Search This Blog

casual malware

Analysis every (some) day(s).

.ZIP password

Get link
Facebook
X
Pinterest
Email
Other Apps

password: malware

Get link
Facebook
X
Pinterest
Email
Other Apps

BACKLOG: NanoCore and AgentTesla double tap (maybe triple?)

Files: File name: LFPEHS.exe MD5: 450c0d7521b121a919e62401d50a2182 SHA256: 1d9526fe126321b49469341dbac0c9bbb247f896f4f836d93b4f361183e93a5e Filesize: 207872 bytes File name: MMCRLC.vbs MD5: 266f15a950f233e279095158cb2cfe8f SHA256: d391a3570354b37aafe3340aa92da365d533b4edd1adb80fffab14d0cee29a67 Filesize: 858 bytes File name: S007591119000628_XLSX.exe MD5: 792f42f7a4ba4d37015d658e1573cff2 SHA256: c4acc931c61a4b4da44510e645913f78588e2b655bf45790219407cb0b1c3132 Filesize: 1852424 bytes File name: S007591119000628_XLSX.ISO MD5: 2482a65df50ca7ef9d7445dcd5985ada SHA256: bc603a3b6ebf6e1312ad79e8e409c93ac53bfdedb65d961db6bf57cf947a19dd Filesize: 2424832 bytes File name: XAAHKP.exe MD5: 39ee891b8bdbd9ba987b5c4faafb84bd SHA256: 286803e00ea5f401dc94c9b25130716598210f33e4bf4465fb9fa0490231b176 Filesize: 207360 bytes Download (password: malware) Quick note: These files all originated from the exe inside S007591119000628_XLSX.ISO. No internet connection needed....

Loki-Bot from malspam .iso

Files: File name: GMT_20190319060920563.com.exe MD5: 3902567752c57bf36107a01990a5cc92 SHA256: 5986a088e86b2d169b3234aadf47ecddce1b8ac24e050b1423ef14ed5f06e609 Filesize: 446464 bytes File name: GMT_20190319060920563.iso MD5: c2dbe612409ef3dffded940c99cdac66 SHA256: 660e9d2de6f0223c50dfdfe512984f6a8f8400facebbca62db941a2566672458 Filesize: 507904 bytes File name: objectfrabjous.exe MD5: 89ca09b33506f659a39f8bed88103d55 SHA256: b70a7ef290cca5af3631d40e4253dd53ee8da6c8a32fe3a2e563ca27c88932b6 Filesize: 446464 bytes File name: objectfrabjous.vbs MD5: 33a60c46d369c821118edd398c45f949 SHA256: 42bc0ecf7ed5710d8c7417b19c6605c7c6cec2d6b43e9f765922bde1f3bb1339 Filesize: 110 bytes Download (password: malware) URLs: hxxp://gentography[.]ml/david/Panel/five/fre.php hxxp://gentography[.]ml/david/Panel/five/PvqDq929BSx_A_D_M1n_a.php IPs: 104.27.191.40 (cloudflare) Details: This sample caught my eye as it has similar exploit behavior to the REMCOS Rat I analyzed prev...

maldoc dropping Remcos RAT

Files: File name: PLURILITERAL.exe MD5: 6687f5ca89833f38157110f58bba8785 SHA256: 2fdb33e0895ec644222e153ab7ce485c76c8afa07c039b2c4e54aecba1e33c28 Filesize: 274432 bytes File name: PLURILITERAL.vbs MD5: 0495f6d9da19698aa3e4f55ac7f48278 SHA256: efd1a1a236041eea5b7db330b7ca304bb48b052bf2dbefb59395287a64dc1196 Filesize: 108 bytes File name: qwerty2.exe MD5: a85b0bf02ef1504f8cdf2e113294c888 SHA256: c263a793764bedabdf4aebbcc662627f7372e70ad573d42bdb752003b6a70976 Filesize: 274432 bytes File name: Resume.doc (named removed, password:1234) MD5: 8d95ababf5c6566fe65095abf8acff81 SHA256: d4c144873b11177071a5e99f70970afc36bc7a3163b6feee2945d8d37edcb8a9 Filesize: 37888 bytes Download (password: malware) URLs: hxxp://209.141.34[.]8/test1.exe hxxp://toptoptop1[.]online:2404 hxxp://toptoptop2[.]online:2404 hxxp://toptoptop3[.]site:2404 IPs: 103.1.184.108 209.141.34.8 192.64.119.33 Details: Sample source is a password protected malicious ....

Info

.ZIP password

Tweets by casual_malware

Labels

agenttesla
autoit
backlog
doc
javascript
lokibot
malware
nanocore
obfuscation
python

remcos
vbs

Show more Show less

.ZIP password

Popular posts from this blog

BACKLOG: NanoCore and AgentTesla double tap (maybe triple?)

Loki-Bot from malspam .iso

maldoc dropping Remcos RAT