General

  • Target

    56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a.exe

  • Size

    13.1MB

  • Sample

    250806-mdjdksyky3

  • MD5

    c942a56638772644d847709d906fa23d

  • SHA1

    12d6b77fec2244cdc4050a083aa741185cc48010

  • SHA256

    56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a

  • SHA512

    efb2eca57f55b667dd13a22c7769563fd03e127df36680916d5c350db3174bac41a6c17a3223b7367f974aa740f69afde7e9a1ebc39239a9d550b366dacf893f

  • SSDEEP

    196608:38PuglgpIUeR24iMqWNo2mtKVzurHm5lMP/XRL234tSoz2/Tsj+51nOxd:MPuhpI1R2JtWNhqKVzuC5EXA34tSQ

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNTQxMDg0NDg3NTQ4OTI4MA.Gx5ptK.HY1OYsjGMP1MsOoyD2E7T9pCvkfHTdOPozmb_c

  • server_id

    1315411300192616569

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pt2003.hu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    pt2003.hu1

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    187.45.239.1
  • Port:
    21
  • Username:
    administrator
  • Password:
    abcd1234

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7783104153:AAHSNrERDQS2NzJ45eSQXKJ1B2uwYNSeUQ4/sendMessage?chat_id=5630866666

Extracted

Family

cyber_stealer

C2

https://paxrobot.digital/webpanel/

Attributes
  • pastebin

    https://pastebin.com/raw/6K66Aeyr

Extracted

Family

lumma

C2

https://physicianusepeptides.com/opu

https://mastwin.in/qsaz/api

https://precisionbiomeds.com/ikg

https://vishneviyjazz.ru/neco/api

https://yrokistorii.ru/uqya/api

https://xurekodip.com/qpdl

https://utvp1.net/zkaj

https://orienderi.com/xori

Attributes
  • build_id

    54fa9f80c392c1c67632c3e50e68ea62

Extracted

Family

asyncrat

Version

LoaderPanel

Botnet

Default

C2

8fnuawbfuac.click:8888

8eh18dhq9wd.click:8888

8hdfiqowchq.click:8888

8nioqhxciwoqc.click:8888

8fhd2idhacas.click:8888

Mutex

kuuumhncic

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

koiloader

C2

http://5.101.82.4/sparkles.php

http://94.156.152.54/defatigate.php

Attributes
  • payload_url

    https://kavacanada.ca/catalog/model

Extracted

Family

xworm

Version

XWorm V6.0

C2

66.63.187.164:8594

167.160.161.247:8594

Attributes
  • Install_directory

    %Temp%

  • install_file

    Chrome.exe

Extracted

Family

masslogger

Attributes
  • exfiltration_mode

    #SMTPEnabled

  • expire_time_date

    2298-06-01

  • host_password

    pt2003.hu1

  • host_port

    587

  • host_receiver

    [email protected]

  • host_sender

    [email protected]

  • host_server

    mail.pt2003.hu

  • ssl_slate

    False

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

66.63.187.164:6666

167.160.161.247:6666

Mutex

ntdmsrfntbvmlirwsz

Attributes
  • delay

    1

  • install

    true

  • install_file

    Chrome.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

167.160.161.247:8595

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

xworm

Version

5.0

C2

45.141.26.47:7000

Mutex

0Bve8vBwYWtqFYCA

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Java Update Schedule (64 bit).exe

aes.plain

Targets

    • Target

      56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a.exe

    • Size

      13.1MB

    • MD5

      c942a56638772644d847709d906fa23d

    • SHA1

      12d6b77fec2244cdc4050a083aa741185cc48010

    • SHA256

      56a28391d309102557fcf9bc34351a50b49054282f2007851dcbc4e825e7c37a

    • SHA512

      efb2eca57f55b667dd13a22c7769563fd03e127df36680916d5c350db3174bac41a6c17a3223b7367f974aa740f69afde7e9a1ebc39239a9d550b366dacf893f

    • SSDEEP

      196608:38PuglgpIUeR24iMqWNo2mtKVzurHm5lMP/XRL234tSoz2/Tsj+51nOxd:MPuhpI1R2JtWNhqKVzuC5EXA34tSQ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • AthenaHTTP

      AthenaHTTP is a DDoS bot written in C++.

    • Athenahttp family

    • CyberStealer

      CyberStealer is an infostealer written in C#.

    • Cyber_stealer family

    • Detect Neshta payload

    • Detect SalatStealer payload

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Detects AthenaHTTP

    • Detects CyberStealer

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • KoiLoader

      KoiLoader is a malware loader written in C++.

    • Koiloader family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • Masslogger family

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • Neshta

      Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.

    • Neshta family

    • Njrat family

    • Salatstealer family

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Vipkeylogger family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • salatstealer

      SalatStealer is a stealer written in Golang that takes screenshots.

    • Async RAT payload

    • Detects KoiLoader payload

    • ModiLoader Second Stage

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Contacts a large (1711) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • ConfuserEx .NET packer

      Detects ConfuserEx .NET packer.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks