General
  Target: 56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a.exe
  Size: 13.1MB
  Sample: 250806-mdjdksyky3
  MD5: c942a56638772644d847709d906fa23d
  SHA1: 12d6b77fec2244cdc4050a083aa741185cc48010
  SHA256: 56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a
  SHA512: efb2eca57f55b667dd13a22c7769563fd03e127df36680916d5c350db3174bac41a6c17a3223b7367f974aa740f69afde7e9a1ebc39239a9d550b366dacf893f
  SSDEEP: 196608:38PuglgpIUeR24iMqWNo2mtKVzurHm5lMP/XRL234tSoz2/Tsj+51nOxd:MPuhpI1R2JtWNhqKVzuC5EXA34tSQ
Behavioral task: behavioral1
  Sample: 56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: 56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a.exe
  Resource: win11-20250619-en
Malware Config
Extracted: discordrat
  discord_token: MTMxNTQxMDg0NDg3NTQ4OTI4MA.Gx5ptK.HY1OYsjGMP1MsOoyD2E7T9pCvkfHTdOPozmb_c
  server_id: 1315411300192616569
Extracted
  Protocol: smtp
  Host: mail.pt2003.hu
  Port: 587
  Username: [email protected]
  Password: pt2003.hu1
Extracted
  Protocol: ftp
  Host: 187.45.239.1
  Port: 21
  Username: administrator
  Password: abcd1234
Extracted: vipkeylogger
  Protocol: smtp
  Host: hosting2.ro.hostsailor.com
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@#
  Email To: [email protected]
  https://api.telegram.org/bot7783104153:AAHSNrERDQS2NzJ45eSQXKJ1B2uwYNSeUQ4/sendMessage?chat_id=5630866666
Extracted: cyber_stealer
  https://paxrobot.digital/webpanel/
  pastebin: https://pastebin.com/raw/6K66Aeyr
Extracted: lumma
  https://physicianusepeptides.com/opu
  https://mastwin.in/qsaz/api
  https://precisionbiomeds.com/ikg
  https://vishneviyjazz.ru/neco/api
  https://yrokistorii.ru/uqya/api
  https://xurekodip.com/qpdl
  https://utvp1.net/zkaj
  https://orienderi.com/xori
  build_id: 54fa9f80c392c1c67632c3e50e68ea62
Extracted: asyncrat
  LoaderPanel
  Default
  8fnuawbfuac.click:8888
  8eh18dhq9wd.click:8888
  8hdfiqowchq.click:8888
  8nioqhxciwoqc.click:8888
  8fhd2idhacas.click:8888
  kuuumhncic
  delay: 1
  install: false
  install_folder: %AppData%
Extracted: koiloader
  http://5.101.82.4/sparkles.php
  http://94.156.152.54/defatigate.php
  payload_url: https://kavacanada.ca/catalog/model
Extracted: xworm
  XWorm V6.0
  66.63.187.164:8594
  167.160.161.247:8594
  Install_directory: %Temp%
  install_file: Chrome.exe
Extracted: masslogger
  exfiltration_mode: #SMTPEnabled
  expire_time_date: 2298-06-01
  host_password: pt2003.hu1
  host_port: 587
  host_receiver:
  host_sender:
  host_server: mail.pt2003.hu
  ssl_slate: False
Extracted: asyncrat
  Venom RAT + HVNC + Stealer + Grabber v6.0.3
  Default
  66.63.187.164:6666
  167.160.161.247:6666
  ntdmsrfntbvmlirwsz
  delay: 1
  install: true
  install_file: Chrome.exe
  install_folder: %Temp%
Extracted: njrat
  Njrat 0.7 Golden By Hassan Amiri
  HacKed
  167.160.161.247:8595
  Windows Update
  reg_key: Windows Update
  splitter: |Hassan|
Extracted: xworm
  5.0
  45.141.26.47:7000
  0Bve8vBwYWtqFYCA
  Install_directory: %ProgramData%
  install_file: Java Update Schedule (64 bit).exe
Targets
  Target: 56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a.exe
  Size: 13.1MB
  MD5: c942a56638772644d847709d906fa23d
  SHA1: 12d6b77fec2244cdc4050a083aa741185cc48010
  SHA256: 56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a
  SHA512: efb2eca57f55b667dd13a22c7769563fd03e127df36680916d5c350db3174bac41a6c17a3223b7367f974aa740f69afde7e9a1ebc39239a9d550b366dacf893f
  SSDEEP: 196608:38PuglgpIUeR24iMqWNo2mtKVzurHm5lMP/XRL234tSoz2/Tsj+51nOxd:MPuhpI1R2JtWNhqKVzuC5EXA34tSQ
- Amadey family
- Asyncrat family
- Athenahttp family
- Cyber_stealer family
- Detect Neshta payload
- Detect SalatStealer payload
- Detect Vidar Stealer
- Detect Xworm Payload
- Detects AthenaHTTP
- Detects CyberStealer
- Discordrat family
- Koiloader family
- Lumma family
- MassLogger
  MassLogger is a .NET stealer that targets passwords from browsers, email clients and cryptocurrency clients.
- Masslogger family
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that abuses cloud services to download other malware families.
- Modiloader family
- Neshta
  Neshta is a file infector: it injects itself into other files to spread and cause damage.
- Neshta family
- Njrat family
- Salatstealer family
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Vidar family
- Vipkeylogger family
- Xworm family
- Async RAT payload
- Detects KoiLoader payload
- ModiLoader Second Stage
- Contacts a large number (1711) of remote hosts
  This may indicate a network scan to discover remotely running services.
- Downloads MZ/PE file
- Modifies Windows Firewall
- Stops running service(s)
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Unexpected DNS network traffic destination
  Network traffic on the DNS port to servers other than the configured DNS servers was detected.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by their intrusion activity.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- ConfuserEx .NET packer
  Detects the ConfuserEx .NET packer.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v16
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
  System Services (1): Service Execution (1)
Persistence
  Create or Modify System Process (2): Windows Service (2)
  Event Triggered Execution (1): Installer Packages (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Create or Modify System Process (2): Windows Service (2)
  Event Triggered Execution (1): Installer Packages (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Hide Artifacts (1): Hidden Files and Directories (1)
  Impair Defenses (2): Disable or Modify System Firewall (1)
  Indicator Removal (1): File Deletion (1)
  System Binary Proxy Execution (1): Msiexec (1)