Overview

Overall score: 10/10

Per-task scores (reconstructed from the task tab list; each sample was run on both environments):

Task               Environment          Score
static             static               3/10
221b9.exe          windows7-x64         10/10
221b9.exe          windows10-2004-x64   10/10
2c42a36d7.exe      windows7-x64         10/10
2c42a36d7.exe      windows10-2004-x64   10/10
2da5f7422573.exe   windows7-x64         3/10
2da5f7422573.exe   windows10-2004-x64   3/10
3fcc16.exe         windows7-x64         3/10
3fcc16.exe         windows10-2004-x64   3/10
4772.exe           windows7-x64         10/10
4772.exe           windows10-2004-x64   10/10
6c1a.exe           windows7-x64         10/10
6c1a.exe           windows10-2004-x64   10/10
79330.exe          windows7-x64         10/10
79330.exe          windows10-2004-x64   10/10
afc500c.exe        windows7-x64         10/10
afc500c.exe        windows10-2004-x64   8/10
ef62b5a6474.exe    windows7-x64         10/10
ef62b5a6474.exe    windows10-2004-x64   10/10
General

Target: Foranalysis.7z
Size: 12.6MB
Sample: 250312-xg84hs1mx4
MD5: a4495d1988b840fd00e77cb97d528d43
SHA1: 2e381dc1d1142e9a8e25344a8e743eb510371db4
SHA256: 3ef6482e94e62b0f674c24b66fed5230b07395929f5fc77708fed0cb536c4a2b
SHA512: 44975caac2ce969aa90af0edf2939b7699cebc21c15870c88e30608a5f22ba4c9b6b8a2b0e79430d1f642980064b061f98d8d82f626d87c402d72d604a753d8e
SSDEEP: 393216:yFvWvfl7zZsMFdhHxlKlhcPDgoZQ66NrRYW:yA1dlxlKlhIDsx
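Before working from this report, confirm that the archive you hold is the one that was analysed. The following script is an added example (not tooling from the report or the sandbox): it hashes the file once with all four algorithms and requires every digest listed in the General section to agree, rather than trusting a lone MD5 or SHA1 match.

```python
"""Check that a local copy of the submitted archive is the one the sandbox
analysed: compute MD5, SHA1, SHA256 and SHA512 in a single pass over the file
and require every reported digest to agree.  Added example; the REPORTED
digests are copied from the General section above."""
import hashlib
import sys

# Digests reported for Foranalysis.7z.
REPORTED = {
    "md5": "a4495d1988b840fd00e77cb97d528d43",
    "sha1": "2e381dc1d1142e9a8e25344a8e743eb510371db4",
    "sha256": "3ef6482e94e62b0f674c24b66fed5230b07395929f5fc77708fed0cb536c4a2b",
    "sha512": "44975caac2ce969aa90af0edf2939b7699cebc21c15870c88e30608a5f22ba4c9b6b8a2b0e79430d1f642980064b061f98d8d82f626d87c402d72d604a753d8e",
}


def digest_stream(chunks, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Feed each chunk to every hash object so the file is read only once."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digest_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def mismatches(actual, reported=REPORTED):
    """Algorithms whose digest disagrees with the report (empty list = match).

    Every reported algorithm must agree.  Accepting a single matching MD5 or
    SHA1 would let a colliding file pass, and those collisions are practical."""
    return sorted(name for name, want in reported.items()
                  if actual.get(name, "").lower() != want.lower())


if __name__ == "__main__":
    # Usage: python verify_sample.py Foranalysis.7z
    bad = mismatches(digest_file(sys.argv[1]))
    print("OK: archive matches the report" if not bad else f"MISMATCH in: {', '.join(bad)}")
    sys.exit(1 if bad else 0)
```

The same function works for the individual samples further down: swap `REPORTED` for the digests in the relevant Target block. A non-empty mismatch list on only MD5 or SHA1 with SHA256 and SHA512 agreeing is effectively impossible for a genuine copy, so treat any mismatch as "different file".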
Tasks

Static task: static1

Behavioral tasks:
behavioral1: 221b9.exe on win7-20241010-en
behavioral2: 221b9.exe on win10v2004-20250217-en
behavioral3: 2c42a36d7.exe on win7-20240903-en
behavioral4: 2c42a36d7.exe on win10v2004-20250217-en
behavioral5: 2da5f7422573.exe on win7-20240903-en
behavioral6: 2da5f7422573.exe on win10v2004-20250217-en
behavioral7: 3fcc16.exe on win7-20241010-en
behavioral8: 3fcc16.exe on win10v2004-20250217-en
behavioral9: 4772.exe on win7-20240903-en
behavioral10: 4772.exe on win10v2004-20250217-en
behavioral11: 6c1a.exe on win7-20240903-en
behavioral12: 6c1a.exe on win10v2004-20250217-en
behavioral13: 79330.exe on win7-20240903-en
behavioral14: 79330.exe on win10v2004-20250217-en
behavioral15: afc500c.exe on win7-20240903-en
behavioral16: afc500c.exe on win10v2004-20250217-en
behavioral17: ef62b5a6474.exe on win7-20250207-en
behavioral18: ef62b5a6474.exe on win10v2004-20250217-en
Malware Config

Extracted: snakekeylogger
Protocol: smtp
Host: valleycountysar.org
Port: 26
Username: [email protected] (the address is e-mail-obfuscated in the captured page and was not recovered)
Password: }eQA)VL2!$V}

Extracted: bitrat
Version: 1.38
C2: 62.210.11.126:9024
communication_password: 57e9678c1972887ccb37a6296021d65d
tor_process: tor

Extracted: eternity
Onion URL: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
payload_urls:
- http://167.88.170.23/swo/sw.exe
- http://167.88.170.23/swo/swo.exe

Extracted: tofsee
Domains:
- vanaheim.cn
- jotunheim.name
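The extracted configs give four families' worth of network indicators. The script below is an added example (not from the report) that turns them into a detection pass over Zeek-style conn.log and dns.log lines; the log lines are constructed and the field subset assumed. Note the two points a plain blocklist would miss: the keylogger exfiltrates over SMTP on port 26 rather than 25/465/587, and both the Eternity onion address and BitRAT's `tor_process` mean the Tor-side C2 never appears in DNS, so a `.onion` query reaching your resolver is itself an anomaly.

```python
"""Match the network indicators extracted from the configs above (Snake
Keylogger SMTP exfiltration, BitRAT C2, Eternity payload host, Tofsee domains)
against Zeek-style conn.log and dns.log lines.  Added example, not part of the
report; the log lines are constructed and the Zeek field subset is assumed."""
import ipaddress
from dataclasses import dataclass

# Indicators copied from the Malware Config section.
C2_SOCKETS = {
    ("62.210.11.126", 9024): "bitrat 1.38 C2",
    ("167.88.170.23", 80): "eternity payload host (/swo/sw.exe, /swo/swo.exe)",
}
C2_DOMAINS = {
    "valleycountysar.org": "snakekeylogger SMTP exfil host (port 26)",
    "vanaheim.cn": "tofsee C2",
    "jotunheim.name": "tofsee C2",
}
# The keylogger was configured for SMTP on 26, not 25/465/587; treat any
# outbound TCP/26 to a public address as worth a look.
EXFIL_PORT = 26


@dataclass
class Alert:
    line_no: int
    src: str
    indicator: str
    reason: str


def _rows(lines):
    """Yield (line number, tab-split fields), skipping comments and blanks."""
    for n, line in enumerate(lines, 1):
        if line.strip() and not line.startswith("#"):
            yield n, line.rstrip("\n").split("\t")


def scan_conn(lines):
    """Assumed field order: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto."""
    alerts = []
    for n, (_, _, src, _, dst, dport, proto) in _rows(lines):
        dport = int(dport)
        if (dst, dport) in C2_SOCKETS:
            alerts.append(Alert(n, src, f"{dst}:{dport}", C2_SOCKETS[(dst, dport)]))
        elif (dport == EXFIL_PORT and proto == "tcp"
              and not ipaddress.ip_address(dst).is_private):
            alerts.append(Alert(n, src, f"{dst}:{dport}",
                                "outbound SMTP on port 26 (snakekeylogger exfil port)"))
    return alerts


def scan_dns(lines):
    """Assumed field order: ts id.orig_h query."""
    alerts = []
    for n, (_, src, query) in _rows(lines):
        q = query.rstrip(".").lower()
        hit = next((d for d in C2_DOMAINS if q == d or q.endswith("." + d)), None)
        if hit:
            alerts.append(Alert(n, src, q, C2_DOMAINS[hit]))
        elif q.endswith(".onion"):
            # Eternity's panel is an onion service and BitRAT runs its own Tor
            # process, so neither normally shows up in DNS; a .onion query at
            # the resolver means a broken or proxied Tor client, still worth a ticket.
            alerts.append(Alert(n, src, q, ".onion name leaked to DNS"))
    return alerts


# Constructed sample logs (not from the report).
CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1741800000.1\tC1\t10.0.0.7\t49812\t62.210.11.126\t9024\ttcp",
    "1741800001.2\tC2\t10.0.0.7\t49813\t167.88.170.23\t80\ttcp",
    "1741800002.3\tC3\t10.0.0.9\t49900\t1.2.3.4\t26\ttcp",
    "1741800003.4\tC4\t10.0.0.9\t49901\t10.0.0.1\t26\ttcp",
    "1741800004.5\tC5\t10.0.0.7\t49902\t5.6.7.8\t443\ttcp",
]
DNS_LOG = [
    "#fields\tts\tid.orig_h\tquery",
    "1741800000.0\t10.0.0.9\tvalleycountysar.org",
    "1741800001.0\t10.0.0.11\tmail.vanaheim.cn",
    "1741800002.0\t10.0.0.11\tjotunheim.name.",
    "1741800003.0\t10.0.0.7\teternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion",
    "1741800004.0\t10.0.0.7\twww.example.com",
]

if __name__ == "__main__":
    for a in scan_conn(CONN_LOG) + scan_dns(DNS_LOG):
        print(f"line {a.line_no}: {a.src} -> {a.indicator}: {a.reason}")
```

Domain matching includes subdomains (`mail.vanaheim.cn`) and strips the trailing dot Zeek sometimes records. The port-26 rule deliberately fires only for public destinations; internal relays on odd ports are common enough that a private-address hit would be noise.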
Targets

Target: 221b9
Size: 754KB
MD5: 849c47adca493169ca05d46b16912631
SHA1: 7149fcfc067b91fa57186d3c0ed0c9056bb59842
SHA256: 854b59aa584237418101867e86018d0e0c3e8a588010d8cc8f8850e66b5221b9
SHA512: 5184dd5af0587cd95c8f92ef1d9f3239fb9501ced1dbb216677211ee1b304eff2921c14f9e02f763394a73f50d6cad62433867dbc218333a29767358f66f8df7
SSDEEP: 12288:hA5CB0OqJhZrzJV665IHCzwdvkSCcr/+VQ7CSOqJ7KEk0Vr2IPeiBS8rBy:hA5aWDyaIic1nxGVQ7CTxEX4IG

Signatures:
- Snake Keylogger payload
- Snakekeylogger family
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Unsecured Credentials: Credentials In Files. Steals credentials from unsecured files.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: 2c42a36d7
Size: 821KB
MD5: 5fc4c73e287297316316d56ec340bb98
SHA1: 306fd44b6d688e9f84d87e533605121bdf64eb9c
SHA256: 33ba34d8685f48fc23e074cf802716cce5f1b27a656a0996bdf88232c42a36d7
SHA512: 76b21a33991414c057d1d6eafa5f8b2327c7b6e1f2aeae6e60fc15f82c65e9c40252f4aaf9d0d3276a7401a6adfb93b35e4794d9987229aa456dcddfcb85f8d8
SSDEEP: 12288:1xkn6YuwDEgW0+K4tvzxn58XdUpGHnSieAi+Ze643VaxBP:nM6yG0+hhzxnidiGHSi3HuS
Score: 10/10

Signatures:
- ModiLoader, DBatLoader. ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage
Target: 2da5f7422573
Size: 1.7MB
MD5: 2e796fd4f40f597199ae66b5c5e12478
SHA1: 39546d3019a853586d7f6cf7b381275b74155c04
SHA256: 08b093dc7c7b7f3b4bb86e0824d23adc88cf89c67836f1a717e12da5f7422573
SHA512: 165a623c551cae3645b5b13a3555d13ddd4f4110d38200450a07160895fcc14de130899271136933acdd0d25f371534c7c73fa1aea4ba444a7b304f171569b37
SSDEEP: 12288:loSWNTd7Yo1VFnA4r5rraOVokssOcnh2tbbLqhS8aKq:loS2Tdko1V6u5rraOVouOcn4tbbR8a9
Score: 3/10

Signatures: none reported.
Target: 3fcc16
Size: 1.0MB
MD5: b5fe9871d9ea49f5690b3b02e52432be
SHA1: 017fbfd3040bc5cbfa724fb195d3a5240ae16d90
SHA256: bc663a12e76623f5bcb297c16a209b0ef5a978f2474ba9027d9ec4601c3fcc16
SHA512: b60e05b582a0e46b3e4128793e2e4239a3f03c8a847c29ab8e5807fb57341e543bf3a92feaf327f0764baca0030e1e9a12366ce337e9912a0d3807cf9d7ae8fc
SSDEEP: 24576:j/lSdIQHTtf6++IdMUXuMjyKBhQXglmvgQoVPGK8n:jTV2njpmvgQolGf
Score: 3/10

Signatures: none reported.
Target: 4772
Size: 334KB
MD5: a11ae57c068442f751c4a7f4f5f542b0
SHA1: 131eaded2b2507fa0b1fbf5677705a09496d0f4c
SHA256: 761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772
SHA512: c62d70a3391f30cd5084d8ca4cfe0bdc65205205ac3913d4f9a9af847e1f224a780b3ddb4e981e105dd1dde6a1d52d628c6bb5380901f357156e3063dde2e674
SSDEEP: 6144:5P8U5dPZDa/iuqO2pi14MlxYSCG1H95dp4kq5bx4fbJr/CYzCIbeY3opBMc:F5VZDaj5xZC2dGkebubJr/CIbbopBp

Signatures:
- ModiLoader, DBatLoader. ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software. Looks in the registry for tools such as Wireshark or Fiddler that are commonly used to analyze network activity.
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- ModiLoader Second Stage
- Looks for VMware Tools registry key
- Checks BIOS information in registry. BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry. Disk information is often read in order to detect sandbox environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Target: 6c1a
Size: 2.9MB
MD5: 2342f3d5723d354f19844400bfc63b8f
SHA1: 535009ed27ed4364493cecd0d871c0e45505a21f
SHA256: b88e6baf28fcfa45e9f951160e8dc0b017218171d4c4636fb628136c2bf6c1ac
SHA512: 1a0fc9d77d19d5fe1243e348b4a4938518e429ce92f3bbe453a9f0116fc5c21f78df6a7af24419fb45b0f5c322a0bcbf63ec7552758fccc9e92b713b4caee10a
SSDEEP: 24576:CaiYyi79nghoOKuvA2lrCuFWzYUKcqLcVFNT7zl3Xr4cqtBCGMUSDqH5uVBDcwDM:Qoig3DFHWfypES55XtB5Yg8KdaO
Score: 10/10

Signatures:
- Bitrat family
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: 79330
Size: 2.4MB
MD5: 4c81e4497a420aea61e717fc94e0ad86
SHA1: b8cf42124816876a6f5286af46202705d2e61189
SHA256: 069ed36bdd5046201359415dab896f99f2e5adb89eb54c2e652786e0ccd79330
SHA512: f78deb5aec91ea0557a3790e4f9bcd7846b1853264c25d85f28343e7e9e4eb6722fb3f72fcd834d2745f078b4e5ee5ea3c40848f0100f1edaab47e6f8d484b5b
SSDEEP: 24576:ybKtGyBB9iuK++moKnfNIGQaK83uHU/uYfo11qis3s4b+6GIAANEN2tXL6Y3TEcZ:My1iuD+moCQZhHUWYfo11q33dRGyRt7

Signatures:
- Eternity. Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Eternity family
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
Target: afc500c
Size: 7.3MB
MD5: 63926a5ec17e0838207346060ea15fec
SHA1: d30179fb24c18f9d49202f5110d38ed7967fa836
SHA256: 67c3aedc80696d9f2bf64ec4a4c7c461605d54f169f83babdc8b90993afc500c
SHA512: f0827e23038ad4fc22a0d88c2a8f466638cbb6447538f88bc8eef61b9ca585ecde215cc9c5287fc560cfc7adcb470aa312395dcad9f78e036a4769dd29ea6e48
SSDEEP: 196608:91O6DEFZUlN3lPS0XJjoF0Kx0iroV8H6RrzJFAkN:3OAEFZmVqBFV0iroOH6RrHAkN

Signatures:
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Blocklisted process makes network request
- Checks BIOS information in registry. BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Indirect Command Execution. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
- Loads dropped DLL
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
Target: ef62b5a6474
Size: 259KB
MD5: 0ba4447a07a7c2c63cfe7aa69173ab6a
SHA1: 00273726672ded3869e15e24e09ee1053f547f0f
SHA256: 7c3bd96cd755ebe1e700c2b578cf83e88d10ce2529213c5bccf2def62b5a6474
SHA512: 0b169df73780dfe8d3e5b4c1c298e51e2cab756482a6f6cb439ddae6e66f4c918daa8aa3f059820b2639651e59bc766dc506df654d218d995e843b5f343ebd4d
SSDEEP: 3072:cypgerGfQDgLG96SFeQYWxK14YrLLKzxR/yrhIfD1lBqlb2PDFgvRs5xbBo2+:1xDgLzSHYKg4Yr0bTlm6Zto

Signatures:
- Tofsee family
- Windows security bypass
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Numbers in parentheses are the counts given by the report.

Execution
- Command and Scripting Interpreter (3): PowerShell (3)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (1): Service Execution (1)

Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3): Windows Service (3)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3): Windows Service (3)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Defense Evasion
- Impair Defenses (3): Disable or Modify System Firewall (1), Disable or Modify Tools (2)
- Indirect Command Execution (1)
- Modify Registry (5)
- Virtualization/Sandbox Evasion (3)

Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (4): Credentials In Files (4)

Discovery
- Browser Information Discovery (1)
- File and Directory Discovery (1)
- Peripheral Device Discovery (1)
- Query Registry (7)
- Remote System Discovery (1)
- Software Discovery (1)
- System Information Discovery (5)
- System Location Discovery (1): System Language Discovery (1)
- System Network Configuration Discovery (1): Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (3)