General
-
Target
Shitstain.exe
-
Size
74.9MB
-
Sample
250411-2hmzws1q14
-
MD5
c7043b9b65e252b5305634da4f5515f1
-
SHA1
129a58d2c6c4de7fcead562f9729a28e517fb6d4
-
SHA256
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
-
SHA512
cdc28eb03dcf533d19e74d7bd86962905486902c5556c448bbf0daa69be705dc1f18c7ea2c41ba8568a1910efb711edaa259a02d35108474e412b8044b719575
-
SSDEEP
1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
sharpstealer
https://api.telegram.org/bot7057429288:AAHYl5_27YU1Yjmuj33WKOqLVSgYtq3n-8k/getUpdates
Extracted
lokibot
https://rottot.shop/Devil/PWS/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
asyncrat
0.5.7B
Default
dropout-37757.portmap.host:55554
dropout-37757.portmap.host:37757
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
silverrat
1.0.0.0
clear-spice.gl.at.ply.gg:62042
SilverMutex_ZtRAjMMKxS
-
certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
-
decrypted_key
-|S.S.S|-
-
discord
https://discord.com/api/webhooks/1335733715820609557/QV6ZUiJPFo3MXmoiKBB-WTBlkHeBiFxmRY95RN_M1sHhPMswAoo2T6AL_kHvoSoCRKE0
-
key
yy6zDjAUmbB09pKvo5Hhug==
-
key_x509
dFRzdEVvbU9ZVUR2UmVzZFlPR3V3dlRGWURZdk9S
-
payload_url
https://g.top4top.io/p_2522c7w8u1.png
-
reconnect_delay
2
-
server_signature
PtC8aQAwsdmyktc6Q/l3u9a8oFTj+Ey3VIlIKXe9bX2WiEn7hNPQ0tkMLi1qQ4IBmCWOFTRIVHi2GG5zTxUlAwkitK3X3bWdHiwrf6PqZ7NdmPsSKZym4q+nKXH4df40wtjNvJ2x2m8OSi5jsVvT64/UsmRfIZbFTRp63PCTQ6lN+EL6OoW+dMidok+JH6T8pG21/HyoeykN9muipEqdoixkTFitX6aUocvGy6VZCs7eSxoXtzmYQ3tBukBHuIZAivbVLiF2aDkkpSX6763SGMYUbfASkQ/ihv1elb+XOoqprP3V4GqcllwfGzlk+8/rQD8C3cwLiQEtXgKHbyYWrNcSvis5fYgRcEDvlk2ZkbE8VQE6aNc+VN0TZNW3ldvE+h62kKCYoOb7oJDwiw86IudT01xe9YetmDuCvOIBZqGoXj0h68jOIklH4g22Fx8pOaIisv01vdSoawFzoOQNfgfZeRgjvV6QJHQiYuodn+FWlPwYxQ7FzUJy3is8d0VoJr6rG2BeEn99pW/LO+SsCfPIGZvs7oA/oEsn2BBkGVhlko0IZCxd30q3HIEIwdagGJgHVtnC5C2yMsmjV3geQMUCdRsAJEuCEVqAkTr7QQNJoSCok8jOYoOeJxzwbNzAMySliCDNoGYhhU/jnfhJKsqo355RYtvKROehEYZ0Srg=
Extracted
quasar
1.3.0.0
nigga
niggahunter-28633.portmap.io:28633
QSR_MUTEX_m0fef2zik6JZzavCsv
-
encryption_key
E3KUWr7JQZqCWN4hstks
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
SubDir
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
crimsonrat
185.136.161.124
Extracted
metasploit
metasploit_stager
54.169.93.143:10549
Extracted
quasar
1.4.1
21325
146.190.110.91:13000
e5627e25-0d0e-4509-8b39-a3de07ba1545
-
encryption_key
3B7163AA2D236AA40236BB7204ED370202AD4ABE
-
install_name
explorer.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
MicrosoftQuasUpdate
-
subdirectory
explorer
Targets
-
-
Target
Shitstain.exe
-
Size
74.9MB
-
MD5
c7043b9b65e252b5305634da4f5515f1
-
SHA1
129a58d2c6c4de7fcead562f9729a28e517fb6d4
-
SHA256
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
-
SHA512
cdc28eb03dcf533d19e74d7bd86962905486902c5556c448bbf0daa69be705dc1f18c7ea2c41ba8568a1910efb711edaa259a02d35108474e412b8044b719575
-
SSDEEP
1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
CrimsonRAT main payload
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
-
Sharpstealer family
-
SilverRat
SilverRat is trojan written in C#.
-
Silverrat family
-
Sliver RAT v2
-
Sliver family
-
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
-
ModiLoader First Stage
-
mimikatz is an open source tool to dump credentials on Windows
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Uses the VBS compiler for execution
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Modify Authentication Process
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
1File Deletion
1Modify Authentication Process
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1