General

  • Target: 1.zip
  • Size: 9.4MB
  • Sample: 210701-bs4vxadwn2
  • MD5: c419ccbf50da7d51e3653cef9e0d12f9
  • SHA1: 321c59b811bcd2b690ca4302e6b8cf638a4a6040
  • SHA256: 3730331af3c27626d8e2074e29aa6c184776c61d07f56eff6a44e2a528c8c487
  • SHA512: 6207298e095aadd5ca77183c8d260f286b32f43f2be3286b3cc7421e6e8cb1e8ec24be04700604a34ad809a05ad02cd6901e73567a9527064d955769a21016ef

Malware Config

Extracted
  • Family: redline
  • Botnet: 18_6_bl_84s7
  • C2: qitoshalan.xyz:80

Extracted
  • Family: vidar
  • Version: 39.4
  • Botnet: 890
  • C2: https://sergeevih43.tumblr.com
  • Attributes
      profile_id: 890

Extracted
  • Family: fickerstealer
  • C2: game2030.site:80

Extracted
  • Family: cryptbot
  • C2: xeibmh42.top, mororx04.top
  • Attributes
      payload_url: http://lopcpd05.top/download.php?file=lv.exe

Extracted
  • Family: redline
  • Botnet: MIX 01.07
  • C2: 185.215.113.17:18597

Extracted
  • Family: asyncrat
  • Version: 0.5.7B
  • C2: marcelajarakmisdhuakfsg.duckdns.org:5020
  • Mutex: AsyncMutex_6SI8OkPnk
  • Attributes
      aes_key: P46q6agnmY2Ylpj71o7G1ATzxhUTccsn
      anti_detection: false
      autorun: false
      bdos: false
      delay: Default
      host: marcelajarakmisdhuakfsg.duckdns.org
      hwid: 3
      install_file:
      install_folder: %AppData%
      mutex: AsyncMutex_6SI8OkPnk
      pastebin_config: null
      port: 5020
      version: 0.5.7B
  • aes.plain

Extracted
  • Family: metasploit
  • Version: windows/single_exec

Extracted
  • Family: remcos
  • Version: 3.1.2 Pro
  • Botnet: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZREMIX
  • C2: dominoduck2117.duckdns.org:9804
  • Attributes
      audio_folder: MicRecords
      audio_path: %AppData%
      audio_record_time: 5
      connect_delay: 0
      connect_interval: 1
      copy_file: remcos.exe
      copy_folder: Remcos
      delete_file: false
      hide_file: false
      hide_keylog_file: false
      install_flag: false
      install_path: %AppData%
      keylog_crypt: false
      keylog_file: data.dat
      keylog_flag: false
      keylog_folder: Appdata
      keylog_path: %AppData%
      mouse_option: false
      mutex: Remcos-NHNHBD
      screenshot_crypt: false
      screenshot_flag: false
      screenshot_folder: Screenshots
      screenshot_path: %AppData%
      screenshot_time: 10
      startup_value: Remcos
      take_screenshot_option: false
      take_screenshot_time: 5
      take_screenshot_title: wikipedia;solitaire;

Extracted
  • Family: vidar
  • Version: 39.4
  • Botnet: 517
  • C2: https://sergeevih43.tumblr.com
  • Attributes
      profile_id: 517

Targets

  • Target: 742ad3be42f5023d4fbd854fa6f1eb80054b94d537aaa32e7d7ae1db6dd6683e
  • Size: 3.1MB
  • MD5: ce7931866cf54b812ea1b2f40720eb41
  • SHA1: 0df4808c44fe7ec98d458ad1155fbbef9282960b
  • SHA256: 742ad3be42f5023d4fbd854fa6f1eb80054b94d537aaa32e7d7ae1db6dd6683e
  • SHA512: c3beab8c016907d32775be5096b65082d4bcd0969f120d2940ecc6fb2a846a9293b52d5c2f60baa8027d58a6e120033ba9dc5485664ec5840bd25aa647fa069d

    Signatures
    • CryptBot
      A C++ stealer widely distributed in bundles with other software.
    • CryptBot Payload
    • ElysiumStealer
      ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
    • Fickerstealer
      Ficker is an infostealer written in Rust and ASM.
    • Raccoon
      Simple but powerful infostealer which was very active in 2019.
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine Payload
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Vidar
      Vidar is an infostealer based on Arkei stealer.
    • Vidar Stealer
    • Downloads MZ/PE file
    • Executes dropped EXE
    • UPX packed file
      Detects executables packed with the UPX or modified UPX open-source packer.
    • VMProtect packed file
      Detects executables packed with the VMProtect commercial packer.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Loads dropped DLL
    • Reads local data of messenger clients
      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses 2FA software files, possible credential harvesting
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Checks whether UAC is enabled
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • autoit_exe
      AutoIT scripts compiled to PE executables.

  • Target: 8b388efb71328e18ee3dd5b4c932387ddad5ee79b595751a79fe535533e2c4ed
  • Size: 849KB
  • MD5: 8596052f4363bb3e6a757b49d0a6bc4e
  • SHA1: 46c12679779db95009223d3a21ca13fc0dc4bb0b
  • SHA256: 8b388efb71328e18ee3dd5b4c932387ddad5ee79b595751a79fe535533e2c4ed
  • SHA512: 5d4235863c87dba5d044e019b2832783775440bc60849b901e683281f77ca26cfafbce3e384fc26448325a8157d058fe58cfa808bf60c6cea9a41841f54f29b7
  • Score: 10/10

    Signatures
    • AsyncRat
      AsyncRAT is designed to remotely monitor and control other computers.
    • Async RAT payload
    • Suspicious use of SetThreadContext

  • Target: bce6f763f3239bc692f34f9d6f92d6d8df6335456296940f3fe36d140818fccf
  • Size: 4.5MB
  • MD5: 25b0a9971369d767f9316067b35ef3b7
  • SHA1: 404da37439348011195d43554a9ff3fe99cc530f
  • SHA256: bce6f763f3239bc692f34f9d6f92d6d8df6335456296940f3fe36d140818fccf
  • SHA512: 661f194cd158721cad97635503fa71a3754d94c63c9354f19b6f1efb5941421c95a8d89dde3eb7798fe6c2f9657673a18fdc4eb845211a55524355b2c09c03f6

    Signatures
    • Glupteba
      Glupteba is a modular loader written in Golang with various components.
    • Glupteba Payload
    • MetaSploit
      Detected a malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
    • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Target: d380178c93ba5b323f915df1d3f0ab7953630bdd502b699093874cae4b581d40
  • Size: 1.2MB
  • MD5: 953bf44c0a25a64d66503833e668e12e
  • SHA1: 721b2d4aac669b9ee36a7f91cf30c6ebef4a5252
  • SHA256: d380178c93ba5b323f915df1d3f0ab7953630bdd502b699093874cae4b581d40
  • SHA512: c183386239dc2f5c7e22255199b3bef3a2c577acf4cd48e6d2f1fc4cf16e98f42adb8cf77ffb6ebc7de20e64f7097a013e886c6eb4d11a2f1758b224f4cc5c57

    Signatures
    • Remcos
      Remcos is a closed-source remote control and surveillance software.
    • Suspicious use of SetThreadContext

  • Target: ea7a287a8e15a510ef664a89ee62c1b08585573d2f6d6ba8fcd3c5e66f16a16d
  • Size: 836KB
  • MD5: de83876d36914f7a659a088bf267555e
  • SHA1: ace23ab6e4f441cc8bfac4455db181bc1adc295d
  • SHA256: ea7a287a8e15a510ef664a89ee62c1b08585573d2f6d6ba8fcd3c5e66f16a16d
  • SHA512: f7a49629aee52f24ddef81e8f2927d99409ecf796a9393517876549950df3474ebb61f2f30b58a55dc2d947de43feabb81c7a8b3789ccb45b438eaefd7a9bedd

    Signatures
    • Vidar
      Vidar is an infostealer based on Arkei stealer.
    • Vidar Stealer
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies file permissions
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses 2FA software files, possible credential harvesting
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scheduled Task: T1053 (2)

Persistence
  • Registry Run Keys / Startup Folder: T1060 (2)
  • Scheduled Task: T1053 (2)

Privilege Escalation
  • Scheduled Task: T1053 (2)

Defense Evasion
  • Modify Registry: T1112 (5)
  • Install Root Certificate: T1130 (2)
  • File Permissions Modification: T1222 (1)

Credential Access
  • Credentials in Files: T1081 (8)

Discovery
  • Query Registry: T1012 (5)
  • System Information Discovery: T1082 (8)
  • Remote System Discovery: T1018 (1)

Collection
  • Data from Local System: T1005 (8)

Command and Control
  • Web Service: T1102 (1)

Tasks

static1
  Score: N/A

behavioral1
  cryptbot, fickerstealer, redline, vidar, 18_6_bl_84s7, 890, mix 01.07, discovery, evasion, infostealer, persistence, spyware, stealer, trojan, upx, vmprotect
  Score: 10/10

behavioral2
  cryptbot, elysiumstealer, fickerstealer, raccoon, redline, vidar, 18_6_bl_84s7, 890, discovery, infostealer, persistence, spyware, stealer, upx, vmprotect
  Score: 10/10

behavioral3
  asyncrat, rat
  Score: 10/10

behavioral4
  asyncrat, rat
  Score: 10/10

behavioral5
  glupteba, metasploit, backdoor, dropper, loader, trojan
  Score: 10/10

behavioral6
  glupteba, metasploit, backdoor, dropper, loader, trojan
  Score: 10/10

behavioral7
  remcos, zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzremix, rat
  Score: 10/10

behavioral8
  remcos, zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzremix, rat
  Score: 10/10

behavioral9
  vidar, 517, discovery, persistence, spyware, stealer
  Score: 10/10

behavioral10
  vidar, 517, discovery, persistence, spyware, stealer
  Score: 10/10