Resubmissions

  • 25-03-2021 19:54  210325-1my3wzl72x  8
  • 25-03-2021 19:06  210325-bvf4p5t18e  10

Analysis

  • max time kernel: 67s
  • max time network: 600s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 25-03-2021 19:06

General

  • Target: COVERT-Pro-Inst (1).exe
  • Size: 30.9MB
  • MD5: 604aaadd302aac9e9d783bd8910ce594
  • SHA1: f6500c98ff55c6a974ed02194ff0be25d96ec9f8
  • SHA256: 41a0c8a3158186712649e53fce67714641bf8d3e485731255ab9b3a954da7046
  • SHA512: b25b97fb60aeb9baa15f68be02963d9ac074040f989705fbfcfae825bcc8799998e705c9691371538d64401b1432444df60b2a7881b6b5b3b6f1b21b7eba0feb

Malware Config

Extracted

  • Family: icedid
  • Campaign: 1235390667

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    Three family signatures firing on one installer binary is unusual; treat the family attribution as signature matches to be confirmed against the extracted config (which names only icedid above), not as a verdict.

  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (15 IoCs)

    Uses a legitimate IP-lookup service to find the infected system's external IP address.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (19 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Common in ransomware, but installers enumerate drives as well; the process here is an installer writing under Program Files, so on its own this is weak evidence.

  • Script User-Agent (6 IoCs)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (29 IoCs)
  • Suspicious use of SetWindowsHookEx (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\COVERT-Pro-Inst (1).exe
    "C:\Users\Admin\AppData\Local\Temp\COVERT-Pro-Inst (1).exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Program Files (x86)\COVERT Pro\Protection.exe
      "C:\Program Files (x86)\COVERT Pro\Protection.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2108
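The "Executes dropped EXE" signature in the tree above fires because PID 3116 writes Protection.exe under Program Files and PID 2108 then starts from that path. The following is an added example of how that detection can be expressed over a trace of file-write and process-start events; it is not the sandbox's own signature engine, and the Event record, the helper names and the constructed trace (which reuses the paths and PIDs from this page) are assumptions made for illustration.

```python
"""Detection logic for "Executes dropped EXE": a process writes a PE file to
disk and a process later starts from that same path. Added example, not the
sandbox's signature engine; Event and SAMPLE_TRACE are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    kind: str                    # "file_write" or "process_start"
    pid: int                     # acting process (writer, or the new process)
    path: str                    # file written, or image path started
    parent_pid: Optional[int] = None
    data_head: bytes = b""       # first bytes written (used for the MZ check)


def detect_dropped_exe(events: List[Event]) -> List[Tuple[str, int, int]]:
    """Return (image_path, writer_pid, child_pid) for every process start
    whose image path was written earlier in the trace with an MZ header.
    Paths compare case-insensitively, as NTFS does; a non-PE write to the
    same path (an .ini, a data blob) never counts."""
    written = {}                 # normalised path -> (writer_pid, is_pe)
    hits = []
    for ev in events:
        key = ev.path.lower()
        if ev.kind == "file_write":
            written[key] = (ev.pid, ev.data_head.startswith(b"MZ"))
        elif ev.kind == "process_start" and key in written:
            writer_pid, is_pe = written[key]
            if is_pe:
                hits.append((ev.path, writer_pid, ev.pid))
    return hits


def hits_with_lineage(events: List[Event]) -> List[Tuple[str, int, int]]:
    """Stricter variant: the started process must also be a direct child of
    the writer, which is the shape of the tree on this page (3116 -> 2108)."""
    return [
        (path, writer, child)
        for (path, writer, child) in detect_dropped_exe(events)
        if any(e.kind == "process_start" and e.pid == child and e.parent_pid == writer
               for e in events)
    ]


# Constructed trace mirroring the report's process tree; PIDs are the page's.
SAMPLE_TRACE = [
    Event("process_start", 3116, r"C:\Users\Admin\AppData\Local\Temp\COVERT-Pro-Inst (1).exe"),
    Event("file_write", 3116, r"C:\Program Files (x86)\COVERT Pro\Bases\SU1.kms", data_head=b"\x00\x01"),
    Event("file_write", 3116, r"C:\Program Files (x86)\COVERT Pro\Protection.exe", data_head=b"MZ\x90\x00"),
    Event("file_write", 3116, r"C:\Program Files (x86)\COVERT Pro\language\Select.ini", data_head=b"[lang"),
    Event("process_start", 2108, r"C:\Program Files (x86)\COVERT Pro\Protection.exe", parent_pid=3116),
]

if __name__ == "__main__":
    for path, writer, child in hits_with_lineage(SAMPLE_TRACE):
        print(f"dropped-and-executed: {path} (written by {writer}, started as {child})")
```

The MZ check on the written bytes is what keeps the data files dropped alongside (SU1.kms, Select.ini) from producing noise; the lineage variant is the one to use when the concern is an installer running its own payload rather than a later, unrelated launch.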

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery, T1082 (1)
  • Command and Control: Web Service, T1102 (1)

Downloads

  • C:\Program Files (x86)\COVERT Pro\Bases\SU1.kms
    MD5: a3f93cabd94efc086d87a5a47f2b2a4e
    SHA1: 1c49d2737c7d2c6f5d4bb083a113fb3bee4a67ea
    SHA256: f4ca15357003927d9962ddfe9211d68a5d11fd2f25a7e5b6e96267d5dd0035eb
    SHA512: 755ea134838e999a2c8cd5a9fcc09d8c36e621b8155e24620ed44e95b7315a3d64fd9d0763ae39cb75aee7092d4cb5fa35f8350639205dcf0e1acfdac53f027c

  • C:\Program Files (x86)\COVERT Pro\Protection.exe
    MD5: 94b3c08f74c955864ebee9090e81e220
    SHA1: e60ec6c9d4aa885afb8006e98e43b0a861b5f5d8
    SHA256: b851d2dd00742b6c20c8c84980ce56fe7c3df85aaa469ec78a5189d0d3b8c79f
    SHA512: 2d5946ce2d5105ba37b3693fe7fde86704706f39165de4dae120264542bd25ed24167fa4e1280fffd889deb3cc1fb1c3ae4606667da2b92facbf4a0a91a352ca

  • C:\Program Files (x86)\COVERT Pro\language\Russian.lng
    MD5: 8f85d3f7609e6600f6c942daacf353f4
    SHA1: f37f26d9f9982a8e897b2665a4d3ce9a8b26566c
    SHA256: 5dea64e85c341102388ddafb66f8f3fae42976abd255396e502e1aad823445f5
    SHA512: b9e1620ffa7bfd795b444831b515f46b68acd88bdb1c9bfee92afabd199370ba231e86455a9fc4d622f8c10e4324ae796a29198fcdb1118a7b1ae83f7c388926

  • C:\Program Files (x86)\COVERT Pro\language\Select.ini
    MD5: b21efb65b67f1519a0200dbd8ea510c1
    SHA1: 234dcec83d08495ac92daadfa2bfb09f79f598a1
    SHA256: 9bac02fa0daea3fba778a1bf6b3ed86ccb8efa59ffdb4b38a5f34b8c093e1210
    SHA512: f31ca3d337d39b516de13ee67793e31ec92e0c21e24d2c746d5dc2a99d64b1551432b23bcf62ec6d8fd2115de0b445399bfcbde2647efd35b51962b9d4406af2

  • memory/2108-2-0x0000000000000000-mapping.dmp
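The dropped-file listing above is the part of a report most often reused: copied into a blocklist, or checked against a file pulled from a host. The following added example (not tooling from the sandbox) parses a listing in this layout into records, rejects digests of the wrong length, flags an entry listed twice verbatim, and matches a file's computed digests against the list. The accepted layout (a bullet line holding the path, then one digest per line with the algorithm name either alone on its line or followed by a colon and the value) is an assumption about the report format; the excerpt embedded below is constructed from entries on this page, and the helper names are mine.

```python
"""Parse a sandbox "Downloads" listing, validate the digests, flag repeated
entries and match a file's digests against it. Added example, not the
sandbox's tooling; REPORT_EXCERPT is constructed from this page's entries."""
import hashlib
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# "MD5" alone, or "MD5: <hex>" / "MD5 <hex>" on one line.
DIGEST_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]*)$")


def digests_of(data: bytes) -> dict:
    """All four digests the report records, keyed by algorithm name."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def parse_downloads(text: str) -> list:
    """Return one dict per bullet: {'path': ..., 'MD5': ..., ...}.
    Bullets without digests (memory dumps) yield a path-only record.
    A digest of the wrong length or non-hex content raises ValueError."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
            continue
        if current is None:
            continue
        m = DIGEST_LINE.match(line)
        if m and m.group(2):            # label and value on one line
            alg, value = m.group(1), m.group(2)
        elif m:                          # label alone; value on a later line
            pending = m.group(1)
            continue
        elif pending:                    # the value for the pending label
            alg, value = pending, line
            pending = None
        else:
            continue
        if len(value) != HEX_LEN[alg] or not re.fullmatch(r"[0-9a-fA-F]+", value):
            raise ValueError(f"bad {alg} for {current['path']}: {value}")
        current[alg] = value.lower()
    return records


def duplicate_entries(records: list) -> list:
    """Paths listed more than once with the same SHA256 (verbatim repeats)."""
    seen, dups = set(), []
    for r in records:
        if "SHA256" not in r:
            continue
        key = (r["path"].lower(), r["SHA256"])
        if key in seen:
            dups.append(r["path"])
        seen.add(key)
    return dups


def match_bytes(data: bytes, records: list) -> list:
    """Paths whose every recorded digest equals the digest of `data`. One
    disagreeing algorithm disqualifies the entry, so a lone MD5 collision
    cannot produce a match when a stronger hash is also on record."""
    d = digests_of(data)
    return [r["path"] for r in records
            if any(a in r for a in HEX_LEN)
            and all(r[a] == d[a] for a in HEX_LEN if a in r)]


# Constructed excerpt in the report's layout; digest values are this page's.
REPORT_EXCERPT = r"""
  • C:\Program Files (x86)\COVERT Pro\Bases\SU1.kms
    MD5: a3f93cabd94efc086d87a5a47f2b2a4e
    SHA1: 1c49d2737c7d2c6f5d4bb083a113fb3bee4a67ea
    SHA256: f4ca15357003927d9962ddfe9211d68a5d11fd2f25a7e5b6e96267d5dd0035eb
  • C:\Program Files (x86)\COVERT Pro\Protection.exe
    MD5
    94b3c08f74c955864ebee9090e81e220
    SHA256
    b851d2dd00742b6c20c8c84980ce56fe7c3df85aaa469ec78a5189d0d3b8c79f
  • C:\Program Files (x86)\COVERT Pro\Protection.exe
    MD5: 94b3c08f74c955864ebee9090e81e220
    SHA256: b851d2dd00742b6c20c8c84980ce56fe7c3df85aaa469ec78a5189d0d3b8c79f
  • memory/2108-2-0x0000000000000000-mapping.dmp
"""

if __name__ == "__main__":
    recs = parse_downloads(REPORT_EXCERPT)
    print(len(recs), "entries; repeated:", duplicate_entries(recs))
    print("matches for a probe file:", match_bytes(b"probe", recs))
```

Requiring every recorded algorithm to agree is deliberate: matching on MD5 alone would let a chosen-prefix collision masquerade as the listed file, while SHA256 or SHA512 from the same listing rules that out.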