEYZ6F+t:HyEpr

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      Main.exe

    • Size

      723KB

    • MD5

      da83861c41845595ac896a9ba8908166

    • SHA1

      35fb04158b18389c0fa05d560b44d0c90b378bac

    • SHA256

      88f0200e25ae48da6d87f5bb43c0b3ca9e3af0a55544a362a4c68fca967ab790

    • SHA512

      b257db872b86fc9565222694a5bf6e74f6c825a107b3ebbc38a7e19e762b143c7ad86bce111c9eb9424d5f83fe5cb057f73456fd3c19e7f68b95acbc5fb72e90

    • SSDEEP

      12288:tOhqsVIRb2yrFriBdD3aTbgLxLYjQbyGzs0yROS44MERXjI7Uh0TAXP6KH37gi:ohDsDhCU/gLijQbyGzs0yQaMKjI7kXjl

    Score
    10/10
    asyncratquasarstormkittyvenomratdefaultoffice04defense_evasiondiscoveryevasionpersistenceprivilege_escalationratrootkitspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Modifies Windows Defender TamperProtection settings

      evasiontrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • Venomrat family

      venomrat

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      defense_evasiontrojan

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

4
T1562

Disable or Modify Tools

4
T1562.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks