Resubmissions

08-07-2021 12:18

210708-8z6d5h8z2n 10

06-07-2021 17:53

210706-g6we6sa7sa 10

19-06-2021 18:17

210619-vr8bj2dzfn 10

17-06-2021 21:39

210617-a9cvlnmrbx 10

11-06-2021 17:26

210611-wvab1yw2tj 10

08-06-2021 06:47

210608-qrbpch3y46 10

08-06-2021 06:47

210608-64tndgm1ln 10

05-06-2021 18:40

210605-cd6qpr55sx 10

04-06-2021 11:56

210604-5c416rs3ns 10

04-06-2021 08:52

210604-jy9885jen2 10

General

  • Target

    install.rar

  • Size

    9.6MB

  • Sample

    210427-nx546ncy4j

  • MD5

    042cfe2da364303b208632f1b160f51e

  • SHA1

    b314aaedb8c31789b14c508bd7bad8e2e34d4f61

  • SHA256

    65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

  • SHA512

    fe09d5ef9368ef9a827240a2ef5f5403d924fc77688632fadb7617dbb53bfbfa6f58f01e23df4ccaa87e9c4cbb20d8fb5e9a0505128bd02bd7df6c927b5134cd

Malware Config

Extracted

Family

redline

Botnet

EUU

C2

download3.info:80

Extracted

Family

raccoon

Botnet

9afb493c6f82d08075dbbfa7d93ce97f1dbf4733

Attributes
  • url4cnc

    https://tttttt.me/antitantief3

rc4.plain
rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

fickerstealer

C2

sodaandcoke.top:80

Extracted

Family

redline

Botnet

1414

C2

188.119.112.16:46409

Extracted

Path

C:\Users\Admin\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: rootiunik@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: rootiunik@cock.li Reserved email: TimothyCrabtree@protonmail.com Your personal ID: 9CA-CC8-046 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

rootiunik@cock.li

TimothyCrabtree@protonmail.com

Extracted

Path

C:\Users\Admin\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: rootiunik@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: rootiunik@cock.li Reserved email: TimothyCrabtree@protonmail.com Your personal ID: 1C9-32C-83E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

rootiunik@cock.li

TimothyCrabtree@protonmail.com

Targets

    • Target

      Install.exe

    • Size

      497KB

    • MD5

      41a5f4fd1ea7cac4aa94a87aebccfef0

    • SHA1

      0d0abf079413a4c773754bf4fda338dc5b9a8ddc

    • SHA256

      97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

    • SHA512

      5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • ElysiumStealer

      ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Turns off Windows Defender SpyNet reporting

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Windows security bypass

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Install2.exe

    • Size

      497KB

    • MD5

      41a5f4fd1ea7cac4aa94a87aebccfef0

    • SHA1

      0d0abf079413a4c773754bf4fda338dc5b9a8ddc

    • SHA256

      97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

    • SHA512

      5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Detected facebook phishing page

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • ElysiumStealer

      ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Turns off Windows Defender SpyNet reporting

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Windows security bypass

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Program crash

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-4.exe

    • Size

      4.6MB

    • MD5

      563107b1df2a00f4ec868acd9e08a205

    • SHA1

      9cb9c91d66292f5317aa50d92e38834861e9c9b7

    • SHA256

      bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

    • SHA512

      99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detected facebook phishing page

    • ElysiumStealer

      ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Turns off Windows Defender SpyNet reporting

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Windows security bypass

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-4d.exe

    • Size

      4.6MB

    • MD5

      563107b1df2a00f4ec868acd9e08a205

    • SHA1

      9cb9c91d66292f5317aa50d92e38834861e9c9b7

    • SHA256

      bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

    • SHA512

      99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detected facebook phishing page

    • ElysiumStealer

      ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Turns off Windows Defender SpyNet reporting

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Windows security bypass

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

2
T1059

Persistence

Registry Run Keys / Startup Folder

4
T1060

BITS Jobs

4
T1197

Bootkit

1
T1067

Defense Evasion

Impair Defenses

2
T1562

Disabling Security Tools

12
T1089

Modify Registry

24
T1112

File Permissions Modification

4
T1222

BITS Jobs

4
T1197

Install Root Certificate

4
T1130

File Deletion

4
T1107

Credential Access

Credentials in Files

20
T1081

Discovery

Software Discovery

4
T1518

Query Registry

19
T1012

System Information Discovery

23
T1082

Security Software Discovery

4
T1063

Peripheral Device Discovery

6
T1120

Remote System Discovery

4
T1018

Collection

Data from Local System

20
T1005

Command and Control

Web Service

4
T1102

Impact

Inhibit System Recovery

4
T1490

Tasks

static1

Score
N/A

behavioral1

raccoonredlinesmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euubackdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupx
Score
10/10

behavioral2

raccoonredline9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euudiscoveryevasioninfostealerpersistencestealerupx
Score
10/10

behavioral3

dcratelysiumstealerfickerstealerraccoonredlinexmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral4

dcratfickerstealerredlinexmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral5

redlinesmokeloadervidar1414euubackdoordiscoveryevasioninfostealerpersistencestealertrojanupx
Score
10/10

behavioral6

raccoonredlinesmokeloaderwarzonerat1414euubackdoorfacebookdiscoveryevasioninfostealerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral7

dcratfickerstealerredlinexmrig1414euudiscoveryinfostealerminerpersistencerat
Score
10/10

behavioral8

dcratfickerstealerredlinesmokeloaderxmrig1414backdoordiscoveryinfostealerminerpersistenceratspywarestealertrojan
Score
10/10

behavioral9

raccoonredlinevidarwarzonerat9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euudiscoveryevasioninfostealerpersistenceratspywarestealertrojanupx
Score
10/10

behavioral10

elysiumstealerraccoonredline9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euubootkitdiscoveryevasioninfostealerpersistencespywarestealertrojanupx
Score
10/10

behavioral11

dcratelysiumstealerfickerstealerraccoonredlinevidarxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral12

dcratelysiumstealerfickerstealerraccoonredlinevidarwarzoneratxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral13

raccoonredline9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euudiscoveryinfostealerpersistencestealerupx
Score
10/10

behavioral14

elysiumstealerraccoonredlinesmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euubackdoorfacebookdiscoveryevasioninfostealerpersistencephishingspywarestealertrojanupx
Score
10/10

behavioral15

dcratelysiumstealerfickerstealerraccoonredlinevidarxmrigeuufacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral16

burandcratelysiumstealerfickerstealerraccoonredlinevidarwarzoneratxmrigeuufacebookdiscoveryevasioninfostealerminerpersistencephishingransomwareratspywarestealertrojanupx
Score
10/10

behavioral17

elysiumstealerraccoonredlinesmokeloadervidar14149afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupx
Score
10/10

behavioral18

djvuelysiumstealerraccoonredlinesmokeloadervidarwarzonerat9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoorbootkitfacebookdiscoveryevasioninfostealerpersistencephishingransomwareratspywarestealertrojanupx
Score
10/10

behavioral19

dcratfickerstealerraccoonredlinevidarxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral20

dcratelysiumstealerfickerstealerraccoonredlinevidarwarzoneratxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral21

raccoonredlinesmokeloadervidar9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euubackdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupx
Score
10/10

behavioral22

elysiumstealerraccoonredlinesmokeloadervidarwarzonerat9afb493c6f82d08075dbbfa7d93ce97f1dbf4733backdoorfacebookdiscoveryevasioninfostealerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral23

burandcratfickerstealerraccoonredlinevidarwarzoneratxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingransomwareratspywarestealertrojanupx
Score
10/10

behavioral24

dcratfickerstealerredlinevidarxmrigdiscoveryevasioninfostealerminerpersistenceratstealerupx
Score
10/10

behavioral25

discoveryevasionpersistence
Score
9/10

behavioral26

elysiumstealerraccoonredlinesmokeloadervidarwarzonerat9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euubackdoorfacebookdiscoveryevasioninfostealerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral27

dcratfickerstealerraccoonredlinevidarxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral28

dcratelysiumstealerfickerstealerraccoonredlinevidarxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingratspywarestealertrojanupx
Score
10/10

behavioral29

discoveryevasionpersistence
Score
9/10

behavioral30

raccoonredlinesmokeloader9afb493c6f82d08075dbbfa7d93ce97f1dbf4733euubackdoorfacebookdiscoveryevasioninfostealerpersistencephishingspywarestealertrojanupx
Score
10/10

behavioral31

dcratelysiumstealerfickerstealerraccoonredlinevidarxmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojanupx
Score
10/10

behavioral32

dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojanupx
Score
10/10