General
Target: 250604-t5e9kagj9w.bin
Size: 4KB
Sample: 250604-vtzdqssxg1
MD5: a239a27c2169af388d4f5be6b52f272c
SHA1: 0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512: f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP: 48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Static task: static1
Behavioral task: behavioral1
  Sample: 250604-t5e9kagj9w.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 250604-t5e9kagj9w.exe
  Resource: win11-20250502-en
Malware Config
Extracted: xworm
5.0
3214r214r12412-50274.portmap.io:50274
djksandjkandsa-58893.portmap.io:58893
vvvvvvase2314e214re21-22848.portmap.io:22848
e3qieuj3qidwsa-60573.portmap.io:60573
rq3wfq3t3qtw-29855.portmap.io:29855
CaFsCy2hTYV8RqjM
Install_directory: %AppData%
install_file: svchost.exe
Extracted: asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:6606
89.84.63.139:6606
caqxyzoxvrzhnrxwoc
delay: 1
install: false
install_folder: %AppData%
Extracted: asyncrat
AWS | RxR
Paste.Rs
rxrphar.duckdns.org:6606
rxrphar.duckdns.org:7707
rxrphar.duckdns.org:8808
rxrphar.duckdns.org:777
rxrphar.duckdns.org:963
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/KD5sWJRx
Extracted: asyncrat
AWS | RxR
Paste
AsyncMutex_101010101010101001101010101010101010101010101010101010101001101010110101010101010101010101010011010110011010101010101010101011001010111011111011111010011010101010101010101011010101011010101010101010101010101010101
delay: 3
install: false
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/TBi86jpV
Extracted: lumma
https://https://t.me/pizdenka202020/api
https://autogearw.live/tapsz
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://tinklertjp.bet/nzaf
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://witchdbhy.run/pzal
Extracted: azorult
http://195.245.112.115/index.php
Extracted: quasar
1.4.1
crypttest
78.108.216.225:4785
afec588d-ba99-4dc5-b1a2-184899a164d1
encryption_key: F592F433E80D21E441A0CAF7EB05F6190319999E
install_name: Client.exe
key_salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Extracted: quasar
1.4.1
Office04
192.168.1.88:4782
ffc63c9d-585e-4df2-beda-4faee4bf1143
encryption_key: 6642530AFF0B8F18CACCBD6B306915FED285B766
install_name: Client.exe
key_salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Update Service
subdirectory: SubDir
Extracted: darkcomet
Guest16
192.168.1.88:1604
DC_MUTEX-78A8SHS
InstallPath: MSDCSC\msdcsc.exe
gencode: F3699tcBulw4
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Extracted: 44caliber
https://discord.com/api/webhooks/1006954410666106990/9Iy2qOgXVC_vEQnjlUpdYRCXfaWC5wOtFa4nGroibeTyQ4j03lDdl1qMLghs02XGK34k
Extracted: discordrat
discord_token: MTA3MTgzODcwNjk2MjUzODU2Ng.G2xOwQ.rlcRNKLD2jW5bS3u15Rgzgy_BS5em_H-902Yvo
server_id: 1233166029094523002
Targets
Target: 250604-t5e9kagj9w.bin
- 44Caliber family
- Asyncrat family
- Azorult
  An information stealer first discovered in 2016 that targets browsing history and saved passwords.
- Azorult family
- Darkcomet family
- Detect Xworm Payload
- Detects DonutLoader
- Discordrat family
- DonutLoader
  DonutLoader is position-independent code that enables in-memory execution of VBScript, JScript, EXE and DLL files and .NET assemblies.
- Donutloader family
- Lumma family
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that abuses cloud services to download other malicious families.
- Modifies WinLogon for persistence
- Modiloader family
- Quasar family
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XMRig Miner payload
- Xmrig family
- Xworm family
- Async RAT payload
- ModiLoader Second Stage
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Checks system information in the registry
  System information is often read in order to detect sandbox environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16
Execution
  Command and Scripting Interpreter (2)
    PowerShell (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (5)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Browser Information Discovery (1)
  Network Service Discovery (1)
  Query Registry (6)
  System Information Discovery (7)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (2)
    Internet Connection Discovery (1)
    Wi-Fi Discovery (1)
  System Time Discovery (1)