Resubmissions

25-04-2021 09:42

210425-v9mttlcxke 10

25-04-2021 08:59

210425-1d89vxfyln 10

25-04-2021 07:37

210425-b8smdccdwe 10

25-04-2021 06:55

210425-1csfnkw57n 10

24-04-2021 20:32

210424-x7kp9rrf4x 10

General

  • Target

    install.rar

  • Size

    9.6MB

  • Sample

    210425-1csfnkw57n

  • MD5

    f1d1a1634dc25b46e06252b3c101910c

  • SHA1

    6050909d64879d01d5297fce53e78cdcb4975ca4

  • SHA256

    b2718252be051e7fbc18b319b31ef746d88407272473a465b673cea0de3c4aad

  • SHA512

    9d420dc0afa5d7e59a143871329506f7fb24e0a59cbc455819f87d166624658010d7a67e2a886383d1713f8cfe483748d83093ab5ecbc8da11c5479169fa0936

Malware Config

Extracted

Family

raccoon

Botnet

9afb493c6f82d08075dbbfa7d93ce97f1dbf4733

Attributes
  • url4cnc

    https://tttttt.me/antitantief3

rc4.plain
rc4.plain

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

fickerstealer

C2

sodaandcoke.top:80

Targets

    • Target

      Install — копия.exe

    • Size

      497KB

    • MD5

      41a5f4fd1ea7cac4aa94a87aebccfef0

    • SHA1

      0d0abf079413a4c773754bf4fda338dc5b9a8ddc

    • SHA256

      97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

    • SHA512

      5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

    Score
    1/10
    • Target

      Install.exe

    • Size

      497KB

    • MD5

      41a5f4fd1ea7cac4aa94a87aebccfef0

    • SHA1

      0d0abf079413a4c773754bf4fda338dc5b9a8ddc

    • SHA256

      97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

    • SHA512

      5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • TelegramRat

      Telegram_rat.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Nirsoft

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-4 — копия.exe

    • Size

      4.6MB

    • MD5

      563107b1df2a00f4ec868acd9e08a205

    • SHA1

      9cb9c91d66292f5317aa50d92e38834861e9c9b7

    • SHA256

      bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

    • SHA512

      99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detected facebook phishing page

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Guloader Payload

    • Nirsoft

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Program crash

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-4.exe

    • Size

      4.6MB

    • MD5

      563107b1df2a00f4ec868acd9e08a205

    • SHA1

      9cb9c91d66292f5317aa50d92e38834861e9c9b7

    • SHA256

      bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

    • SHA512

      99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Detected facebook phishing page

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
N/A

behavioral1

Score
1/10

behavioral2

gluptebametasploitraccoonsmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistenceratspywarestealertelegramtrojan
Score
10/10

behavioral3

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral4

dcratfickerstealerraccoonredlinexmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojan
Score
10/10

behavioral5

Score
1/10

behavioral6

gluptebametasploitsmokeloaderbackdoorbootkitdiscoverydropperevasionloaderpersistencespywarestealertrojan
Score
10/10

behavioral7

dcratfickerstealergluptebaguloadermetasploitsmokeloaderxmrigbackdoordiscoverydownloaderdropperevasionguloaderinfostealerloaderminerpersistenceratspywarestealertrojan
Score
10/10

behavioral8

dcratfickerstealergluptebametasploitraccoonredlinesmokeloaderxmrigbackdoorbootkitdiscoverydropperevasioninfostealerloaderminerpersistenceratspywarestealertrojan
Score
10/10

behavioral9

Score
1/10

behavioral10

gluptebametasploitraccoonsmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistenceratspywarestealertelegramtrojan
Score
10/10

behavioral11

dcratfickerstealerredlinevidarxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral12

dcratfickerstealerraccoonredlinevidarxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealer
Score
10/10

behavioral13

Score
1/10

behavioral14

gluptebametasploitraccoonsmokeloadertofsee9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistencestealertrojan
Score
10/10

behavioral15

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral16

dcratfickerstealerraccoonxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojan
Score
10/10

behavioral17

Score
1/10

behavioral18

gluptebametasploitraccoonsmokeloadertofsee9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistenceratstealertelegramtrojan
Score
10/10

behavioral19

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral20

dcratfickerstealerraccoonredlinexmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojan
Score
10/10

behavioral21

Score
1/10

behavioral22

gluptebametasploitraccoonsmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistenceratspywarestealertelegramtrojan
Score
10/10

behavioral23

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealer
Score
10/10

behavioral24

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral25

Score
1/10

behavioral26

gluptebametasploitraccoonredlinesmokeloadervidar9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojan
Score
10/10

behavioral27

dcratfickerstealerraccoonxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojan
Score
10/10

behavioral28

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral29

Score
1/10

behavioral30

gluptebametasploitraccoonsmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoverydropperevasionloaderpersistenceratspywarestealertelegramtrojan
Score
10/10

behavioral31

dcratfickerstealerraccoonxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral32

dcratfickerstealertofseexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan
Score
10/10