General

Target: Malware with taskmgr.zip
Size: 2.9MB
Sample: 240614-w6arkswcll
MD5: a964aeb3e8cf59d3b8708af99731abf4
SHA1: 77a9caa0eb747c0d5bba1d2b86dd13537516f849
SHA256: 39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc
SHA512: 9109666afd9cb90a9ba44ef14a9914afcd7749169b2e4a04f6066f470a7a89503ddf90a21adeadd4dfd2056aa66854f99db532824be64c95bc0d94ad7439c79a
SSDEEP: 49152:x7yeTYZ5z0vegABI2egr4OecHvD5m33UZRQDRfPapjj6axvkVxureuIiBAkpwESc:xnTYZ5z0WgH234RUI3UrQ1uHlvkxuhLd

Static task: static1

Behavioral task: behavioral1
Sample: Malware with taskmgr.zip
Resource: win11-20240508-en

Behavioral task: behavioral2
Sample: processhacker-2.39-setup.exe
Resource: win11-20240611-en
Malware Config

Extracted: amadey
  4.21
  0e6740
  http://147.45.47.155
  install_dir: 9217037dc9
  install_file: explortu.exe
  strings_key: 8e894a8a4a3d0da8924003a561cfb244
  url_paths: /ku4Nor9/index.php

Extracted: amadey
  8254624243
  e76b71
  http://77.91.77.81
  install_dir: 8254624243
  install_file: axplong.exe
  strings_key: 90049e51fabf09df0d6748e0b271922e
  url_paths: /Kiru9gu/index.php

Extracted: redline
  @LOGSCLOUDYT_BOT
  185.172.128.33:8970

Extracted: xworm
  5.0
  64.226.123.178:6098
  1z0ENxCLSR3XRSre
  install_file: USB.exe

Extracted: xworm
  3.1
  185.91.127.220:7000
  200.9.155.204:7000
  0liuzqSbSYrrf5nM
  install_file: USB.exe

Extracted: redline
  0011
  185.91.127.219:33455

Extracted: xworm
  127.0.0.1:7000
  beshomandotestbesnd.run.place:7000
  Install_directory: %ProgramData%
  install_file: cmd.exe
  telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Targets

Target: Malware with taskmgr.zip

- Gh0st RAT payload
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Sets file execution options in registry
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory

Target: processhacker-2.39-setup.exe
Size: 3.5MB
MD5: b634c2030dcfbff51a9427f7091ee945
SHA1: 96793c81fa09c5fe1e5d353b9c12837fa2e12ddd
SHA256: efa43d5920d7306c8b8aab1479d418f74e8e9ddc2078b6f40c1775b6deac33f5
SHA512: 9c1eb150aacdbcfc0630a26aa66e210d200bb439621c115775dc70ba07f3be495cf9472b0811ae4728a4f72d6773f09a169458dc5cb4c24e19953ed6ccbed923
SSDEEP: 98304:kGdVyVT9nOgmhRWh9/ULkjKxtTGP6VZd2rAcvOSE6Nq:bWT9nO7js/ULRjVZdLSE

- Detect Xehook Payload
- Detect Xworm Payload
- Gh0st RAT payload
- Modifies firewall policy service
- Modifies security service
- Phorphiex payload
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies boot configuration data using bcdedit
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
- Sets DLL path for service in the registry
- Sets file execution options in registry
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- An obfuscated cmd.exe command-line is typically used to evade detection.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
- Scheduled Task/Job (1)

Persistence
- Boot or Logon Autostart Execution (8)
  - Registry Run Keys / Startup Folder (8)
- Create or Modify System Process (5)
  - Windows Service (5)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (8)
  - Registry Run Keys / Startup Folder (8)
- Create or Modify System Process (5)
  - Windows Service (5)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)

Defense Evasion
- Modify Registry (16)
- Subvert Trust Controls (2)
  - Install Root Certificate (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (5)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Virtualization/Sandbox Evasion (2)
- Pre-OS Boot (1)
  - Bootkit (1)