Overview

overview

10

Static

static

10

9e0a427b0b...e7.exe

windows7-x64

10

9e0a427b0b...e7.exe

windows10-2004-x64

10

9e25b8a175...7c.exe

windows7-x64

10

9e25b8a175...7c.exe

windows10-2004-x64

10

9e55090245...e4.exe

windows7-x64

10

9e55090245...e4.exe

windows10-2004-x64

10

9e5b7ffaab...05.exe

windows7-x64

10

9e5b7ffaab...05.exe

windows10-2004-x64

10

9e74a20e4e...38.exe

windows7-x64

10

9e74a20e4e...38.exe

windows10-2004-x64

10

9e8b382868...39.exe

windows7-x64

10

9e8b382868...39.exe

windows10-2004-x64

10

9e9642daec...94.exe

windows7-x64

10

9e9642daec...94.exe

windows10-2004-x64

10

9ef950b123...99.exe

windows7-x64

3

9ef950b123...99.exe

windows10-2004-x64

9f17d0e9bc...f7.exe

windows7-x64

6

9f17d0e9bc...f7.exe

windows10-2004-x64

6

9f1ccfcf5e...7d.exe

windows7-x64

1

9f1ccfcf5e...7d.exe

windows10-2004-x64

9f2ebb9c98...4f.exe

windows7-x64

10

9f2ebb9c98...4f.exe

windows10-2004-x64

10

9f461fa033...0b.exe

windows7-x64

10

9f461fa033...0b.exe

windows10-2004-x64

10

9f6a6c8041...f9.exe

windows7-x64

7

9f6a6c8041...f9.exe

windows10-2004-x64

7

9fc6b7a531...e4.exe

windows7-x64

10

9fc6b7a531...e4.exe

windows10-2004-x64

10

9fef837bde...4e.exe

windows7-x64

10

9fef837bde...4e.exe

windows10-2004-x64

10

9ff5970462...e0.exe

windows7-x64

10

9ff5970462...e0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_39.zip

  • Size

    123.5MB

  • Sample

    250322-gznbrstjy5

  • MD5

    f193d4b404eed6ccd9213a2816f892b7

  • SHA1

    5896c3b034b2aac99d109d0750c17b8026dfc968

  • SHA256

    63b2109d651e58bdceb6dcd68821e723f4a5ce45875405cf395ff04937ea26b8

  • SHA512

    c4286d112f0c979cdd6c1d7d812a47be86bc642eb89699126a7abfa74e1879a62af4fdf3e1eb3ac9da900e89f5ee523a4c5ce980f31b83ceffa036271d35957d

  • SSDEEP

    3145728:IwTj6ju2BzsizFU9ZSgJU+d3ULaShPdFdFitiXeZy0LPQ7W53Qg:eOIO98gJbd+H6ypW5gg

Score
10/10
agenttesladcratformbooklummananocorenjratredlinesectopratvidarxredxwormf6faed200cf5221824faa77f2904ee3dhackedtest_class mj25backdoorcollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerkeyloggermacropersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

26.ip.gl.ply.gg:43299

127.0.0.1:4351

funds-zoning.gl.at.ply.gg:4351
Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:51521

santifzm-51521.portmap.host:51521
Mutex

SSfldUd6VoUjvd4l

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

redline

Botnet

test_class

C2

45.66.248.144:39544

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

tibeve7951.ddns.net:1177

Mutex

f1b509f6431f987b9c60ddbb144b23ef

Attributes
  • reg_key

    f1b509f6431f987b9c60ddbb144b23ef

  • splitter

    |'|'|

Extracted

Family

nanocore

Version

1.2.2.0

C2

[email protected]:46218

178.32.224.116:46218
Mutex

4af74541-e3f1-469c-8af7-efe4071b81cf

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    178.32.224.116

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2018-07-28T12:59:38.488799236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    46218

  • default_group

    tourex

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    4af74541-e3f1-469c-8af7-efe4071b81cf

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    [email protected]

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

vidar

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

vidar

Version

13.1

Botnet

f6faed200cf5221824faa77f2904ee3d

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

lumma

C2

https://gadgethgfub.icu/api

https://explorebieology.run/api

https://moderzysics.top/api

https://techmindzs.live/api

https://mcodxefusion.top/api

https://phygcsforum.life/api

https://techspherxe.top/api

https://earthsymphzony.today/api

Extracted

Family

lumma

C2

https://moderzysics.top/api

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7828202228:AAHkdf9t5lpLwaCERqNSg_8EuuR0ho-xJ5M/

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

formbook

Version

4.1

Campaign

mj25

Decoy

resencepeople.net

okebowlkoning.online

owevrcast.store

ynursery.xyz

isefyxerprotech.info

nventrobots-br.xyz

rojetos3d.shop

confyxerengine.info

litdugunsalonu.xyz

uporexinaluvo.click

attwecan.net

r154359.xyz

airtidy.store

headvancestore.shop

urolube.xyz

apnovis.online

adychef.shop

armhouse.world

unspotgambit.top

nline-dating-for-now.today

Targets

    • Target

      9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe

    • Size

      1.6MB

    • MD5

      4d0d9e2f3b8a29bd81895302e6b96923

    • SHA1

      400acf93d23144e814d99769db2796e71b802c42

    • SHA256

      9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7

    • SHA512

      6284cb80bfde21bdcd41b0474a92b5f5516a92bfb77256cf6fda6072b4de483334480d4e66f556a861d2592077ece71578e9cae224639c4ad63818f578637913

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral1behavioral2

    • Target

      9e25b8a1755d29ec471d8df1d98f317c.exe

    • Size

      653KB

    • MD5

      9e25b8a1755d29ec471d8df1d98f317c

    • SHA1

      03ccf41be940c9f3b4188e8255e0da279b0ef353

    • SHA256

      9e823b1176abb26551e17313ffce881ef7cf3955abe9d77653d7ff561e42f895

    • SHA512

      13ba192517dfe100eb28b6015e3a755b05106457d855c8393bb050adf6b5f0347fc818245bd978230c47a632dae2714255252c2f773fe1e583f152d3211f5437

    • SSDEEP

      12288:qi9pXxw2qAJwI1s+pTFr9S1iUe6a10F8F5qg96GqKHaWWCQyaFZqT20jf:q+L51s+xFrQFt45qlGqmaWfQFFN0

    Score
    10/10
    agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      9e55090245947d9d81138b405be61fe4.exe

    • Size

      64KB

    • MD5

      9e55090245947d9d81138b405be61fe4

    • SHA1

      56b3e7d5facac608648adb6a30628761703300e3

    • SHA256

      4476a29d069a9b28a1779cdd11ed835ee5287fdc1829dab97f221dfc4f5301a2

    • SHA512

      759923edf00532a2e8340f0b1cfcc7d6d1b3611a2cd8588690920739355287433a90b54af8b0c3657584b7397f16d5138d4dda19ac60f84b9f744d062a2e1d1c

    • SSDEEP

      1536:1fQJBWB1aIfBHrgAIZ+bz167WN6w6YOA8zN/lWP:171aKUT+bz167sOAWgP

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      9e5b7ffaabf5b7b87ae5351d2bb0eb05.exe

    • Size

      653KB

    • MD5

      9e5b7ffaabf5b7b87ae5351d2bb0eb05

    • SHA1

      c35998b70509afccf22b084212b679a9c2651b94

    • SHA256

      16bd0dcc57418cd1689dc890eca5e224eba7ab58c42920ba8209489a5dd35fe4

    • SHA512

      b53875b42fa07f3550646a3aa447d9318f88c7aa4c58b4ae6f8130f8ed6155c8013f038c105e34f7c035d37df536d93510658cce92d2f0bf61e05f6f4bd859c5

    • SSDEEP

      12288:MffeNPINJUCFMDRuBPJadJMDcg71J7rt+6rYjF+KWdDzeWHahs/:MffeNPJ6+umdyrrEQ

    Score
    10/10
    formbookmj25discoveryexecutionratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook family

      formbook

    • Formbook payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      9e74a20e4ecbeedc5ad6b4cfb0c41a38.exe

    • Size

      418KB

    • MD5

      9e74a20e4ecbeedc5ad6b4cfb0c41a38

    • SHA1

      b9b94587d9cd26acc5c634b8eec072e63ec88104

    • SHA256

      9c803b229134118deb86378c075255be2c8081fe2f9b4b8a7104edaad7f87d55

    • SHA512

      c7fcf604ca2a09ee309f504c83e481ac44143c2eeec7d70297cdbda84f741a0318714445fa7c2991b91a02034691d3a82088f41ad505ea41da3b4ad6a17cd09f

    • SSDEEP

      6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUK:ITNYrnE3bm/CiejewY5vp

    Score
    10/10
    nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Nanocore family

      nanocore

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

    • Target

      9e8b38286839f4eb5f1854ff289ba939.exe

    • Size

      1.1MB

    • MD5

      9e8b38286839f4eb5f1854ff289ba939

    • SHA1

      69b8eb34721395d1acab1dcbb6762c6cf53e8f23

    • SHA256

      f7e2594c8b7a36e1279ae8ff2acfa754259ef9f04ff99e7dd3d0889caeb9f96a

    • SHA512

      7a4367c603bcb5d6da028db6cf3709cbe7c0356cdcbc5c204f44de31c3b80fd449d76b42dab30345cc86a0af792b0ecf05cd8b22e08919c888e03c4311c23942

    • SSDEEP

      24576:TvLHt8lES5uOU6PPbw9r0VSIC49ykhlLt7Lsn:zLHtqsSPbw9mSId9yk/I

    Score
    10/10
    vidarf6faed200cf5221824faa77f2904ee3ddiscoverystealerlummacredential_accessspyware

    • Detect Vidar Stealer

      stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      9e9642daecce85c22839d2da2451d575e39e53e3678d59346a08d7a20fdff494.exe

    • Size

      686KB

    • MD5

      882736af79fb15364f7edb2cb55c893f

    • SHA1

      0880a994a805ee4a8cf456d9aa3bc65ce4b2d035

    • SHA256

      9e9642daecce85c22839d2da2451d575e39e53e3678d59346a08d7a20fdff494

    • SHA512

      0d8e8cb355629ff7c896eff65e9cfc69320a9c7985eecb676768676516a3de4b1162d9e4be6ccbcbd129e9ec1e8d59c9db3b56fe6c88c30452718b081a98e337

    • SSDEEP

      6144:xtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rCc7:76u7+487IFjvelQypyfy7Cc7

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      9ef950b12378580cc039c1ad6a089ae2fd9fc5b47b2b380cfe0b953a44fbce99.exe

    • Size

      16.7MB

    • MD5

      fd6975e9f9ab6af2744d5411c49fecc2

    • SHA1

      658610fd18c946e5ff1d3500d0c994862d3cd525

    • SHA256

      9ef950b12378580cc039c1ad6a089ae2fd9fc5b47b2b380cfe0b953a44fbce99

    • SHA512

      48cb3591ebe882fd9296cbbb6750dd825af8ce81a5f84d30a60989e76efe7f19b95bf494114c3f2dd60f7dd7bcbad8a4f7f52c56063b91965650698635aee45e

    • SSDEEP

      196608:G1lPsK+W36QqOyjr2LF3Ye6YmnwqdU142UafXsyFqBc:jK+c1cjSLFoBYmn5U1PFXsyFqB

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      9f17d0e9bc37b8d8f59a92b9ee6e0ff7.exe

    • Size

      3.8MB

    • MD5

      9f17d0e9bc37b8d8f59a92b9ee6e0ff7

    • SHA1

      a881aeb52537a065cb93a781c47a7aedd1d52bad

    • SHA256

      bd78488c88c8843888932c93f1ee8e976732cc08b3e98cabcd1ecec9d9ff48cd

    • SHA512

      355d44470d6df39afa5f742d7086487065eeb0b27750043610f425fd647cd8510ea1afd0d7e0cfb2bd44a40f266ef01416c7e95ec2c11c4244a36d4a3698fe8c

    • SSDEEP

      24576:k2ccX+yJ90eA5O0hqlNuh1nycJMe1ZlKzzRjGvwq3uXWhdecRtzADcinyyzq2y1y:yeNllM7ycyyy9Ce2s7g7Jn1o

    Score
    6/10

    • Legitimate hosting services abused for malware hosting/C2

    behavioral17behavioral18

    • Target

      9f1ccfcf5e175ae4c6ef4cb297ce5f7d.exe

    • Size

      16.8MB

    • MD5

      9f1ccfcf5e175ae4c6ef4cb297ce5f7d

    • SHA1

      6be3dc287bfeb4b4ff0c016a2f9616df8a7ad5c5

    • SHA256

      d6b3e829442d9c0c7d6553c084dc666391704f2390d96216763edc1af0046721

    • SHA512

      dfb334cea9425d4bc185459a09f539adc3e95d06ed0baec8475ddcdb7e44acda57a919977029baf9cf2af0617e0a95fe9efcfee818dcc357a8df99c6869d8021

    • SSDEEP

      196608:8/j3V6QqOyjr2LF3Ye6YmnwqdU142UUZG7xKj/46:UV1cjSLFoBYmn5U1PlZG7xKH

    Score
    1/10
    behavioral19behavioral20

    • Target

      9f2ebb9c9810b867e79b44304e12d14f.exe

    • Size

      221KB

    • MD5

      9f2ebb9c9810b867e79b44304e12d14f

    • SHA1

      7f1c83d87f310b825a6e3715d7ad334e8b85030c

    • SHA256

      b6a72c7e36baebcdd4a6c99b7a770031f66ad0c3f809b72e577db7b69b103ea1

    • SHA512

      0d6d9c03cfd141d9b24360048ba0aa094a4a405ca9632c5c33e2d05ae023634566073d7509fe489f4ef3b11d493c55dfff967349d777905a2adc707003731f92

    • SSDEEP

      3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmE:ZR5IuMQoseGk7RZBGxAycKpSPX2D

    Score
    10/10
    defense_evasiondiscoverypersistencespywarestealer

    • Modifies WinLogon for persistence

      persistence

    • Modifies visiblity of hidden/system files in Explorer

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      9f461fa033a1285118131ac30901150b.exe

    • Size

      41KB

    • MD5

      9f461fa033a1285118131ac30901150b

    • SHA1

      5e41153ef326c5b67ac457c89ba06166442edd4b

    • SHA256

      17aa06c1b1bc77ebe77a226117bda474c640f340e7e9fc1c63aba0952044a0fb

    • SHA512

      9672595bfd7188461e7dc69a94dc09bf5362a682ddd9aa4cd9329a2b496c0f02544925f237d33fe2e4d7cb8d554a7d947eacfcf79df561101dc0a314847ec641

    • SSDEEP

      768:WHzZwCyfrD6QdI9EfsbGxFPw9b2w6sOuh+Petrp9:8C9vtdI/iFY9qw6sOu42rp9

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral23behavioral24

    • Target

      9f6a6c80412876ea03ad4f91bde1f4f9.exe

    • Size

      441KB

    • MD5

      9f6a6c80412876ea03ad4f91bde1f4f9

    • SHA1

      fc790ac37fe77fee5fb4f38faea0484735bca3ac

    • SHA256

      efb79eb15122d2db2c044077ec6b477ddcb468cf643a4373be39d745a010f3d7

    • SHA512

      75af93120e1c0e4ff8eb53697457c59dd9c3344c160010674a9794831b36ad327268bd4d2487d5e64d3e8350f72657513e2318d7f204149ddcf450c04441382e

    • SSDEEP

      1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral25behavioral26

    • Target

      9fc6b7a531664647e76420f006504fe4.exe

    • Size

      783KB

    • MD5

      9fc6b7a531664647e76420f006504fe4

    • SHA1

      719f7a1a72fd0a3868802dba03915489e405096d

    • SHA256

      1b9c3ff779aff3d88db47afc5230aeaa0b3332db3fb39f8604eadc5c13a351d3

    • SHA512

      9a340891c5a12cc53e3a0466b4c7e8aa6aa89a0110f8a789d5a1950ab7541fbb707d0af98c90517894ea0acdd63f94a7d6d58b69cdb26f7e5cf30a4848587d3d

    • SSDEEP

      12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:G+OQbpbgsFdAyQvzSqaq8q

    Score
    10/10
    dcratdefense_evasioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops file in System32 directory

    behavioral27behavioral28

    • Target

      9fef837bdea2dc9e761d7e177419aa4e.exe

    • Size

      1.1MB

    • MD5

      9fef837bdea2dc9e761d7e177419aa4e

    • SHA1

      528d8bfbcd30c1bb1a4d18798d6c1721607a8854

    • SHA256

      d5f6ca5a453ca37f5b13c6babe8a28e400411adb2b49f348340ec30b8a342d2d

    • SHA512

      73da2bde88483ea1c50b83b15012250e50f0e26cd5e7b6646249fc576041bdc9b002033775bab919f99e42b02effa98978302dc69a4baa6a3a21c2a27b1762bb

    • SSDEEP

      12288:p49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:pngTKZ5RU/xG7zsEyEve6SZ+dIe8usv

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops file in System32 directory

    behavioral29behavioral30

    • Target

      9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe

    • Size

      11.1MB

    • MD5

      a22ee5e739a2ac8369547f4fce22b08a

    • SHA1

      8e4a30c3f03682b057307548e83af8b3a5ff12f6

    • SHA256

      9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0

    • SHA512

      aa0a9be779940a26d2adb13f3380d1556d4de6a1f2b6eb7e5bf05e02342cb9fbc6b5417b903fd49382d1d0508af4189aca1f528c496e7c111e93ccdca50669fd

    • SSDEEP

      196608:INsg4AMgAyNsg4AMgAINsg4AMgAFNsg4AMgAINsg4AMgAENsg4AMgAiNsg4AMgA8:IGg4adGg4a3Gg4aqGg4ajGg4aDGg4a1f

    Score
    10/10
    xredbackdoorcollectiondiscoveryexecutionmacropersistencespywarestealer

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Suspicious Office macro

      Office document equipped with macros.

      macro

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Authentication Process

1
T1556

Modify Registry

6
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

6
T1552

Credentials In Files

5
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

5
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

rattest_class hackeddcratxwormredlinesectopratnjrat
Score
10/10

behavioral1

dcratexecutioninfostealerrat
Score
10/10

behavioral2

dcratexecutioninfostealerrat
Score
10/10

behavioral3

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan
Score
10/10

behavioral4

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan
Score
10/10

behavioral5

xwormexecutionpersistencerattrojan
Score
10/10

behavioral6

xwormexecutionpersistencerattrojan
Score
10/10

behavioral7

formbookmj25discoveryexecutionratspywarestealertrojan
Score
10/10

behavioral8

formbookmj25discoveryexecutionratspywarestealertrojan
Score
10/10

behavioral9

nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral10

nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral11

vidarf6faed200cf5221824faa77f2904ee3ddiscoverystealer
Score
10/10

behavioral12

lummavidarf6faed200cf5221824faa77f2904ee3dcredential_accessdiscoveryspywarestealer
Score
10/10

behavioral13

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral14

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

Score
6/10

behavioral18

Score
6/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

defense_evasiondiscoverypersistencespywarestealer
Score
10/10

behavioral22

defense_evasiondiscoverypersistencespywarestealer
Score
10/10

behavioral23

xwormrattrojan
Score
10/10

behavioral24

xwormrattrojan
Score
10/10

behavioral25

discovery
Score
7/10

behavioral26

discovery
Score
7/10

behavioral27

dcratdefense_evasioninfostealerpersistencerattrojan
Score
10/10

behavioral28

dcratdefense_evasioninfostealerpersistencerattrojan
Score
10/10

behavioral29

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral30

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral31

xredbackdoorcollectiondiscoveryexecutionmacropersistencespywarestealer
Score
10/10

behavioral32

xredbackdoorcollectiondiscoveryexecutionpersistencespywarestealer
Score
10/10