Resubmissions
05-09-2023 01:34
230905-by5lrsch46 10General
-
Target
2023-09-04.zip
-
Size
299.5MB
-
Sample
230905-by5lrsch46
-
MD5
eea227737face033b823122d906dabed
-
SHA1
a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd
-
SHA256
5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
-
SHA512
99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760
-
SSDEEP
6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI
Malware Config
Extracted
nanocore
1.2.2.0
0.tcp.ngrok.io:19529
e8dc0029-2692-4710-a5f6-d65df0a729cd
-
activate_away_mode
true
-
backup_connection_host
0.tcp.ngrok.io
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-06-12T19:31:10.719245436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
19529
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
e8dc0029-2692-4710-a5f6-d65df0a729cd
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
0.tcp.ngrok.io
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
mirai
BOTNET
Extracted
mirai
BOTNET
Extracted
mirai
2.59.254.14
Extracted
mirai
BOTNET
Extracted
njrat
im523
svchost.exe
5.tcp.eu.ngrok.io:15312
0c7caa8c30ecac23145985ecdefb5649
-
reg_key
0c7caa8c30ecac23145985ecdefb5649
-
splitter
|'|'|
Extracted
agenttesla
Protocol: smtp- Host:
mail.elhamdelevator.com - Port:
587 - Username:
[email protected] - Password:
01221417748 - Email To:
[email protected]
https://discordapp.com/api/webhooks/1141171534019436636/rsmn69Lcmg35Ga7bqVUGtuetk3b-HNiKLnmDMzvt91gHtESYIARmGI9pQQxxg2F5Q3mM
Extracted
mirai
o.do.do
Extracted
mirai
BOTNET
Extracted
mirai
8.8.8.8
Extracted
mirai
8.8.8.8
2.59.254.14
Extracted
mirai
zerobot.zc.al
2.59.254.14
Extracted
njrat
0.7NC
NYAN CAT
4Mekey.myftp.biz:1011
adminbogota.duckdns.org:2015
unicornio2020.duckdns.org:9966
cfcfc4ede74345f998
-
reg_key
cfcfc4ede74345f998
-
splitter
@!#&^%$
Extracted
mirai
BOTNET
Extracted
mirai
LZRD
Extracted
mirai
2.59.254.14
Extracted
mirai
LZRD
Extracted
mirai
SORA
Extracted
asyncrat
1.0.7
VBS09
4Mekey.myftp.biz:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/reverse_tcp
156.223.59.18:4444
Extracted
mirai
2.59.254.14
Extracted
mirai
SORA
Extracted
darkcloud
https://api.telegram.org/bot6342175884:AAGNYnOE8HN_cXImf1tA6GQfayeeb18yP84/sendMessage?chat_id=5990783030
-
email_from
tsctubesales.co.in
- email_to
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Extracted
mirai
2.59.254.14
Extracted
strrat
powerful.ddnsfree.com:7802
judepower.duckdns.org:7817
-
license_id
EBGS-IHJV-5E77-T3MF-HBXL
-
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
-
scheduled_task
false
-
secondary_startup
true
-
startup
false
Extracted
asyncrat
1.0.7
PIJAO 4 SEPT
16agostok.duckdns.org:8004
DcRatMutex_qwqdanchunfdsaf
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
metasploit
windows/reverse_tcp_dns
privacy-now.org:8888
Extracted
asyncrat
0.5.7B
VBS09
4Mekey.myftp.biz:6606
4Mekey.myftp.biz:7707
4Mekey.myftp.biz:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
mirai
BOTNET
Targets
-
-
Target
2023-09-04.zip
-
Size
299.5MB
-
MD5
eea227737face033b823122d906dabed
-
SHA1
a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd
-
SHA256
5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
-
SHA512
99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760
-
SSDEEP
6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Fabookie payload
-
Fabookie
Fabookie is facebook account info stealer.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry
-
Adds policy Run key to start application
-
Contacts a large (843) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1