Resubmissions
07/08/2025, 10:55
250807-m1bl9atnz2 1006/08/2025, 01:35
250806-bzxybazxet 1006/08/2025, 01:00
250806-bcyw4atkz2 1006/08/2025, 00:47
250806-a5mh4aan7x 1031/07/2025, 00:25
250731-aqtnvsxvg1 1029/07/2025, 11:32
250729-nns67sxny8 1023/07/2025, 19:43
250723-yfn8dsaq8v 1023/07/2025, 19:24
250723-x4gb1san4y 1022/07/2025, 22:35
250722-2hp49ahm4y 10General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
250806-a5mh4aan7x
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Static task
static1
Behavioral task
behavioral1
Sample
Downloaders.zip
Resource
win10v2004-20250610-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.pt2003.hu - Port:
587 - Username:
[email protected] - Password:
pt2003.hu1
Extracted
metasploit
windows/reverse_winhttp
https://103.43.18.230/_-4iC1Ai554cFh0Xek-AugfMDAGzX3T_TPxLGmdPUIvKmkBC9Xu1smNmqYoUDvu-7A6cZl_LyfJKf2TMOqk-__
Extracted
quasar
1.6.0
Office03
mjoatboating.ydns.eu:4787
2b2454a3-872c-4f0d-b0bd-24c628d5ff0b
-
encryption_key
00393B0225056730419D70586E1F489FB4E99224
-
install_name
application.exe
-
key_salt
5a23f8394640cb9e40658446a04c0bbae82dc93d0470e1b2a406a90fd2520382
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
User Startup
-
subdirectory
SubDir
Extracted
lumma
https://mocadia.com/iuew
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://t.me/privetroot
-
build_id
7834f2be0ec11116374fee85c03c96522648f8
Extracted
gcleaner
185.156.73.98
45.91.200.135
Extracted
cyber_stealer
https://paxrobot.digital/webpanel/
-
pastebin
https://pastebin.com/raw/6K66Aeyr
Extracted
redline
jajaja
176.46.152.46:1911
Targets
-
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
-
Asyncrat family
-
Cyber_stealer family
-
Detect Neshta payload
-
Detect SalatStealer payload
-
Detect Xworm Payload
-
Detects CyberStealer
-
Gcleaner family
-
Lumma family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Salatstealer family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Xworm family
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Contacts a large (1918) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
ConfuserEx .NET packer
Detects ConfuserEx .NET packer.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1Network Share Connection Removal
1Modify Registry
4Obfuscated Files or Information
1Command Obfuscation
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
11Remote System Discovery
1System Information Discovery
9System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2