Resubmissions

08/08/2025, 22:24

250808-2bp6nsvms8 10

08/08/2025, 14:51

250808-r8hsrahn2y 10

05/08/2025, 18:42

250805-xclseswzf1 10

04/08/2025, 11:56

250804-n39gqsztey 10

04/08/2025, 11:53

250804-n2rkjacj8x 10

03/08/2025, 21:35

250803-1fs8fsztet 10

03/08/2025, 18:26

250803-w3ldxacn6t 10

03/08/2025, 18:23

250803-w1qwlscn31 10

03/08/2025, 17:11

250803-vqdymayry9 10

General

  • Target

    SystemMonitorPro.exe

  • Size

    30KB

  • Sample

    250802-yj3vyswnw5

  • MD5

    6768060e798f867b1a1b0d5f69126c37

  • SHA1

    5b0f2865b5e7745828eb72cb251c8bea3a274878

  • SHA256

    eb31641a82f6df9ff00cec64d912b336b15deff08dd3c375a7ef74445719ac99

  • SHA512

    3906027f87220246ec92356e37414e94561954672cadffa5c28f5a46ff59a63c153d7bda9e1d11dc226855d13f8e62a03e9f75b2e1d6aaf5449468557e3f8790

  • SSDEEP

    768:rzyx3ZkzhpHaQC2MBxUrD58iYS2QTHx11skkm:PyRZkFrMUD58NS2QTHx11PX

Malware Config

Extracted

Family

xworm

Version

5.0

C2

0.tcp.eu.ngrok.io:10358

6.tcp.eu.ngrok.io:10358

4.tcp.eu.ngrok.io:10358

ms-pupils.gl.at.ply.gg:42890

kitchen-english.gl.at.ply.gg:53578

Mutex

QvDYkhYsc5WBgCcl

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain
aes.plain
aes.plain

Extracted

Family

xworm

Version

XWorm V5.6

C2

147.185.221.27:31149

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7783104153:AAHSNrERDQS2NzJ45eSQXKJ1B2uwYNSeUQ4/sendMessage?chat_id=5630866666

Extracted

Family

quasar

Version

1.4.1

Botnet

RAT 5 (EPIC VERISON)

C2

serveo.net:11453

Mutex

7a1301f7-dc6f-4847-a8ee-ca627a9efa0f

Attributes
  • encryption_key

    3B793156AD6D884F51309D0E992DAA75D03D2783

  • install_name

    Application Frame Host.exe

  • key_salt

    bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft

  • subdirectory

    SubDir

Extracted

Family

lumma

C2


Attributes
  • build_id

    67817e048448c9e3dc31ab3db328fa20

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

ratlordvc.ddns.net:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    tesst.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

66.63.187.164:8596

167.160.161.247:8596

Mutex

37MlZ5DDbaYD9eeaOM

Attributes
  • encryption_key

    vxlz4IJUHoKgSI9gnGkX

  • install_name

    cache.exe

  • key_salt

    bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Google Chrome

  • subdirectory

    Google Chrome

Extracted

Family

redline

Botnet

@glowfy0

C2

91.214.78.86:1912

Extracted

Family

xworm

Version

3.0

C2

soon-lp.at.ply.gg:17209

Attributes
  • Install_directory

    %AppData%

  • install_file

    NjRat Dangerous.exe

Extracted

Family

cyber_stealer

C2

https://paxrobot.digital/webpanel/

Attributes
  • pastebin

    https://pastebin.com/raw/6K66Aeyr

Extracted

Family

stealc

Botnet

system

C2

http://141.98.6.181

Attributes
  • url_path

    /4c8837c73f7c4af9.php

rc4.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

winlogson

C2

192.168.178.69:4782

coluich1220.duckdns.org:4782

Mutex

a409f48d-fe2a-4207-b2c2-585b18fb47b3

Attributes
  • encryption_key

    4A886EE72F3932EB3311C152EDED110A81EF6553

  • install_name

    winlogson.exe

  • key_salt

    bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    winlogson

  • subdirectory

    winlogson

Extracted

Family

vidar

Version

14.8

Botnet

8208070b02ab19c5bccfbdc74ec6646e

C2

https://t.me/dz25gz

https://steamcommunity.com/profiles/76561199880530249

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Extracted

Family

stealc

Botnet

LogsDillerCloud

C2

http://weathersouth.shop

Attributes
  • url_path

    /45cc90de006049c9.php

rc4.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

70.34.210.80:4782

192.168.1.203:4782

73.62.14.5:4782

Mutex

0d965223-b478-41be-af32-ad5a13d78eba

Attributes
  • encryption_key

    EBD92C218F947CFB9F2E27885F8DFFEAE9079F05

  • install_name

    MSWinpreference.exe

  • key_salt

    bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Skype

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Stinky

C2

ef3243fsert34.ddns.net:47820

oj42315j346ng2134.myvnc.com:47820

Mutex

448b82a7-900f-48ac-b52b-73d8b9b1a9fa

Attributes
  • encryption_key

    7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54

  • install_name

    sru.exe

  • key_salt

    bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    xml

  • subdirectory

    sru

Targets

    • Target

      SystemMonitorPro.exe

    • Size

      30KB

    • MD5

      6768060e798f867b1a1b0d5f69126c37

    • SHA1

      5b0f2865b5e7745828eb72cb251c8bea3a274878

    • SHA256

      eb31641a82f6df9ff00cec64d912b336b15deff08dd3c375a7ef74445719ac99

    • SHA512

      3906027f87220246ec92356e37414e94561954672cadffa5c28f5a46ff59a63c153d7bda9e1d11dc226855d13f8e62a03e9f75b2e1d6aaf5449468557e3f8790

    • SSDEEP

      768:rzyx3ZkzhpHaQC2MBxUrD58iYS2QTHx11skkm:PyRZkFrMUD58NS2QTHx11PX

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • AthenaHTTP

      AthenaHTTP is a DDoS bot written in C++.

    • Athenahttp family

    • CyberStealer

      CyberStealer is an infostealer written in C#.

    • Cyber_stealer family

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Detects AthenaHTTP

    • Detects CyberStealer

    • Detects DonutLoader

    • Disables service(s)

    • DonutLoader

      DonutLoader is position-independent code that enables in-memory execution of VBScript, JScript, EXE and DLL files and .NET assemblies.

    • Donutloader family

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Jigsaw Ransomware

      Ransomware family first created in 2016, named after the wallpaper that early versions set after infection.

    • Jigsaw family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • Modifies Windows Defender DisableAntiSpyware settings

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender notification settings

    • Modifies firewall policy service

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Vipkeylogger family

    • Xmrig family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Async RAT payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (244) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • XMRig Miner payload

    • mimikatz is an open source tool to dump credentials on Windows

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies system executable filetype association

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • ConfuserEx .NET packer

      Detects ConfuserEx .NET packer.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks