General

  • Target

    Vr.rar

  • Size

    9.0MB

  • Sample

    201125-xeckn6wq3s

  • MD5

    65db9d146bda563ec5749ec53091b2aa

  • SHA1

    220b5f4edfb7310ed96020cdbac22f13911304ab

  • SHA256

    cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681

  • SHA512

    ddd8cc9178b2f5605d28dc6110bb23ba56209677c29089ee8977b11333ed677be8439183c1181f2d75b5ac97357aecf6d7fcc50748ac724e79ffd5f3a7aa46b3

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jydQMZP2Ie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@airmail.cc Your personal ID: 0267OrjkgUGkv6TOoEMNyhW6VCgrizkAUg4XiClXtVqLCdtl
Emails

helpmanager@mail.ch

restoremanager@airmail.cc

URLs

https://we.tl/t-jydQMZP2Ie

Extracted

Family

smokeloader

Version

2020

C2

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/

rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Targets

    • Target

      0x000100000001ab86-55.exe

    • Size

      262KB

    • MD5

      e2e9483568dc53f68be0b80c34fe27fb

    • SHA1

      8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

    • SHA256

      205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

    • SHA512

      b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

    Score
    1/10
    • Target

      0x000100000001ab87-47.exe

    • Size

      71KB

    • MD5

      f0372ff8a6148498b19e04203dbb9e69

    • SHA1

      27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

    • SHA256

      298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

    • SHA512

      65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

    Score
    1/10
    • Target

      0x000100000001ab9c-70.exe

    • Size

      977KB

    • MD5

      5c6684e8c2b678de9e2776c6b50ddd72

    • SHA1

      7d255100d811de745e6ee908d1e0f8ba4ff21add

    • SHA256

      bb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc

    • SHA512

      f627ca67610f9d5c137bdae8b3f8f6c08ff9162d12b3e30d3886c72aec047d34e31b5f0e17120dc99d71b0c316e43bb946fc5d40a9babec7229ce3a3c9292acb

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      0x000100000001ad02-313.exe

    • Size

      620KB

    • MD5

      7f1c0fe70e588f3bead08b64910b455e

    • SHA1

      b0d78d67ee8a703e2c5dff5f50b34c504a91cfee

    • SHA256

      4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4

    • SHA512

      e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84

    Score
    8/10
    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Target

      0x000200000001aca8-173.exe

    • Size

      61KB

    • MD5

      a6279ec92ff948760ce53bba817d6a77

    • SHA1

      5345505e12f9e4c6d569a226d50e71b5a572dce2

    • SHA256

      8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

    • SHA512

      213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

    Score
    1/10
    • Target

      0x000200000001acb5-183.exe

    • Size

      10.2MB

    • MD5

      6b32791ddadc54b2e770a881eb83c260

    • SHA1

      d5815c8b204c47ebbb9f91c4f66e459e14136a32

    • SHA256

      23cb1064049da1e64c231cacee9908d9c1aed6a57b786740361d206d14bd2973

    • SHA512

      3a7334533bbcf4b1ad5b6200a9ef4c319a72ea06659e42c9b857e8e02c9115b04e63a61fb892f475456d53b907a7b7fe7fafb09d9e66cfc51481c2f170ac86fb

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      0x000200000001acdf-236.exe

    • Size

      274KB

    • MD5

      996ba35165bb62473d2a6743a5200d45

    • SHA1

      52169b0b5cce95c6905873b8d12a759c234bd2e0

    • SHA256

      5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

    • SHA512

      2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

    Score
    8/10
    • Drops file in Drivers directory

    • Target

      0x000200000001ace9-240.exe

    • Size

      602KB

    • MD5

      637a8b78f4985a7807c6cdb238df4534

    • SHA1

      01c47b02ec8b83a0a29590c2512c844318af8710

    • SHA256

      87dc2c320339840a39ae63d4a53a406d2c091573c9f75aa28ea614b454fcfe95

    • SHA512

      0eef7aec2cd0de345299bccda7cce486d65bde9d8d1dcfb6a90ffff79bb32d2be36452b064e4bd5da7aa5998e3398dca4bc1bf1ead863c324f7111a8ebfa0682

    Score
    7/10
    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • JavaScript code in executable

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      0x000300000001a5a2-209.exe

    • Size

      842KB

    • MD5

      185749ffbb860d3e5b705b557d819702

    • SHA1

      f09470a934d381cfc4e1504193eb58139061a645

    • SHA256

      1c5319523b316c789c5c29e87675e580a9016b4624f197df889cb942c9a32bfa

    • SHA512

      0bb85d296bdcee1fd50200af1924c73f751b08737256178052f46a8937a1a9be5656b4ea465b97ef798e48a0f600ceb7d2e18feb4026426112642d3b9213cce5

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • JavaScript code in executable

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      0x000300000001ac90-122.exe

    • Size

      411KB

    • MD5

      ceec23bdfaa35e0eeee0bb318f9d339f

    • SHA1

      69337754824f165accef920ec90d25aae72da9ca

    • SHA256

      e6ba7316c20de986784a205b13617c3c13ce4daa628a26d0c2d4bbf0fe7a21c6

    • SHA512

      7d401409ab447ebbcd1412e192815a8f257e4fb947feb5f69834e4a97efa7031b4ff1fcd5f1d97277a465a96b12c78ef6ae79795e416cb14f4beb3dfa0bc6e47

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • AgentTesla Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      0x000300000001ac99-126.exe

    • Size

      300KB

    • MD5

      ca58d4cf4a5e0725f844c8eae3f8ae67

    • SHA1

      fbce92619ce23f4594846f2f789e513dab9f3239

    • SHA256

      0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054

    • SHA512

      32bdfc2e72fff79c075d5f9ead8268f1e9e0648635fd977f6d8db62358c48d5451b64e639b1853bd87220a1157e74754e1109b3f1797f98ef02d5151fb09f4a9

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      0x000300000001ac9e-134.exe

    • Size

      311KB

    • MD5

      fdde60834af109d71f4c7d28b865c8a1

    • SHA1

      4f721105161b74e07b5ccd762d32932989bfb03a

    • SHA256

      b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

    • SHA512

      fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • AgentTesla Payload

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • JavaScript code in executable

    • Suspicious use of SetThreadContext

    • Target

      0x000300000001ac9e-206.exe

    • Size

      311KB

    • MD5

      fdde60834af109d71f4c7d28b865c8a1

    • SHA1

      4f721105161b74e07b5ccd762d32932989bfb03a

    • SHA256

      b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

    • SHA512

      fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • AgentTesla Payload

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Deletes itself

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      0x000300000001ac9f-141.exe

    • Size

      19KB

    • MD5

      5898d001eedb60a637f9334965e241a9

    • SHA1

      59d543084a8230ac387dee45b027c47282256d02

    • SHA256

      08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd

    • SHA512

      d8be87bddd9f289597221d864370dfdd1ea94d2910837e211f34eec0fee56477672d98bd0565059389ff6d9ac79002f0ffa792feb84db02b18f432c6174e71e0

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      0x000300000001acec-245.exe

    • Size

      482KB

    • MD5

      801a4e85faeb41919a0da6fa174ada04

    • SHA1

      cf6a3be6cf3130a0d2a92ac9eec392e43029a06c

    • SHA256

      23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd

    • SHA512

      319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b

    Score
    1/10
    • Target

      0x000300000001aced-248.exe

    • Size

      620KB

    • MD5

      7f1c0fe70e588f3bead08b64910b455e

    • SHA1

      b0d78d67ee8a703e2c5dff5f50b34c504a91cfee

    • SHA256

      4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4

    • SHA512

      e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84

    Score
    8/10
    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL
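The two extracted config blocks and the dropped-file list above are what a responder actually needs from this page, and the list repeats binaries under different drop names (0x000100000001ad02-313.exe and 0x000300000001aced-248.exe carry the same SHA256, as do 0x000300000001ac9e-134.exe and 0x000300000001ac9e-206.exe). The following added example, which is not part of the sandbox report, parses a constructed excerpt of the page in Python, collects hashes, C2 hosts, contact addresses and the ransom-note path, and groups dropped files by SHA256 so duplicates collapse into one indicator. The line-layout rules are an assumption about this page's text, not a Triage export format, and the SHARED_HOSTS set (we.tl, the WeTransfer short-link host used for the "video overview" URL) is an assumption for the example.

```python
"""Pull a deduplicated IOC set out of a sandbox-report excerpt.

Added example, not part of the report. REPORT is a constructed excerpt of the
page above (values copied from the page, trimmed to a few entries); the
parsing rules are assumptions about that text layout.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

REPORT = """\
Extracted
Path
C:\\_readme.txt
Emails
helpmanager@mail.ch
restoremanager@airmail.cc
URLs
https://we.tl/t-jydQMZP2Ie
Extracted
Family
smokeloader
Version
2020
C2
http://vintrsi.com/upload/
http://woatdert.com/upload/
http://waruse.com/upload/
Targets
  • Target
    0x000100000001ad02-313.exe
  • SHA256
    4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4
  • Target
    0x000300000001aced-248.exe
  • SHA256
    4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4
  • Target
    0x000300000001ac99-126.exe
  • SHA256
    0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Shared services the actor merely uses; block these at URL level, never by
# host. Assumed list for the example (we.tl is WeTransfer's short-link host).
SHARED_HOSTS = {"we.tl"}


def parse_report(text: str) -> dict:
    """Walk the report line by line, remembering which dropped file
    ("Target") the hash lines that follow belong to."""
    iocs = {"sha256": set(), "url": set(), "domain": set(),
            "email": set(), "path": set()}
    by_hash = defaultdict(list)      # sha256 -> [drop names]
    current_target = None
    prev = ""
    for raw in text.splitlines():
        line = raw.strip()
        if prev == "• Target":       # the name sits on the line after the bullet
            current_target = line
        elif SHA256_RE.match(line):
            iocs["sha256"].add(line)
            if current_target:
                by_hash[line].append(current_target)
        elif EMAIL_RE.match(line):
            iocs["email"].add(line)
        elif WIN_PATH_RE.match(line):
            iocs["path"].add(line)
        for url in URL_RE.findall(line):
            iocs["url"].add(url)
            host = urlsplit(url).hostname
            if host and host not in SHARED_HOSTS:
                iocs["domain"].add(host)
        prev = line
    result = {k: sorted(v) for k, v in iocs.items()}
    # Drops that are the same binary under different names
    result["duplicate_drops"] = {h: names for h, names in by_hash.items()
                                 if len(names) > 1}
    return result


if __name__ == "__main__":
    print(json.dumps(parse_report(REPORT), indent=2))
```

The email domains (mail.ch, airmail.cc) are public mail providers and are deliberately not promoted to domain indicators; only the SmokeLoader C2 hosts are, while the we.tl link is kept as a URL-only indicator so a host-level block does not take out a legitimate file-sharing service.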

MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is its hit count)

Execution

  • Command-Line Interface (T1059): 1

Persistence

  • New Service (T1050): 1

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 4

  • Bootkit (T1067): 1

Privilege Escalation

  • New Service (T1050): 1

Defense Evasion

  • Disabling Security Tools (T1089): 2

  • Modify Registry (T1112): 7

  • File Permissions Modification (T1222): 1

  • Install Root Certificate (T1130): 2

Credential Access

  • Credentials in Files (T1081): 12

Discovery

  • Query Registry (T1012): 12

  • System Information Discovery (T1082): 9

  • Remote System Discovery (T1018): 2

  • Peripheral Device Discovery (T1120): 5

Collection

  • Data from Local System (T1005): 12
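The matrix above tallies sandbox signatures per ATT&CK v6 technique; on a live endpoint the same behaviours listed for the dropped files (mpcmdrun definition removal, firewall changes, the DisableTaskMgr policy value, a Run key, a service ImagePath) surface as process-creation and registry-write events. The following added example, which is not from the report or the sandbox vendor, runs a few rules over a constructed Sysmon-style event list in Python and counts hits per v6 technique the way the matrix does. The events, the field names and the rule patterns are assumptions for the example; the mapping from the v6 IDs used on this page to the current sub-technique IDs is added here and is not on the page.

```python
"""Map host telemetry onto the ATT&CK v6 technique IDs the report lists.

Added example, not part of the sandbox report. EVENTS is a constructed,
Sysmon-like event list (EventID 1 = process creation, EventID 13 = registry
value set). Field names and patterns are assumptions for the example.
"""
import re
from collections import Counter

EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmd": '"MpCmdRun.exe" -RemoveDefinitions -All'},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": 'netsh advfirewall firewall add rule name="upd" dir=in '
            'action=allow program="C:\\Windows\\System32\\upd.exe"'},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                         r"\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                         r"\CurrentVersion\Run\upd",
     "details": r"C:\Users\u\AppData\Local\upd.exe"},
    {"id": 13, "target": r"HKLM\System\CurrentControlSet\Services\upd\ImagePath",
     "details": r"C:\Windows\System32\upd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# (signature name as worded on the page, ATT&CK v6 technique, event id,
#  field to inspect, case-insensitive regex)
RULES = [
    ("Deletes Windows Defender Definitions", "T1089", 1, "cmd",
     r"mpcmdrun\.exe.*-removedefinitions"),
    ("Modifies Windows Firewall", "T1089", 1, "cmd",
     r"netsh\s+advfirewall\s+firewall\s+(add|set|delete)"),
    ("Disables Task Manager via registry modification", "T1112", 13, "target",
     r"\\policies\\system\\disabletaskmgr$"),
    ("Adds Run key to start application", "T1060", 13, "target",
     r"\\currentversion\\run\\"),
    ("Sets service image path in registry", "T1050", 13, "target",
     r"\\currentcontrolset\\services\\[^\\]+\\imagepath$"),
]

# The page uses ATT&CK v6 IDs; these are the current sub-technique IDs they
# were folded into (added here, not on the page).
V6_TO_CURRENT = {"T1089": "T1562.001", "T1112": "T1112",
                 "T1060": "T1547.001", "T1050": "T1543.003"}


def detect(events):
    """Return one hit per (event, rule) match, carrying both technique IDs."""
    hits = []
    for ev in events:
        for name, tech, eid, field, pat in RULES:
            if ev["id"] == eid and re.search(pat, ev.get(field, ""), re.IGNORECASE):
                hits.append({"signature": name, "v6": tech,
                             "current": V6_TO_CURRENT[tech], "event": ev})
    return hits


def matrix_counts(hits):
    """Per-technique hit counts, the same shape as the report's matrix."""
    return dict(Counter(h["v6"] for h in hits))


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f'{h["v6"]} ({h["current"]}): {h["signature"]}')
    print(matrix_counts(detect(EVENTS)))
```

The two T1089 hits come from different processes (MpCmdRun.exe and netsh.exe), which is why counting per technique rather than per process is the right shape for a matrix-style summary; a per-process view would hide that the same technique fired twice.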

Tasks (task name, tags, score)

  • static1 (upx, vmprotect): 8/10

  • behavioral1: 1/10

  • behavioral2: 1/10

  • behavioral3: 1/10

  • behavioral4: 1/10

  • behavioral5: 8/10

  • behavioral6: 8/10

  • behavioral7: 8/10

  • behavioral8: 8/10

  • behavioral9: 1/10

  • behavioral10: 1/10

  • behavioral11 (tofsee, xmrig, evasion, miner, persistence, trojan): 10/10

  • behavioral12 (tofsee, xmrig, evasion, miner, persistence, trojan): 10/10

  • behavioral13: 8/10

  • behavioral14: 8/10

  • behavioral15 (spyware, stealer): 7/10

  • behavioral16 (spyware, stealer): 7/10

  • behavioral17 (discovery, evasion, persistence, ransomware, spyware, stealer): 10/10

  • behavioral18 (discovery, evasion, persistence, spyware, stealer): 10/10

  • behavioral19 (agenttesla, redline, discovery, infostealer, keylogger, spyware, stealer, trojan): 10/10

  • behavioral20 (agenttesla, redline, discovery, infostealer, keylogger, spyware, stealer, trojan): 10/10

  • behavioral21 (smokeloader, backdoor, trojan): 10/10

  • behavioral22 (smokeloader, backdoor, bootkit, persistence, trojan): 10/10

  • behavioral23 (smokeloader, backdoor, trojan): 10/10

  • behavioral24 (agenttesla, raccoon, smokeloader, backdoor, discovery, keylogger, persistence, spyware, stealer, trojan): 10/10

  • behavioral25 (smokeloader, backdoor, trojan): 10/10

  • behavioral26 (agenttesla, smokeloader, backdoor, keylogger, persistence, spyware, stealer, trojan): 10/10

  • behavioral27 (agenttesla, redline, discovery, infostealer, keylogger, spyware, stealer, trojan): 10/10

  • behavioral28 (agenttesla, redline, discovery, infostealer, keylogger, spyware, stealer, trojan): 10/10

  • behavioral29: 1/10

  • behavioral30: 1/10

  • behavioral31: 8/10

  • behavioral32: 8/10