Resubmissions
08/08/2025, 22:24
250808-2bp6nsvms8 1008/08/2025, 14:51
250808-r8hsrahn2y 1005/08/2025, 18:42
250805-xclseswzf1 1004/08/2025, 11:56
250804-n39gqsztey 1004/08/2025, 11:53
250804-n2rkjacj8x 1003/08/2025, 21:35
250803-1fs8fsztet 1003/08/2025, 18:26
250803-w3ldxacn6t 1003/08/2025, 18:23
250803-w1qwlscn31 1003/08/2025, 17:11
250803-vqdymayry9 10General
-
Target
SystemMonitorPro.exe
-
Size
30KB
-
Sample
250802-yj3vyswnw5
-
MD5
6768060e798f867b1a1b0d5f69126c37
-
SHA1
5b0f2865b5e7745828eb72cb251c8bea3a274878
-
SHA256
eb31641a82f6df9ff00cec64d912b336b15deff08dd3c375a7ef74445719ac99
-
SHA512
3906027f87220246ec92356e37414e94561954672cadffa5c28f5a46ff59a63c153d7bda9e1d11dc226855d13f8e62a03e9f75b2e1d6aaf5449468557e3f8790
-
SSDEEP
768:rzyx3ZkzhpHaQC2MBxUrD58iYS2QTHx11skkm:PyRZkFrMUD58NS2QTHx11PX
Static task
static1
Behavioral task
behavioral1
Sample
SystemMonitorPro.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
SystemMonitorPro.exe
Resource
win10ltsc2021-20250610-en
Behavioral task
behavioral3
Sample
SystemMonitorPro.exe
Resource
win11-20250619-en
Malware Config
Extracted
xworm
5.0
0.tcp.eu.ngrok.io:10358
6.tcp.eu.ngrok.io:10358
4.tcp.eu.ngrok.io:10358
ms-pupils.gl.at.ply.gg:42890
kitchen-english.gl.at.ply.gg:53578
QvDYkhYsc5WBgCcl
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
xworm
XWorm V5.6
147.185.221.27:31149
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.jhxkgroup.online - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
https://api.telegram.org/bot7783104153:AAHSNrERDQS2NzJ45eSQXKJ1B2uwYNSeUQ4/sendMessage?chat_id=5630866666
Extracted
quasar
1.4.1
RAT 5 (EPIC VERISON)
serveo.net:11453
7a1301f7-dc6f-4847-a8ee-ca627a9efa0f
-
encryption_key
3B793156AD6D884F51309D0E992DAA75D03D2783
-
install_name
Application Frame Host.exe
-
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft
-
subdirectory
SubDir
Extracted
lumma
https://precisionbiomeds.com/ikg
https://mastwin.in/qsaz/api
https://physicianusepeptides.com/opu
https://vishneviyjazz.ru/neco/api
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
https://biosphxere.digital/tqoa
https://geographys.run/eirq
https://woodpeckersd.run/glsk
https://tropiscbs.live/iuwxx
https://cartograhphy.top/ixau
https://topographky.top/xlak
https://climatologfy.top/kbud
https://vigorbridgoe.top/banb
-
build_id
67817e048448c9e3dc31ab3db328fa20
Extracted
asyncrat
0.5.7B
Default
ratlordvc.ddns.net:6606
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
tesst.exe
-
install_folder
%AppData%
Extracted
quasar
1.4.0.0
Office04
66.63.187.164:8596
167.160.161.247:8596
37MlZ5DDbaYD9eeaOM
-
encryption_key
vxlz4IJUHoKgSI9gnGkX
-
install_name
cache.exe
-
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Chrome
-
subdirectory
Google Chrome
Extracted
redline
@glowfy0
91.214.78.86:1912
Extracted
xworm
3.0
soon-lp.at.ply.gg:17209
-
Install_directory
%AppData%
-
install_file
NjRat Dangerous.exe
Extracted
cyber_stealer
https://paxrobot.digital/webpanel/
-
pastebin
https://pastebin.com/raw/6K66Aeyr
Extracted
stealc
system
http://141.98.6.181
-
url_path
/4c8837c73f7c4af9.php
Extracted
quasar
1.4.1
winlogson
192.168.178.69:4782
coluich1220.duckdns.org:4782
a409f48d-fe2a-4207-b2c2-585b18fb47b3
-
encryption_key
4A886EE72F3932EB3311C152EDED110A81EF6553
-
install_name
winlogson.exe
-
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
winlogson
-
subdirectory
winlogson
Extracted
vidar
14.8
8208070b02ab19c5bccfbdc74ec6646e
https://t.me/dz25gz
https://steamcommunity.com/profiles/76561199880530249
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Extracted
stealc
LogsDillerCloud
http://weathersouth.shop
-
url_path
/45cc90de006049c9.php
Extracted
quasar
1.4.1
Office04
70.34.210.80:4782
192.168.1.203:4782
73.62.14.5:4782
0d965223-b478-41be-af32-ad5a13d78eba
-
encryption_key
EBD92C218F947CFB9F2E27885F8DFFEAE9079F05
-
install_name
MSWinpreference.exe
-
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Skype
-
subdirectory
SubDir
Extracted
quasar
1.4.1
Stinky
ef3243fsert34.ddns.net:47820
oj42315j346ng2134.myvnc.com:47820
448b82a7-900f-48ac-b52b-73d8b9b1a9fa
-
encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
-
install_name
sru.exe
-
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
xml
-
subdirectory
sru
Targets
-
-
Target
SystemMonitorPro.exe
-
Size
30KB
-
MD5
6768060e798f867b1a1b0d5f69126c37
-
SHA1
5b0f2865b5e7745828eb72cb251c8bea3a274878
-
SHA256
eb31641a82f6df9ff00cec64d912b336b15deff08dd3c375a7ef74445719ac99
-
SHA512
3906027f87220246ec92356e37414e94561954672cadffa5c28f5a46ff59a63c153d7bda9e1d11dc226855d13f8e62a03e9f75b2e1d6aaf5449468557e3f8790
-
SSDEEP
768:rzyx3ZkzhpHaQC2MBxUrD58iYS2QTHx11skkm:PyRZkFrMUD58NS2QTHx11PX
Score10/10athenahttpxmrigxwormbotnetdefense_evasiondiscoveryexecutionexploitimpactminerpersistencephishingransomwareratthemidatrojanamadeyasyncratcyber_stealerdonutloaderjigsawlummamimikatzquasarredlinestealcvidarvipkeylogger8208070b02ab19c5bccfbdc74ec6646e@glowfy0defaultlogsdillercloudoffice04rat 5 (epic verison)systemwinlogsonbootkitcollectioninfostealerkeyloggerloaderspywarestealerupxexelastealerstinkycredential_accessevasionprivilege_escalationpyinstaller-
Amadey family
-
Asyncrat family
-
Athenahttp family
-
Cyber_stealer family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects AthenaHTTP
-
Detects CyberStealer
-
Detects DonutLoader
-
Disables service(s)
-
DonutLoader
DonutLoader is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
-
Donutloader family
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Exelastealer family
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Jigsaw family
-
Lumma family
-
Mimikatz family
-
Modifies Windows Defender Real-time Protection settings
-
Modifies Windows Defender notification settings
-
Modifies firewall policy service
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Stealc family
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vidar family
-
Vipkeylogger family
-
Xmrig family
-
Xworm family
-
Async RAT payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Renames multiple (244) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
XMRig Miner payload
-
mimikatz is an open source tool to dump credentials on Windows
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible privilege escalation attempt
-
Stops running service(s)
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies file permissions
-
Modifies system executable filetype association
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
ConfuserEx .NET packer
Detects ConfuserEx .NET packer.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Windows Management Instrumentation
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
7Windows Service
7Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Netsh Helper DLL
1Power Settings
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
7Windows Service
7Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
6Disable or Modify System Firewall
2Disable or Modify Tools
3Indicator Removal
3File Deletion
3Modify Registry
9Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
10Remote System Discovery
1System Information Discovery
11System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1Virtualization/Sandbox Evasion
2