Overview

overview

10

Static

static

10

4klgwMz.exe

windows7-x64

10

4klgwMz.exe

windows10-2004-x64

10

8jQumY5.exe

windows7-x64

1

8jQumY5.exe

windows10-2004-x64

7

OEHBOHk.exe

windows7-x64

1

OEHBOHk.exe

windows10-2004-x64

1

Ps7WqSx.exe

windows7-x64

3

Ps7WqSx.exe

windows10-2004-x64

3

SpotIfy_V2.467.exe

windows7-x64

3

SpotIfy_V2.467.exe

windows10-2004-x64

10

W6ySCZP.exe

windows7-x64

10

W6ySCZP.exe

windows10-2004-x64

10

dc7d690adb...2d.exe

windows7-x64

10

dc7d690adb...2d.exe

windows10-2004-x64

10

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

random_2.exe

windows7-x64

9

random_2.exe

windows10-2004-x64

10

reloadrive.exe

windows7-x64

10

reloadrive.exe

windows10-2004-x64

10

wBalaPT.exe

windows7-x64

7

wBalaPT.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    quarantine.7z

  • Size

    10.4MB

  • Sample

    250304-2d9cbstjt6

  • MD5

    6f41c499e4d9bfc25bbeaadfb2f8e716

  • SHA1

    0215fb04e92e54c3f5d1065c46bb5f2199da0380

  • SHA256

    bfe4b4df28361cf5ef899f834fefed90d282995621018ac8215c04ca2cfe571f

  • SHA512

    8215ccc2e7d25e4fc756837725d1ebaf187ae4ace23703fa6df737d4384cdcd311a5699ccffd2d8c3ec1e7ff47c1ded0df1d9f195dd11517f9ba208cc3bf3ecd

  • SSDEEP

    196608:ZaIz9xvnQfOgSkGfLZ80b1o+Wh6lwkpROJaRgTmj8JWQGScbEzH99U4shtW:ZaOD+SkGfLZ8emf6lwi+Tmxm7BsnW

Score
10/10
amadeyredlinestealcsvcstealersystembcvidarxworm092155a4d2cdir7amtestprolivtrumpcredential_accessdefense_evasiondiscoverydownloaderinfostealerpersistencepyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz
Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86
Attributes
  • dns

    5.132.191.104

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

redline

Botnet

testproliv

C2

45.155.103.183:1488

Extracted

Family

svcstealer

Version

3.1

C2

185.81.68.156

176.113.115.149
Attributes
  • url_paths

    /svcstealer/get.php

Targets

    • Target

      4klgwMz.exe

    • Size

      615KB

    • MD5

      19668940080169c70b830bed8c390783

    • SHA1

      5e6b72e52abc7d221d512111e39cbdd3f2ad40c1

    • SHA256

      cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c

    • SHA512

      c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2

    • SSDEEP

      12288:El+79KrrgMgm+w7diouERjgVCjqQeJKxZ+0EQrkyfazcdM+XUr1Mlohbn:Elc9KrrgMgm+sdhuEO0OFJ8Z+ZQ1fFqv

    Score
    10/10
    svcstealerdownloaderpersistencestealerdiscoverypyinstallerspyware

    • Detects SvcStealer Payload

      SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

    • SvcStealer, Diamotrix

      SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

      stealerdownloadersvcstealer

    • Svcstealer family

      svcstealer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      8jQumY5.exe

    • Size

      7.6MB

    • MD5

      e82c4c3f7a2994eeecc1f81a5e4a4180

    • SHA1

      660820f778073332dcd5ec446d2fcf00de887abd

    • SHA256

      11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3

    • SHA512

      4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76

    • SSDEEP

      98304:cLOsFGmdzUZB0Dg62kDXGIl2i+dlD64lQZ+gSBPfmAWY5/x9mgX2k1Tfltl/fTy5:oS1WmX6dLuk

    Score
    7/10
    discoveryspywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3behavioral4

    • Target

      OEHBOHk.exe

    • Size

      909KB

    • MD5

      3babce4f85902c7bcfde22e222508c4e

    • SHA1

      4898ae5c075322b47ab2f512b5463ee6116d98f7

    • SHA256

      06b678b55cb81e6999b25903def2ac02336dc6c9ff3cd6afdaafffd55e2e5302

    • SHA512

      f8687729c8931579f8120f6451f669726f115123c10a7c5ce6d9a24746940153efcf7e33b719e8f543f9b4316db485633272943f462bf948b4044f234795d629

    • SSDEEP

      24576:9lBq4/QlK9/CqNzb5lgV6tZVPKilGRl1D:9lBj/V6QtGily

    Score
    1/10
    behavioral5behavioral6

    • Target

      Ps7WqSx.exe

    • Size

      6.8MB

    • MD5

      dab2bc3868e73dd0aab2a5b4853d9583

    • SHA1

      3dadfc676570fc26fc2406d948f7a6d4834a6e2c

    • SHA256

      388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

    • SHA512

      3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

    • SSDEEP

      98304:fQX0x83hQvVapJdIJc3XO72dn3ffZSjZbkKk5KExKKUkIg5Wo6J:YX02GapHXkAn38jZk5KETUkIglW

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      SpotIfy_V2.467.exe

    • Size

      2.0MB

    • MD5

      6e3802cfc1f9be894f57bc3efaec85a3

    • SHA1

      5110581b426b3054620d17ce4dfe3f0946d6d701

    • SHA256

      f32eb5f5834590a15c0e86d0adb577093b35e12679b87b41bf835e38e2ccc75b

    • SHA512

      db83f4fc718f22d71e5424b147ee43cc72df938ff10ab676848714787f67a078a34c8b4e5b1740c7f28a3e64166a48e79a5dbdc743acc1bfaea0c4b92f772aaa

    • SSDEEP

      24576:E19c4JFCqYyQvL4xH7HzQ2RnCIOhx9jyqwexgFcDE+OfF0Zet//G+pyQEFwGzvHH:ElNfNmhxSf7y3Jz+k

    Score
    10/10
    vidarir7amcredential_accessdiscoveryspywarestealer

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

    • Target

      W6ySCZP.exe

    • Size

      1.8MB

    • MD5

      a308ca3417da9a5fd27823d205e2944a

    • SHA1

      a623c58df6d2f75b3ffda3268cc6ed7ef48ce070

    • SHA256

      973bb90580ab417bea0568823bb7852eeed34f6d83461f3de275fcda727c73ee

    • SHA512

      4a9e58b99bf736a20f4b7f7a740546c2e2a4c46ab9bfd44b15a76b75f14a90a0ba4eca0302a4b0006086e035b4e739bec9da98d9ff416880dcc4f44aa8e3f7f2

    • SSDEEP

      49152:PbGi9UZtjE+mbKe83yQMKUPGfyxu6o57N512SXv:G1EZKe8MKK46o9N55

    Score
    10/10
    amadeysystembca4d2cddefense_evasiondiscoverytrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Systembc family

      systembc

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral11behavioral12

    • Target

      dc7d690adb8ea5ab1a9b1f65fc3a62b35d9ae4c57a7806ccb226b825f1465f2d.bin

    • Size

      277KB

    • MD5

      d1458dc39b290683cefbb01cc5b0991a

    • SHA1

      e9749971be9d943cb2a62e2be5eb442161876ec6

    • SHA256

      dc7d690adb8ea5ab1a9b1f65fc3a62b35d9ae4c57a7806ccb226b825f1465f2d

    • SHA512

      f90bc037576ee1205fa260d5b6b05c95f930025bc40f541b92f39b845b8e9a90a59ec18ef0be1ab5cf7bb74ed6a6222fc1a882df894ba8e1e722d671aef37e35

    • SSDEEP

      6144:mncN0em3ZxfIiz1uE9FT6gLc/wtgdmvRvtsUuVGh+/Kq3u:P0dfJ8E9d6gLMaDvzsVu+d+

    Score
    10/10
    xwormdiscoverypersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      random.exe

    • Size

      1.7MB

    • MD5

      feb18482eb371b37b6c6e67dc17481da

    • SHA1

      e61fbf2517f0995a8af7a9fd34ab338e58ba2636

    • SHA256

      dbc99ecaa606611123fd3b89100c1f2de4491eca4b1977396e3a613ae2eada62

    • SHA512

      63ac01e9c5a40e4c30017d4667d65e282fd64ea9b7d23540132c3597166121e6dadd68b1e0e1c889ba976f365a4c9f9c333d70fb5624a4fcefe1e24e0814edee

    • SSDEEP

      49152:3J14DprmYEHkZoo3mnG/au1qzeYgAfHJOegN:3JuNJWY1T1qyy

    Score
    10/10
    stealctrumpcredential_accessdefense_evasiondiscoveryspywarestealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral15behavioral16

    • Target

      random_2.exe

    • Size

      3.1MB

    • MD5

      00961d161138aa0b47dba68d37496786

    • SHA1

      ca31f7bd78c56fdc78819df24dc25c43b8c7e621

    • SHA256

      d359d667ffb1630874144e309250f07e6337a24fa79901e088893dbdd7ed5c1a

    • SHA512

      6f11ccf00591ece1183efe70e39ff05d2c744c69b2dfb42d02a8c3a95ccbbfde23695a2acd86158ca04487d20a1bd2a3f63abeae98708f2d204d648f4996efcd

    • SSDEEP

      98304:zAhP04tDAa9fRyMH0BcUSrc9etZBETLL:zAhP04BJc9etYTL

    Score
    10/10
    defense_evasiondiscoveryspywarestealeramadeyredlinesvcstealersystembcvidar092155a4d2cdir7amtestprolivcredential_accessdownloaderinfostealerpersistencepyinstallertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • Detect Vidar Stealer

      stealer

    • Detects SvcStealer Payload

      SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SvcStealer, Diamotrix

      SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

      stealerdownloadersvcstealer

    • Svcstealer family

      svcstealer

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Systembc family

      systembc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      reloadrive.exe

    • Size

      1.6MB

    • MD5

      8c767708c9a9554c0afb504629e75ffd

    • SHA1

      c65394806c0f77af880c7ff8a021bd4222ca3f11

    • SHA256

      dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d

    • SHA512

      f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16

    • SSDEEP

      49152:R1aqCQ3KKia9icS8P80nPIIXQocVHmir6QmEGmNyRzs3Xn:R1aA37ia9iJ800QIXQocVHoEGV0

    Score
    10/10
    systembcdefense_evasiondiscoverytrojan

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Systembc family

      systembc

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral19behavioral20

    • Target

      wBalaPT.exe

    • Size

      413KB

    • MD5

      3f84f670f0e10ad43bcb6df7c25cdc1a

    • SHA1

      0e04beff1beec91fa9408c0b1e28da8283c9c70e

    • SHA256

      787490502d51da937007d81c84ae8929ab20e5516f0fa36dec97b30b5f154351

    • SHA512

      4cbcc517ec10f0e40f88da1e43cd2d776bc4bc493d355b6186e03f07343319386496e57d56bcfa775fc9b8ce0586260dfb0a900c47b3c77d9202909a71835d40

    • SSDEEP

      12288:r/8FYTSB3tGmyAnI5mla3za4EALdrVWiZ:rAWgdOAWmcjLEApVZ

    Score
    7/10
    discoveryspywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

5
T1552

Credentials In Files

5
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

7
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Exfiltration

Impact

Tasks

static1

svcstealer
Score
10/10

behavioral1

svcstealerdownloaderpersistencestealer
Score
10/10

behavioral2

svcstealerdiscoverydownloaderpersistencepyinstallerspywarestealer
Score
10/10

behavioral3

Score
1/10

behavioral4

discoveryspywarestealer
Score
7/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

vidarir7amcredential_accessdiscoveryspywarestealer
Score
10/10

behavioral11

amadeysystembca4d2cddefense_evasiondiscoverytrojan
Score
10/10

behavioral12

amadeysystembca4d2cddefense_evasiondiscoverytrojan
Score
10/10

behavioral13

xwormdiscoverypersistencerattrojan
Score
10/10

behavioral14

xwormdiscoverypersistencerattrojan
Score
10/10

behavioral15

stealctrumpcredential_accessdefense_evasiondiscoveryspywarestealer
Score
10/10

behavioral16

stealctrumpdefense_evasiondiscoverystealer
Score
10/10

behavioral17

defense_evasiondiscoveryspywarestealer
Score
9/10

behavioral18

amadeyredlinesvcstealersystembcvidar092155a4d2cdir7amtestprolivcredential_accessdefense_evasiondiscoverydownloaderinfostealerpersistencepyinstallerspywarestealertrojan
Score
10/10

behavioral19

systembcdefense_evasiondiscoverytrojan
Score
10/10

behavioral20

systembcdefense_evasiondiscoverytrojan
Score
10/10

behavioral21

discoveryspywarestealer
Score
7/10

behavioral22

discoveryspywarestealer
Score
7/10