Overview

overview

10

Static

static

3

221b9.exe

windows7-x64

10

221b9.exe

windows10-2004-x64

10

2c42a36d7.exe

windows7-x64

10

2c42a36d7.exe

windows10-2004-x64

10

2da5f7422573.exe

windows7-x64

3

2da5f7422573.exe

windows10-2004-x64

3

3fcc16.exe

windows7-x64

3

3fcc16.exe

windows10-2004-x64

3

4772.exe

windows7-x64

10

4772.exe

windows10-2004-x64

10

6c1a.exe

windows7-x64

10

6c1a.exe

windows10-2004-x64

10

79330.exe

windows7-x64

10

79330.exe

windows10-2004-x64

10

afc500c.exe

windows7-x64

10

afc500c.exe

windows10-2004-x64

8

ef62b5a6474.exe

windows7-x64

10

ef62b5a6474.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Foranalysis.7z

  • Size

    12.6MB

  • Sample

    250312-xg84hs1mx4

  • MD5

    a4495d1988b840fd00e77cb97d528d43

  • SHA1

    2e381dc1d1142e9a8e25344a8e743eb510371db4

  • SHA256

    3ef6482e94e62b0f674c24b66fed5230b07395929f5fc77708fed0cb536c4a2b

  • SHA512

    44975caac2ce969aa90af0edf2939b7699cebc21c15870c88e30608a5f22ba4c9b6b8a2b0e79430d1f642980064b061f98d8d82f626d87c402d72d604a753d8e

  • SSDEEP

    393216:yFvWvfl7zZsMFdhHxlKlhcPDgoZQ66NrRYW:yA1dlxlKlhIDsx

Score
10/10
bitrateternitymodiloadersnakekeyloggertofseecollectioncredential_accessdefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationspywarestealertrojanupxworm

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    valleycountysar.org
  • Port:
    26
  • Username:
    [email protected]
  • Password:
    }eQA)VL2!$V}

Extracted

Family

bitrat

Version

1.38

C2

62.210.11.126:9024

Attributes
  • communication_password

    57e9678c1972887ccb37a6296021d65d

  • tor_process

    tor

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes
  • payload_urls

    http://167.88.170.23/swo/sw.exe

    http://167.88.170.23/swo/swo.exe

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      221b9

    • Size

      754KB

    • MD5

      849c47adca493169ca05d46b16912631

    • SHA1

      7149fcfc067b91fa57186d3c0ed0c9056bb59842

    • SHA256

      854b59aa584237418101867e86018d0e0c3e8a588010d8cc8f8850e66b5221b9

    • SHA512

      5184dd5af0587cd95c8f92ef1d9f3239fb9501ced1dbb216677211ee1b304eff2921c14f9e02f763394a73f50d6cad62433867dbc218333a29767358f66f8df7

    • SSDEEP

      12288:hA5CB0OqJhZrzJV665IHCzwdvkSCcr/+VQ7CSOqJ7KEk0Vr2IPeiBS8rBy:hA5aWDyaIic1nxGVQ7CTxEX4IG

    Score
    10/10
    snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Snakekeylogger family

      snakekeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      2c42a36d7

    • Size

      821KB

    • MD5

      5fc4c73e287297316316d56ec340bb98

    • SHA1

      306fd44b6d688e9f84d87e533605121bdf64eb9c

    • SHA256

      33ba34d8685f48fc23e074cf802716cce5f1b27a656a0996bdf88232c42a36d7

    • SHA512

      76b21a33991414c057d1d6eafa5f8b2327c7b6e1f2aeae6e60fc15f82c65e9c40252f4aaf9d0d3276a7401a6adfb93b35e4794d9987229aa456dcddfcb85f8d8

    • SSDEEP

      12288:1xkn6YuwDEgW0+K4tvzxn58XdUpGHnSieAi+Ze643VaxBP:nM6yG0+hhzxnidiGHSi3HuS

    Score
    10/10
    modiloaderdiscoverytrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modiloader family

      modiloader

    • ModiLoader Second Stage

    behavioral3behavioral4

    • Target

      2da5f7422573

    • Size

      1.7MB

    • MD5

      2e796fd4f40f597199ae66b5c5e12478

    • SHA1

      39546d3019a853586d7f6cf7b381275b74155c04

    • SHA256

      08b093dc7c7b7f3b4bb86e0824d23adc88cf89c67836f1a717e12da5f7422573

    • SHA512

      165a623c551cae3645b5b13a3555d13ddd4f4110d38200450a07160895fcc14de130899271136933acdd0d25f371534c7c73fa1aea4ba444a7b304f171569b37

    • SSDEEP

      12288:loSWNTd7Yo1VFnA4r5rraOVokssOcnh2tbbLqhS8aKq:loS2Tdko1V6u5rraOVouOcn4tbbR8a9

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      3fcc16

    • Size

      1.0MB

    • MD5

      b5fe9871d9ea49f5690b3b02e52432be

    • SHA1

      017fbfd3040bc5cbfa724fb195d3a5240ae16d90

    • SHA256

      bc663a12e76623f5bcb297c16a209b0ef5a978f2474ba9027d9ec4601c3fcc16

    • SHA512

      b60e05b582a0e46b3e4128793e2e4239a3f03c8a847c29ab8e5807fb57341e543bf3a92feaf327f0764baca0030e1e9a12366ce337e9912a0d3807cf9d7ae8fc

    • SSDEEP

      24576:j/lSdIQHTtf6++IdMUXuMjyKBhQXglmvgQoVPGK8n:jTV2njpmvgQolGf

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      4772

    • Size

      334KB

    • MD5

      a11ae57c068442f751c4a7f4f5f542b0

    • SHA1

      131eaded2b2507fa0b1fbf5677705a09496d0f4c

    • SHA256

      761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772

    • SHA512

      c62d70a3391f30cd5084d8ca4cfe0bdc65205205ac3913d4f9a9af847e1f224a780b3ddb4e981e105dd1dde6a1d52d628c6bb5380901f357156e3063dde2e674

    • SSDEEP

      6144:5P8U5dPZDa/iuqO2pi14MlxYSCG1H95dp4kq5bx4fbJr/CYzCIbeY3opBMc:F5VZDaj5xZC2dGkebubJr/CIbbopBp

    Score
    10/10
    modiloaderdiscoveryexecutiontrojandefense_evasionpersistence

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modiloader family

      modiloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      defense_evasion

    • Looks for VirtualBox Guest Additions in registry

      defense_evasion

    • Looks for VirtualBox drivers on disk

      defense_evasion

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

      defense_evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

    • Target

      6c1a

    • Size

      2.9MB

    • MD5

      2342f3d5723d354f19844400bfc63b8f

    • SHA1

      535009ed27ed4364493cecd0d871c0e45505a21f

    • SHA256

      b88e6baf28fcfa45e9f951160e8dc0b017218171d4c4636fb628136c2bf6c1ac

    • SHA512

      1a0fc9d77d19d5fe1243e348b4a4938518e429ce92f3bbe453a9f0116fc5c21f78df6a7af24419fb45b0f5c322a0bcbf63ec7552758fccc9e92b713b4caee10a

    • SSDEEP

      24576:CaiYyi79nghoOKuvA2lrCuFWzYUKcqLcVFNT7zl3Xr4cqtBCGMUSDqH5uVBDcwDM:Qoig3DFHWfypES55XtB5Yg8KdaO

    Score
    10/10
    bitratdiscoverypersistencetrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Bitrat family

      bitrat

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral11behavioral12

    • Target

      79330

    • Size

      2.4MB

    • MD5

      4c81e4497a420aea61e717fc94e0ad86

    • SHA1

      b8cf42124816876a6f5286af46202705d2e61189

    • SHA256

      069ed36bdd5046201359415dab896f99f2e5adb89eb54c2e652786e0ccd79330

    • SHA512

      f78deb5aec91ea0557a3790e4f9bcd7846b1853264c25d85f28343e7e9e4eb6722fb3f72fcd834d2745f078b4e5ee5ea3c40848f0100f1edaab47e6f8d484b5b

    • SSDEEP

      24576:ybKtGyBB9iuK++moKnfNIGQaK83uHU/uYfo11qis3s4b+6GIAANEN2tXL6Y3TEcZ:My1iuD+moCQZhHUWYfo11q33dRGyRt7

    Score
    10/10
    eternitydiscoveryworm

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

      eternity

    • Eternity family

      eternity

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      afc500c

    • Size

      7.3MB

    • MD5

      63926a5ec17e0838207346060ea15fec

    • SHA1

      d30179fb24c18f9d49202f5110d38ed7967fa836

    • SHA256

      67c3aedc80696d9f2bf64ec4a4c7c461605d54f169f83babdc8b90993afc500c

    • SHA512

      f0827e23038ad4fc22a0d88c2a8f466638cbb6447538f88bc8eef61b9ca585ecde215cc9c5287fc560cfc7adcb470aa312395dcad9f78e036a4769dd29ea6e48

    • SSDEEP

      196608:91O6DEFZUlN3lPS0XJjoF0Kx0iroV8H6RrzJFAkN:3OAEFZmVqBFV0iroOH6RrHAkN

    Score
    10/10
    defense_evasiondiscoveryexecutionspywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Windows security bypass

      defense_evasiontrojan

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    behavioral15behavioral16

    • Target

      ef62b5a6474

    • Size

      259KB

    • MD5

      0ba4447a07a7c2c63cfe7aa69173ab6a

    • SHA1

      00273726672ded3869e15e24e09ee1053f547f0f

    • SHA256

      7c3bd96cd755ebe1e700c2b578cf83e88d10ce2529213c5bccf2def62b5a6474

    • SHA512

      0b169df73780dfe8d3e5b4c1c298e51e2cab756482a6f6cb439ddae6e66f4c918daa8aa3f059820b2639651e59bc766dc506df654d218d995e843b5f343ebd4d

    • SSDEEP

      3072:cypgerGfQDgLG96SFeQYWxK14YrLLKzxR/yrhIfD1lBqlb2PDFgvRs5xbBo2+:1xDgLzSHYKg4Yr0bTlm6Zto

    Score
    10/10
    tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Tofsee family

      tofsee

    • Windows security bypass

      defense_evasiontrojan

    • Creates new service(s)

      persistenceexecution

    • Modifies Windows Firewall

      defense_evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

3
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Indirect Command Execution

1
T1202

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

3
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

File and Directory Discovery

1
T1083

Peripheral Device Discovery

1
T1120

Query Registry

7
T1012

Remote System Discovery

1
T1018

Software Discovery

1
T1518

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

3
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer
Score
10/10

behavioral2

snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer
Score
10/10

behavioral3

modiloaderdiscoverytrojan
Score
10/10

behavioral4

modiloaderdiscoverytrojan
Score
10/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

modiloaderdefense_evasiondiscoveryexecutionpersistencetrojan
Score
10/10

behavioral10

modiloaderdiscoveryexecutiontrojan
Score
10/10

behavioral11

bitratdiscoverypersistencetrojanupx
Score
10/10

behavioral12

bitratdiscoverypersistencetrojanupx
Score
10/10

behavioral13

eternitydiscoveryworm
Score
10/10

behavioral14

eternitydiscoveryworm
Score
10/10

behavioral15

defense_evasiondiscoveryexecutionspywarestealertrojan
Score
10/10

behavioral16

defense_evasiondiscoveryexecutionspywarestealer
Score
8/10

behavioral17

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan
Score
10/10

behavioral18

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan
Score
10/10