Resubmissions

24-04-2021 20:33

210424-t3nc6v2zm6 10

24-04-2021 20:33

210424-tvfj4vfree 10

General

  • Target

    install.rar

  • Size

    9.6MB

  • Sample

    210424-t3nc6v2zm6

  • MD5

    f1d1a1634dc25b46e06252b3c101910c

  • SHA1

    6050909d64879d01d5297fce53e78cdcb4975ca4

  • SHA256

    b2718252be051e7fbc18b319b31ef746d88407272473a465b673cea0de3c4aad

  • SHA512

    9d420dc0afa5d7e59a143871329506f7fb24e0a59cbc455819f87d166624658010d7a67e2a886383d1713f8cfe483748d83093ab5ecbc8da11c5479169fa0936

Malware Config

Extracted

Family

raccoon

Botnet

9afb493c6f82d08075dbbfa7d93ce97f1dbf4733

Attributes
  • url4cnc

    https://tttttt.me/antitantief3

rc4.plain
rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32
rc4.i32

Extracted

Family

fickerstealer

C2

sodaandcoke.top:80

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      Install — копия.exe

    • Size

      497KB

    • MD5

      41a5f4fd1ea7cac4aa94a87aebccfef0

    • SHA1

      0d0abf079413a4c773754bf4fda338dc5b9a8ddc

    • SHA256

      97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

    • SHA512

      5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

    Score
    1/10
    • Target

      Install.exe

    • Size

      497KB

    • MD5

      41a5f4fd1ea7cac4aa94a87aebccfef0

    • SHA1

      0d0abf079413a4c773754bf4fda338dc5b9a8ddc

    • SHA256

      97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

    • SHA512

      5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • TelegramRat

      Telegram_rat.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Nirsoft

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-4 — копия.exe

    • Size

      4.6MB

    • MD5

      563107b1df2a00f4ec868acd9e08a205

    • SHA1

      9cb9c91d66292f5317aa50d92e38834861e9c9b7

    • SHA256

      bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

    • SHA512

      99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Nirsoft

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-4.exe

    • Size

      4.6MB

    • MD5

      563107b1df2a00f4ec868acd9e08a205

    • SHA1

      9cb9c91d66292f5317aa50d92e38834861e9c9b7

    • SHA256

      bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

    • SHA512

      99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Program crash

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
N/A

behavioral1

Score
1/10

behavioral2

raccoonsmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverypersistencestealertrojan
Score
10/10

behavioral3

dcratfickerstealerxmrigdiscoveryinfostealerminerpersistencerat
Score
10/10

behavioral4

dcratfickerstealerxmrigdiscoveryevasioninfostealerminerpersistencerat
Score
10/10

behavioral5

Score
1/10

behavioral6

gluptebametasploitraccoonsmokeloadertofsee9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistenceratspywarestealertelegramtrojan
Score
10/10

behavioral7

dcratfickerstealerraccoonredlinevidarxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealer
Score
10/10

behavioral8

dcratfickerstealertofseexmrigdiscoveryevasioninfostealerminerpersistencerattrojan
Score
10/10

behavioral9

Score
1/10

behavioral10

gluptebametasploitraccoonsmokeloadertofsee9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistenceratspywarestealertelegramtrojan
Score
10/10

behavioral11

dcratfickerstealerredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealer
Score
10/10

behavioral12

dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral13

Score
1/10

behavioral14

gluptebametasploitraccoonredlinesmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasioninfostealerloaderpersistenceratspywarestealertelegramtrojan
Score
10/10

behavioral15

dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral16

dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral17

Score
1/10

behavioral18

gluptebametasploitsmokeloadervidarbackdoordiscoverydropperevasionloaderpersistencespywarestealertrojan
Score
10/10

behavioral19

dcratfickerstealergluptebametasploitsmokeloadertofseexmrigbackdoordiscoverydropperevasioninfostealerloaderminerpersistenceratspywarestealertrojan
Score
10/10

behavioral20

dcratfickerstealergluptebametasploitsmokeloaderxmrigbackdoordiscoverydropperevasioninfostealerloaderminerpersistenceratspywarestealertrojan
Score
10/10

behavioral21

Score
1/10

behavioral22

gluptebametasploitraccoonredlinesmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasioninfostealerloaderpersistenceratspywarestealertelegramtrojan
Score
10/10

behavioral23

dcratfickerstealertofseexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral24

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral25

Score
1/10

behavioral26

gluptebametasploitraccoonsmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistenceratstealertelegramtrojan
Score
10/10

behavioral27

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral28

dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral29

Score
1/10

behavioral30

gluptebametasploitraccoonredlinesmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojan
Score
10/10

behavioral31

dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral32

dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10