Resubmissions
07/08/2025, 10:55
250807-m1bl9atnz2 1006/08/2025, 01:35
250806-bzxybazxet 1006/08/2025, 01:00
250806-bcyw4atkz2 1006/08/2025, 00:47
250806-a5mh4aan7x 1031/07/2025, 00:25
250731-aqtnvsxvg1 1029/07/2025, 11:32
250729-nns67sxny8 1023/07/2025, 19:43
250723-yfn8dsaq8v 1023/07/2025, 19:24
250723-x4gb1san4y 1022/07/2025, 22:35
250722-2hp49ahm4y 10General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
250806-bzxybazxet
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Static task
static1
Behavioral task
behavioral1
Sample
New Text Document mod.exe
Resource
win10v2004-20250619-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.pt2003.hu - Port:
587 - Username:
[email protected] - Password:
pt2003.hu1
Extracted
Protocol: ftp- Host:
160.124.119.22 - Port:
21 - Username:
ftp - Password:
ubqe
Extracted
metasploit
windows/reverse_winhttp
https://103.43.18.230/_-4iC1Ai554cFh0Xek-AugfMDAGzX3T_TPxLGmdPUIvKmkBC9Xu1smNmqYoUDvu-7A6cZl_LyfJKf2TMOqk-__
Extracted
lumma
https://mocadia.com/iuew
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://t.me/RONALDOORMESSSSI
https://dravq.asia/wixj/api
https://t.me/privetroot
https://cezgroup.contact/xlak/api
https://stockwises.eu/xiut/api
-
build_id
7834f2be0ec11116374fee85c03c96522648f8
Extracted
gcleaner
185.156.73.98
45.91.200.135
Extracted
cyber_stealer
https://paxrobot.digital/webpanel/
-
pastebin
https://pastebin.com/raw/6K66Aeyr
Extracted
redline
jajaja
176.46.152.46:1911
Extracted
masslogger
-
exfiltration_mode
#SMTPEnabled
-
expire_time_date
2298-06-01
-
host_password
pt2003.hu1
-
host_port
587
- host_receiver
- host_sender
-
host_server
mail.pt2003.hu
-
ssl_slate
False
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
66.63.187.164:6666
167.160.161.247:6666
ntdmsrfntbvmlirwsz
-
delay
1
-
install
true
-
install_file
Chrome.exe
-
install_folder
%Temp%
Extracted
xworm
XWorm V6.0
66.63.187.164:8594
167.160.161.247:8594
-
Install_directory
%Temp%
-
install_file
Chrome.exe
Extracted
quasar
1.4.0.0
Office04
66.63.187.164:8596
167.160.161.247:8596
37MlZ5DDbaYD9eeaOM
-
encryption_key
vxlz4IJUHoKgSI9gnGkX
-
install_name
cache.exe
-
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Chrome
-
subdirectory
Google Chrome
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
167.160.161.247:8595
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Targets
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
Asyncrat family
-
Cyber_stealer family
-
Detect SalatStealer payload
-
Detect Xworm Payload
-
Detects CyberStealer
-
Gcleaner family
-
Lumma family
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
Masslogger family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Njrat family
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Salatstealer family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Xworm family
-
Async RAT payload
-
Contacts a large (2274) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
ConfuserEx .NET packer
Detects ConfuserEx .NET packer.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1Network Share Connection Removal
1Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Network Service Discovery
2Network Share Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
11Remote System Discovery
2System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2