Overview

overview

10

Static

static

3

test.exe

windows7-x64

7

test.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    test.exe

  • Size

    14.3MB

  • Sample

    250319-dvmynavpz8

  • MD5

    8a44ee98217bc81f0869d793eefab1f0

  • SHA1

    4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200

  • SHA256

    c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

  • SHA512

    4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02

  • SSDEEP

    393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

Score
10/10
agentteslaammyyadmindarkcometflawedammyylokibotlummamodiloaderquasarvidarxredxwormautref083f1f6fa006fbbc744aa9888fb3e8asigortatiktokbackdoorcollectioncredential_accessdefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationpyinstallerratspywarestealertrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.chinaplasticsac.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    8ZBcRV7dC~bT

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    176.65.144.3
  • Port:
    21
  • Username:
    admin
  • Password:
    Admin56@@

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    176.65.144.3
  • Port:
    21
  • Username:
    Believe
  • Password:
    Believe56@@

Extracted

Family

xworm

Version

5.0

C2

116.250.190.209:4567

92.255.85.2:4372

92.255.57.221:4414

92.255.85.66:7000

127.0.0.1:7000

178.173.236.10:7000
Mutex

J3k8MjpWYHnLberu

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

lumma

C2

https://phygcsforum.life/api

https://0explorebieology.run/api

https://gadgethgfub.icu/api

https://84moderzysics.top/api

https://techmindzs.live/api

https://ucodxefusion.top/api

https://techspherxe.top/api

https://-earthsymphzony.today/api

https://.cocjkoonpillow.today/api

https://zfeatureccus.shop/api

https://mrodularmall.top/api

https://jowinjoinery.icu/api

https://legenassedk.top/api

https://yhtardwarehu.icu/api

https://cjlaspcorne.icu/api

https://bugildbett.top/api

https://latchclan.shop/api

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://176.65.144.3
  • Port:
    21
  • Username:
    admin
  • Password:
    Admin56@@

Extracted

Family

vidar

Version

13.2

Botnet

f083f1f6fa006fbbc744aa9888fb3e8a

C2

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Extracted

Family

quasar

Version

176.65.144.14:4567;

Botnet

tiktok

C2

https://pastebin.com/raw/5KMaxFkV

Mutex

6b91ceb8-fdf6-44ae-8d03-cf7d52a55ba9

Attributes
  • encryption_key

    6DB4822E80CF23FD4665B760183906FE57378512

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Chrome Updated

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

3.1

C2

needforrat.hopto.org:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

C2

213.238.177.46:1604

Mutex

QSR_MUTEX_dxT1m3RtSBLlUoRqXL

Attributes
  • encryption_key

    AZfjKXCnqT1oHdxEyyKo

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

lokibot

C2

http://bauxx.xyz/mtk1/w2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

darkcomet

Botnet

AUTRE

C2

voltazur.ddns.net:1604

Mutex

DC_MUTEX-0F1C40C

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    djHf5i8YgrmK

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Extracted

Family

lumma

C2

https://moderzysics.top/api

Targets

    • Target

      test.exe

    • Size

      14.3MB

    • MD5

      8a44ee98217bc81f0869d793eefab1f0

    • SHA1

      4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200

    • SHA256

      c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

    • SHA512

      4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02

    • SSDEEP

      393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

    Score
    10/10
    agentteslaammyyadmindarkcometflawedammyylokibotlummamodiloaderquasarvidarxredxwormautref083f1f6fa006fbbc744aa9888fb3e8asigortatiktokbackdoorcollectioncredential_accessdefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojanupx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Ammyy Admin

      Remote admin tool with various capabilities.

      ratammyyadmin

    • AmmyyAdmin payload

    • Ammyyadmin family

      ammyyadmin

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

      trojanflawedammyy

    • Flawedammyy family

      flawedammyy

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies WinLogon for persistence

      persistence

    • Modiloader family

      modiloader

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • ModiLoader Second Stage

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Authentication Process

1
T1556

Modify Registry

4
T1112

Subvert Trust Controls

2
T1553

Install Root Certificate

1
T1553.004

SIP and Trust Provider Hijacking

1
T1553.003

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

8
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks