General
-
Target
Document Mod Malware.zip
-
Size
12KB
-
Sample
240701-1gjemsverk
-
MD5
d7271e018618f08b55c07521f5179ff1
-
SHA1
6bd4442b342ab5e012a8cad49fb5a19e2236cfc9
-
SHA256
b434527e3f55425dc624118395ee28b4725e81464863dfd15d175dd74fbd9a6a
-
SHA512
fc37e5922f89178a7716624a1f134472eea7b14dde88fc2895b2bafbe7877d8833ef0a34888dee6aece0f41ff96967a9cfd06bc0cdd8b42f0a9373ef3739270b
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJASHWgHWkp:efACW6DrPSHWgHWkp
Malware Config
Extracted
Protocol: ftp- Host:
45.200.236.2 - Port:
21 - Username:
user - Password:
123qwe
Extracted
Protocol: ftp- Host:
69.12.91.6 - Port:
21 - Username:
ftp - Password:
computer
Extracted
Protocol: ftp- Host:
162.218.51.12 - Port:
21 - Username:
admin - Password:
987654321
Extracted
Protocol: ftp- Host:
145.14.156.14 - Port:
21 - Username:
user - Password:
demo
Extracted
Protocol: ftp- Host:
167.114.113.16 - Port:
21 - Username:
root - Password:
1342
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
LiveTraffoc
4.185.56.82:42687
Extracted
redline
newlogs
85.28.47.7:17210
Extracted
stealc
ZOV
http://40.86.87.10
-
url_path
/108e010e8f91c38c.php
Extracted
redline
newbuild
185.215.113.67:40960
Extracted
redline
666
195.20.16.103:18305
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
-
Install_directory
%ProgramData%
-
install_file
cmd.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
xworm
5.0
64.226.123.178:6098
64.23.249.117:6098
1z0ENxCLSR3XRSre
-
install_file
USB.exe
Extracted
agenttesla
Protocol: smtp- Host:
cp8nl.hyperhost.ua - Port:
587 - Username:
[email protected] - Password:
vqpF.#QRT234 - Email To:
[email protected]
Extracted
gurcu
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
Protocol: smtp- Host:
smtp.progestionchile.com - Port:
587 - Username:
[email protected] - Password:
Ebarrera2018
Extracted
Protocol: smtp- Host:
smtp.ab.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
hanawa32
Extracted
Protocol: smtp- Host:
smtp.mgmyasoc.com - Port:
587 - Username:
[email protected] - Password:
q4tKnbszz
Extracted
Protocol: smtp- Host:
smtp.mediacat.ne.jp - Port:
587 - Username:
[email protected] - Password:
1466232
Extracted
Protocol: smtp- Host:
smtp.elettro-service.com - Port:
587 - Username:
[email protected] - Password:
*Lara1970*
Extracted
Protocol: smtp- Host:
smtp.an.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
lovefuku1229
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
3stooges
Extracted
Protocol: smtp- Host:
smtp.jcom.home.ne.jp - Port:
587 - Username:
[email protected] - Password:
yuuji513
Extracted
Protocol: smtp- Host:
smtp.ah.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
kaduna715
Extracted
Protocol: smtp- Host:
smtp.nifty.ne.jp - Port:
587 - Username:
[email protected] - Password:
an0908an
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
!Rnmawh9511054
Extracted
Protocol: smtp- Host:
smtp.pp.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
mamu6511
Extracted
Protocol: smtp- Host:
smtp.pp.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
miki1114
Extracted
Protocol: smtp- Host:
smtp.jcom.zaq.ne.jp - Port:
587 - Username:
[email protected] - Password:
hijiri21
Extracted
Protocol: smtp- Host:
smtp.despachantemixirica.com.br - Port:
587 - Username:
[email protected] - Password:
Rob251478
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Alphabeta1@
Extracted
Protocol: smtp- Host:
smtp.iau-srl.it - Port:
587 - Username:
[email protected] - Password:
elenaloi1
Extracted
Protocol: smtp- Host:
smtp.ss.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
syunyou1217
Extracted
Protocol: smtp- Host:
smtp.xx.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
bau80851
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
Colepat01
Extracted
Protocol: smtp- Host:
smtp.gg.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
mickmick
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Maestro222
Extracted
Protocol: smtp- Host:
ebox.gr - Port:
587 - Username:
[email protected] - Password:
symbiosis
Extracted
Protocol: smtp- Host:
smtp.gg.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
adv29891
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
tazan1
Extracted
Protocol: smtp- Host:
smtp.progestionchile.com - Port:
587 - Username:
[email protected] - Password:
Rrhh2020
Extracted
Protocol: smtp- Host:
smtp.kk.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
ym2r1007
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
chelle92@
Extracted
Protocol: smtp- Host:
smtp.mediacat.ne.jp - Port:
587 - Username:
[email protected] - Password:
shimifami
Extracted
remcos
2556
bossnacarpet.com:2556
vegetachcnc.com:2556
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
chrome-6W1HCC
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
lokibot
http://dashboardproducts.info/bally/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
vidar
https://t.me/g067n
https://steamcommunity.com/profiles/76561199707802586
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Neshta payload
-
Detect Vidar Stealer
-
Detect Xehook Payload
-
Detect Xworm Payload
-
Detects HijackLoader (aka IDAT Loader)
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Stealc
Stealc is an infostealer written in C++.
-
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xehook stealer
Xehook is an infostealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Contacts a large (2194) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
Nirsoft
-
Renames multiple (7041) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Stops running service(s)
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score10/10-
Detect Neshta payload
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects HijackLoader (aka IDAT Loader)
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies security service
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass
-
Xworm
Xworm is a remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
mimikatz is an open source tool to dump credentials on Windows
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s)
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exse
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score1/10 -