0x000400000001b0ea-1226.exe

General
Target

0x000400000001b0ea-1226.exe

Size

504MB

Sample

201125-jg9y6w1y66

Score
10 /10
MD5

0f88fd9d557ffbe67a8897fb0fc08ee7

SHA1

61ab5f32d49b08173ee8470f0e332abda0c13471

SHA256

2f1436120017a1b23d27c9adc8ce999ef60080703a0971f183348498809785cf

SHA512

f28f9a5a71ecc82f6160a167c12835b44c67d707434265a88f72ab9249d48109a546ef31d968aa0dbcd6513648267221f9998e80250683a06605b007ea2c1a7c

Malware Config

Extracted

Family smokeloader
Version 2020
C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/

rc4.i32
rc4.i32

Extracted

Family smokeloader
Version 2019
C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

http://10022020test61-service1002012510022020.website/

http://10022020test51-service1002012510022020.xyz/

http://10022020test41-service100201pro2510022020.ru/

http://10022020yest31-service100201rus2510022020.ru/

http://10022020rest21-service1002012510022020.eu/

http://10022020test11-service1002012510022020.press/

http://10022020newfolder4561-service1002012510022020.ru/

http://10022020rustest213-service1002012510022020.ru/

http://10022020test281-service1002012510022020.ru/

http://10022020test261-service1002012510022020.space/

http://10022020yomtest251-service1002012510022020.ru/

http://10022020yirtest231-service1002012510022020.ru/

rc4.i32
rc4.i32

Extracted

Path C:\_readme.txt
Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jydQMZP2Ie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@airmail.cc Your personal ID: 0267OrjkiqiNQfi2f1JJsnrIJTHTcPk1Hz012cqr8C2lfeYf
Emails

helpmanager@mail.ch

restoremanager@airmail.cc

URLs

https://we.tl/t-jydQMZP2Ie

Targets
Target

0x000400000001b0ea-1226.exe

MD5

0f88fd9d557ffbe67a8897fb0fc08ee7

Filesize

504MB

Score
10 /10
SHA1

61ab5f32d49b08173ee8470f0e332abda0c13471

SHA256

2f1436120017a1b23d27c9adc8ce999ef60080703a0971f183348498809785cf

SHA512

f28f9a5a71ecc82f6160a167c12835b44c67d707434265a88f72ab9249d48109a546ef31d968aa0dbcd6513648267221f9998e80250683a06605b007ea2c1a7c

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • PlugX

    Description

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    Tags

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • AgentTesla Payload

  • XMRig Miner Payload

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Suspicious Office macro

    Description

    Office document equipped with 4.0 macros.

    Tags

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • VMProtect packed file

    Description

    Detects executables packed with VMProtect commercial packer.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • JavaScript code in executable

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    Tags

    TTPs

    Bootkit
  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • Deletes Windows Defender Definitions

    Description

    Uses mpcmdrun utility to delete all AV definitions.

    Tags

    TTPs

    Disabling Security Tools Command-Line Interface
  • Disables Task Manager via registry modification

    Tags

  • Drops file in Drivers directory

  • Modifies Installed Components in the registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Deletes itself

Related Tasks