General

  • Target

    Downloads3.rar

  • Size

    9.5MB

  • Sample

    201201-qhpngbd7yx

  • MD5

    e40c43e926a96a84bcc6cc1edcf50cae

  • SHA1

    03a97fe0910c0320fe147b6ffe80f2ca6de3f863

  • SHA256

    661d12b5e6cb61f54086d48b865ef5989ec00379f52b92fdb68b2ef59eddef43

  • SHA512

    5ac6661e5088defccf3d849eb450cf3d68c3542cdcd5cf56f4b4d71c469bdaf4ae94abe252c795fc8d4cb687608976e5345208dde0b55215630d2753de9c024e

Malware Config

Extracted

Language

ps1

Deobfuscated URLs

ps1.dropper

http://dbi.dbimages.com/?need=negato0&vid=dpec22&42686

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32
rc4.i32
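
The two SmokeLoader configurations above list their C2 servers as full URLs. For a blocklist you want bare hostnames, and for triage it is worth seeing how the 2019 set differs from the 2020 set (one TLD spread versus many, hand-picked names versus a shared numeric prefix, `/` versus `/upload/`). The Python helper below is an added example for this report, not the sandbox's own tooling; the URL lists are copied verbatim from the configurations above, and the shared-prefix check is a heuristic, not a classifier.

```python
"""Turn the SmokeLoader C2 URLs reported above into blocklist indicators and
summarise them.  Added example for this report; the URL lists are copied from
the two extracted configurations, the helpers are not the sandbox's own code."""
from collections import Counter
from os.path import commonprefix
from urllib.parse import urlsplit

# SmokeLoader version 2020 configuration, as reported above.
C2_2020 = [
    "http://naritouzina.net/",
    "http://nukaraguasleep.net/",
    "http://notfortuaj.net/",
    "http://natuturalistic.net/",
    "http://zaniolofusa.net/",
    "http://vintrsi.com/upload/",
    "http://woatdert.com/upload/",
    "http://waruse.com/upload/",
]

# SmokeLoader version 2019 configuration, as reported above.
C2_2019 = [
    "http://10022020newfolder1002002131-service1002.space/",
    "http://10022020newfolder1002002231-service1002.space/",
    "http://10022020newfolder3100231-service1002.space/",
    "http://10022020newfolder1002002431-service1002.space/",
    "http://10022020newfolder1002002531-service1002.space/",
    "http://10022020newfolder33417-01242510022020.space/",
    "http://10022020test125831-service1002012510022020.space/",
    "http://10022020test136831-service1002012510022020.space/",
    "http://10022020test147831-service1002012510022020.space/",
    "http://10022020test146831-service1002012510022020.space/",
    "http://10022020test134831-service1002012510022020.space/",
    "http://10022020est213531-service100201242510022020.ru/",
    "http://10022020yes1t3481-service1002012510022020.ru/",
    "http://10022020test13561-service1002012510022020.su/",
    "http://10022020test14781-service1002012510022020.info/",
    "http://10022020test13461-service1002012510022020.net/",
    "http://10022020test15671-service1002012510022020.tech/",
    "http://10022020test12671-service1002012510022020.online/",
    "http://10022020utest1341-service1002012510022020.ru/",
    "http://10022020uest71-service100201dom2510022020.ru/",
]


def hostnames(urls):
    """Unique lower-cased hostnames in first-seen order.  Anything that is not
    an http(s) URL with a host raises, so a stray config field (such as the
    'rc4.i32' key labels in the report) cannot slip into a blocklist as an
    empty or bogus indicator."""
    seen = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not an http(s) URL: {url!r}")
        host = parts.hostname.lower()
        if host not in seen:
            seen.append(host)
    return seen


def paths(urls):
    """Distinct request paths.  The two configurations above differ here
    ('/' versus '/upload/'), which matters when searching proxy logs."""
    return {urlsplit(u).path or "/" for u in urls}


def tld_histogram(hosts):
    """How the hostnames spread across TLDs (last label only)."""
    return Counter(h.rsplit(".", 1)[-1] for h in hosts)


def shared_prefix(hosts):
    """Longest common prefix of the hostnames.  A long prefix shared by many
    registrations points at a generated naming scheme; an empty one at
    hand-picked names.  Heuristic only."""
    return commonprefix(hosts) if hosts else ""


def blocklist(urls):
    """hosts-file style sinkhole lines for the C2 set."""
    return [f"0.0.0.0 {h}" for h in hostnames(urls)]


if __name__ == "__main__":
    for label, urls in (("2020", C2_2020), ("2019", C2_2019)):
        hosts = hostnames(urls)
        print(f"config {label}: {len(hosts)} hosts, TLDs {dict(tld_histogram(hosts))}, "
              f"paths {sorted(paths(urls))}, shared prefix {shared_prefix(hosts)!r}")
```

Run stand-alone it prints one summary line per configuration; feed `blocklist(C2_2019 + C2_2020)` to whatever sinkhole or DNS RPZ you maintain. Blocking by hostname rather than URL is deliberate: the same SmokeLoader panel answers on any path, and the 2019 naming pattern suggests more siblings than the twenty listed here.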

Targets

    • Target

      Downloads3/139.bin

    • Size

      1.7MB

    • MD5

      21a20f8d011e93292fccb0ac2a07195e

    • SHA1

      1b41b3bad19eb60a14779fd2267e88128127b88b

    • SHA256

      8ff2e48da213d039b917af0acacfe09ad49bf44211857d0034a0899826d3227e

    • SHA512

      0c40401dbce1b761e8ceebc07057fab376d61094a32126a3c5aa2d70be7153bc3fd77692c9b85f483c45f8b82265e6d7012e661bbe6f8776b87d0695a51679f1

    Score
    1/10
    • Target

      Downloads3/425895848735145103942784.doc

    • Size

      11.0MB

    • MD5

      a5bcfb89c89476bb2de69a52c0be5a35

    • SHA1

      c554019dd6f9ff674c92d0b153f0620e21efecb5

    • SHA256

      dc6a23a597caacf95adcba017b20909f48bb79a80e50fa00e4b496640199d8bc

    • SHA512

      13d07fbca3d6022ff2d1d630de7acdaac4c51daca52770c5007ce29deff6d0983af2e51d091fdd85cd09835f61cc78c70b4cc28dc23106158c54dcaa4371ad4f

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
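
The `.doc` sample above earns its 10/10 on exactly this behaviour. As an added example, not the sandbox's own rule, here is the detection logic in Python run over constructed Sysmon-style process-creation records (Event ID 1 field names). The Office parent set, the allowed-children baseline and the LOLBin list used for severity are assumptions to tune per fleet, not values taken from the report.

```python
"""Detection logic for the behaviour flagged above: an Office application
spawning a child it has no business starting (the classic macro-to-PowerShell
hop).  Added example written for this report, not the sandbox's own rule.
The event records are constructed to mimic Sysmon Event ID 1 fields; the
allowlists are assumptions to tune per fleet."""

# Office binaries whose children we scrutinise (assumed set).
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe",
}

# Children Office itself launches in normal operation (print spooler proxy,
# crash reporter, Office AI helper).  Assumed baseline, not from the report.
ALLOWED_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe", "ai.exe"}

# Living-off-the-land binaries that turn a macro into code execution; a hit on
# one of these from an Office parent is rated high rather than medium.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}


def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_office_children(events):
    """Return one alert dict per event whose parent is an Office binary and
    whose child is not on the allowlist.  Events lacking either image field
    are skipped rather than treated as benign or malicious."""
    alerts = []
    for ev in events:
        parent_path = ev.get("ParentImage")
        child_path = ev.get("Image")
        if not parent_path or not child_path:
            continue
        parent, child = basename(parent_path), basename(child_path)
        if parent not in OFFICE_PARENTS or child in ALLOWED_CHILDREN:
            continue
        alerts.append({
            "parent": parent,
            "child": child,
            "severity": "high" if child in LOLBINS else "medium",
            "command_line": ev.get("CommandLine", ""),
        })
    return alerts


# Constructed sample telemetry (not captured from the sandbox run).
SAMPLE_EVENTS = [
    {   # macro hands off to PowerShell: must fire, high severity
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\stage.ps1",
    },
    {   # Excel 4.0 macro running a dropped binary: must fire, medium severity
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Users\Public\update.exe",
        "CommandLine": r"C:\Users\Public\update.exe",
    },
    {   # Word printing through the 32/64-bit spooler proxy: benign
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
    {   # Office is the child here, not the parent: benign
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r"EXCEL.EXE C:\Users\alice\Downloads\invoice.xlsm",
    },
    {   # truncated record without an Image field: skipped
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "",
    },
]

if __name__ == "__main__":
    for a in unexpected_office_children(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['parent']} -> {a['child']}: {a['command_line']}")
```

The allowlist is deliberately short: a dropped EXE under a user-writable path (the second sample event) is still flagged, just at medium severity, because the parent alone is the signal. Keep the rule keyed on the parent image rather than on command-line strings; the PowerShell dropper in this report is obfuscated, and string matching on its arguments would miss the next variant.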

    • Target

      Downloads3/IgqbCYuTw.bin

    • Size

      831KB

    • MD5

      a53b06d097028f1e72d5cc2047a4a3cb

    • SHA1

      1a48ac9fe688ecc2e92d4ee5c0bcd1d3cc85587e

    • SHA256

      0e00f18b21735e6e76c96cb5f0930d71bd78c4347e100260547c12e931ff15ff

    • SHA512

      391ca5003bf5a6165ec1e3dda7ba7f24ed936f4a811bc76808843fd5cf4ce46013fa9fdf4e074fab4825b6e0472cf8f014a7c4c615fafa9f600ebc12eef3f7af

    Score
    8/10
    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Downloads3/SetupFille-v48.09.45.bin

    • Size

      4.5MB

    • MD5

      c05ddb2a410ea04438f007017b097a86

    • SHA1

      11f49966eec106ebb28c902ac1a98b8d7a4d7df1

    • SHA256

      a4ed325ac7da7720a5426ca756d2c700a46cd087eab062ef287734360deebd4f

    • SHA512

      fba4a5af7371f7991f5dfed9597f8d90579e0224db3a917fab47e6bf439d143c9e7c6e4732c7241d734b0f5bdca5a66ae44e1c6ec19abd2b596b78bdc3df4ec2

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular loader/backdoor trojan sold on underground forums since 2011.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • AgentTesla Payload

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Suspicious Office macro

      Office document containing Excel 4.0 (XLM) macros.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Downloads3/finfisher.1.bin

    • Size

      771KB

    • MD5

      074919f13d07cd6ce92bb0738971afc7

    • SHA1

      9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9

    • SHA256

      f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e

    • SHA512

      cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749

    Score
    8/10
    • Executes dropped EXE

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      Downloads3/speakoniasetup-1.0.bin

    • Size

      2.6MB

    • MD5

      4e6aece633baf0155331ac4e5e537fef

    • SHA1

      daad322125235cce7742a6f95a428922843e7a6b

    • SHA256

      20652fdf3561c2f840597cf5a610ad4c581f2e41240e58caf9da8c3ce216d080

    • SHA512

      790b08a355a9e389210829e50801e6b5bf59ab80900dfafc0919ea8104b01a9d8650d9b5e045bbedc4f1f5e30f0c5566274838ef83bf4e318362ffb61f9abccd

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Persistence           New Service                              1  T1050
  Persistence           Modify Existing Service                  1  T1031
  Persistence           Registry Run Keys / Startup Folder       4  T1060
  Persistence           Bootkit                                  1  T1067
  Privilege Escalation  New Service                              1  T1050
  Defense Evasion       Modify Registry                          6  T1112
  Defense Evasion       File Permissions Modification            1  T1222
  Defense Evasion       Install Root Certificate                 1  T1130
  Credential Access     Credentials in Files                     2  T1081
  Discovery             Query Registry                           8  T1012
  Discovery             System Information Discovery             7  T1082
  Discovery             Peripheral Device Discovery              2  T1120
  Discovery             Remote System Discovery                  1  T1018
  Collection            Data from Local System                   2  T1005
  Command and Control   Web Service                              1  T1102

Tasks

  • static1 (Score 8/10)

    macro

  • behavioral1 (Score 1/10)

  • behavioral2 (Score 10/10)

  • behavioral3 (Score 8/10)

    spyware

  • behavioral4 (Score 10/10)

    agenttesla, plugx, redline, smokeloader, tofsee, xmrig, backdoor, bootkit, discovery, evasion, infostealer, keylogger, macro, miner, persistence, spyware, stealer, trojan, upx

  • behavioral5 (Score 8/10)

  • behavioral6 (Score 8/10)

    discovery, persistence

  • behavioral7 (Score 1/10)

  • behavioral8 (Score 10/10)

  • behavioral9 (Score 8/10)

    spyware

  • behavioral10 (Score 10/10)

    agenttesla, plugx, redline, smokeloader, tofsee, backdoor, bootkit, discovery, evasion, infostealer, keylogger, macro, persistence, spyware, stealer, trojan, upx

  • behavioral11 (Score 8/10)

  • behavioral12 (Score 8/10)

    discovery, persistence

  • behavioral13 (Score 1/10)

  • behavioral14 (Score 10/10)

  • behavioral15 (Score 8/10)

    spyware

  • behavioral16 (Score 8/10)

    bootkit, macro, persistence, spyware

  • behavioral17 (Score 8/10)

  • behavioral18 (Score 8/10)

    discovery, persistence