Vr.rar

General
Target

Vr.rar

Size

8MB

Sample

201125-xeckn6wq3s

Score
10 /10
MD5

65db9d146bda563ec5749ec53091b2aa

SHA1

220b5f4edfb7310ed96020cdbac22f13911304ab

SHA256

cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681

SHA512

ddd8cc9178b2f5605d28dc6110bb23ba56209677c29089ee8977b11333ed677be8439183c1181f2d75b5ac97357aecf6d7fcc50748ac724e79ffd5f3a7aa46b3

Malware Config

Extracted

Path C:\_readme.txt
Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jydQMZP2Ie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@airmail.cc Your personal ID: 0267OrjkgUGkv6TOoEMNyhW6VCgrizkAUg4XiClXtVqLCdtl
Emails

helpmanager@mail.ch

restoremanager@airmail.cc

URLs

https://we.tl/t-jydQMZP2Ie

Extracted

Family smokeloader
Version 2020
C2

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/

rc4.i32

Extracted

Family smokeloader
Version 2019
C2

rc4.i32
Targets
Target

0x000100000001ab86-55.exe

MD5

e2e9483568dc53f68be0b80c34fe27fb

Filesize

262KB

Score
1 /10
SHA1

8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256

205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512

b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Related Tasks

Target

0x000100000001ab87-47.exe

MD5

f0372ff8a6148498b19e04203dbb9e69

Filesize

71KB

Score
1 /10
SHA1

27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256

298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512

65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Related Tasks

Target

0x000100000001ab9c-70.exe

MD5

5c6684e8c2b678de9e2776c6b50ddd72

Filesize

977KB

Score
8 /10
SHA1

7d255100d811de745e6ee908d1e0f8ba4ff21add

SHA256

bb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc

SHA512

f627ca67610f9d5c137bdae8b3f8f6c08ff9162d12b3e30d3886c72aec047d34e31b5f0e17120dc99d71b0c316e43bb946fc5d40a9babec7229ce3a3c9292acb

Signatures

  • Executes dropped EXE

  • Loads dropped DLL

Related Tasks

Target

0x000100000001ad02-313.exe

MD5

7f1c0fe70e588f3bead08b64910b455e

Filesize

620KB

Score
8 /10
SHA1

b0d78d67ee8a703e2c5dff5f50b34c504a91cfee

SHA256

4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4

SHA512

e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84

Signatures

  • Executes dropped EXE

  • Drops startup file

  • Loads dropped DLL

Related Tasks

Target

0x000200000001aca8-173.exe

MD5

a6279ec92ff948760ce53bba817d6a77

Filesize

61KB

Score
1 /10
SHA1

5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256

8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512

213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Related Tasks

Target

0x000200000001acb5-183.exe

MD5

6b32791ddadc54b2e770a881eb83c260

Filesize

10MB

Score
10 /10
SHA1

d5815c8b204c47ebbb9f91c4f66e459e14136a32

SHA256

23cb1064049da1e64c231cacee9908d9c1aed6a57b786740361d206d14bd2973

SHA512

3a7334533bbcf4b1ad5b6200a9ef4c319a72ea06659e42c9b857e8e02c9115b04e63a61fb892f475456d53b907a7b7fe7fafb09d9e66cfc51481c2f170ac86fb

Tags

Signatures

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools
    Modify Registry
  • xmrig

    Description

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    Tags

  • XMRig Miner Payload

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • Deletes itself

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

Target

0x000200000001acdf-236.exe

MD5

996ba35165bb62473d2a6743a5200d45

Filesize

274KB

Score
8 /10
SHA1

52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256

5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512

2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Signatures

  • Drops file in Drivers directory

Related Tasks

Target

0x000200000001ace9-240.exe

MD5

637a8b78f4985a7807c6cdb238df4534

Filesize

602KB

Score
7 /10
SHA1

01c47b02ec8b83a0a29590c2512c844318af8710

SHA256

87dc2c320339840a39ae63d4a53a406d2c091573c9f75aa28ea614b454fcfe95

SHA512

0eef7aec2cd0de345299bccda7cce486d65bde9d8d1dcfb6a90ffff79bb32d2be36452b064e4bd5da7aa5998e3398dca4bc1bf1ead863c324f7111a8ebfa0682

Tags

Signatures

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk, where infostealers often target it.

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • JavaScript code in executable

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

Target

0x000300000001a5a2-209.exe

MD5

185749ffbb860d3e5b705b557d819702

Filesize

842KB

Score
10 /10
SHA1

f09470a934d381cfc4e1504193eb58139061a645

SHA256

1c5319523b316c789c5c29e87675e580a9016b4624f197df889cb942c9a32bfa

SHA512

0bb85d296bdcee1fd50200af1924c73f751b08737256178052f46a8937a1a9be5656b4ea465b97ef798e48a0f600ceb7d2e18feb4026426112642d3b9213cce5

Tags

Signatures

  • Deletes Windows Defender Definitions

    Description

    Uses mpcmdrun utility to delete all AV definitions.

    Tags

    TTPs

    Disabling Security Tools
    Command-Line Interface
  • Disables Task Manager via registry modification

    Tags

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk, where infostealers often target it.

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • JavaScript code in executable

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

Target

0x000300000001ac90-122.exe

MD5

ceec23bdfaa35e0eeee0bb318f9d339f

Filesize

411KB

Score
10 /10
SHA1

69337754824f165accef920ec90d25aae72da9ca

SHA256

e6ba7316c20de986784a205b13617c3c13ce4daa628a26d0c2d4bbf0fe7a21c6

SHA512

7d401409ab447ebbcd1412e192815a8f257e4fb947feb5f69834e4a97efa7031b4ff1fcd5f1d97277a465a96b12c78ef6ae79795e416cb14f4beb3dfa0bc6e47

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • AgentTesla Payload

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

Target

0x000300000001ac99-126.exe

MD5

ca58d4cf4a5e0725f844c8eae3f8ae67

Filesize

300KB

Score
10 /10
SHA1

fbce92619ce23f4594846f2f789e513dab9f3239

SHA256

0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054

SHA512

32bdfc2e72fff79c075d5f9ead8268f1e9e0648635fd977f6d8db62358c48d5451b64e639b1853bd87220a1157e74754e1109b3f1797f98ef02d5151fb09f4a9

Tags

Signatures

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Deletes itself

  • Loads dropped DLL

  • Executes dropped EXE

  • Writes to the Master Boot Record (MBR)

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    Tags

    TTPs

    Bootkit

Related Tasks

Target

0x000300000001ac9e-134.exe

MD5

fdde60834af109d71f4c7d28b865c8a1

Filesize

311KB

Score
10 /10
SHA1

4f721105161b74e07b5ccd762d32932989bfb03a

SHA256

b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

SHA512

fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Tags

Signatures

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Deletes itself

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    Tags

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • AgentTesla Payload

  • Executes dropped EXE

  • Modifies Installed Components in the registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk, where infostealers often target it.

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry
    Peripheral Device Discovery
    System Information Discovery
  • JavaScript code in executable

Related Tasks

Target

0x000300000001ac9e-206.exe

MD5

fdde60834af109d71f4c7d28b865c8a1

Filesize

311KB

Score
10 /10
SHA1

4f721105161b74e07b5ccd762d32932989bfb03a

SHA256

b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

SHA512

fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Tags

Signatures

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Deletes itself

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • AgentTesla Payload

  • Executes dropped EXE

  • Modifies Installed Components in the registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry
    Peripheral Device Discovery
    System Information Discovery

Related Tasks

Target

0x000300000001ac9f-141.exe

MD5

5898d001eedb60a637f9334965e241a9

Filesize

19KB

Score
10 /10
SHA1

59d543084a8230ac387dee45b027c47282256d02

SHA256

08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd

SHA512

d8be87bddd9f289597221d864370dfdd1ea94d2910837e211f34eec0fee56477672d98bd0565059389ff6d9ac79002f0ffa792feb84db02b18f432c6174e71e0

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • AgentTesla Payload

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System
    Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

Target

0x000300000001acec-245.exe

MD5

801a4e85faeb41919a0da6fa174ada04

Filesize

482KB

Score
1 /10
SHA1

cf6a3be6cf3130a0d2a92ac9eec392e43029a06c

SHA256

23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd

SHA512

319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b

Related Tasks

Target

0x000300000001aced-248.exe

MD5

7f1c0fe70e588f3bead08b64910b455e

Filesize

620KB

Score
8 /10
SHA1

b0d78d67ee8a703e2c5dff5f50b34c504a91cfee

SHA256

4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4

SHA512

e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84

Signatures

  • Executes dropped EXE

  • Drops startup file

  • Loads dropped DLL

Related Tasks

Tasks

static1

8/10

behavioral1

1/10

behavioral2

1/10

behavioral3

1/10

behavioral4

1/10

behavioral5

8/10

behavioral6

8/10

behavioral7

8/10

behavioral8

8/10

behavioral9

1/10

behavioral10

1/10

behavioral13

8/10

behavioral14

8/10

behavioral15

7/10

behavioral16

7/10

behavioral21

10/10

behavioral23

10/10

behavioral25

10/10

behavioral29

1/10

behavioral30

1/10

behavioral31

8/10

behavioral32

8/10