Resubmissions

08-07-2021 11:17

210708-5s29gx8mxn 10

08-07-2021 11:17

210708-lndt9d354a 10

General

  • Target

    Downloads.rar

  • Size

    5.7MB

  • Sample

    210708-5s29gx8mxn

  • MD5

    d7ac6255dcc76334eb48080563b56cc8

  • SHA1

    b07031f2073b70a91834e9e40e0a4faa35092a81

  • SHA256

    a9db37183a4d7898d4ef820075d9fb5cdef55b47644cc5465b5e012c9a52b2fe

  • SHA512

    f8c3ff7c33d4f8d47074ddc79bc946d962723cf498c4b1ef9f663e7d89e109498336a5206b230c4b4df4d95d2e338468c776ce24eebf82aeb8c55471f863eeff

Malware Config

Extracted

Family

smokeloader

Version

2020

C2



Extracted

Family

vidar

Version

39.4

Botnet

865

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    865

Extracted

Family

redline

Botnet

SEL7

C2

kathonaror.xyz:80

Extracted

Family

redline

Botnet

706

C2

edraquakwa.xyz:80

Extracted

Family

redline

Botnet

New

C2

qurigoraka.xyz:80

Extracted

Path

C:\_readme.txt

Ransom Note

ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mNr1oio2P6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: helpmanager@airmail.cc Your personal ID: 0315ewgfDdSgcyhrmIFKlwG8I3XxekHbYahiFXX0aowKJPQVTk

Emails

manager@mailtemp.ch

helpmanager@airmail.cc

URLs

https://we.tl/t-mNr1oio2P6

Extracted

Family

redline

Botnet

07_07_r

C2

xtarweanda.xyz:80

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    706

Targets

    • Target

      0x00030000000130db-122.exe

    • Size

      345KB

    • MD5

      c6f791cdb3ec5ab080f0d84e9cb1d4eb

    • SHA1

      d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf

    • SHA256

      d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414

    • SHA512

      d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

    • Target

      0x00030000000130dc-135.exe

    • Size

      680KB

    • MD5

      7837314688b7989de1e8d94f598eb2dd

    • SHA1

      889ae8ce433d5357f8ea2aff64daaba563dc94e3

    • SHA256

      d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247

    • SHA512

      3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      0x00030000000130dd-141.exe

    • Size

      972KB

    • MD5

      5668cb771643274ba2c375ec6403c266

    • SHA1

      dd78b03428b99368906fe62fc46aaaf1db07a8b9

    • SHA256

      d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

    • SHA512

      135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      0x00030000000130de-161.exe

    • Size

      174KB

    • MD5

      f12aa4983f77ed85b3a618f7656807c2

    • SHA1

      ab29f2221d590d03756d89e63cf2802ee31ecbcf

    • SHA256

      5db1d9e50f0e0e0ba0b15920e65a1b9e3b61bcc03d5930870e0b226b600a72e2

    • SHA512

      9074af27996a11e988be7147cf387d8952b515d070ff49fec22f0e5b2d374563204eda56319447d9b5f49f056be1475f0a1a2c501fdf1a769d7d8a8077ccba8b

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      0x00030000000130df-151.exe

    • Size

      773KB

    • MD5

      a0b06be5d5272aa4fcf2261ed257ee06

    • SHA1

      596c955b854f51f462c26b5eb94e1b6161aad83c

    • SHA256

      475d0beeadca13ecdfd905c840297e53ad87731dc911b324293ee95b3d8b700b

    • SHA512

      1eb6b9df145b131d03224e9bb7ed3c6cc87044506d848be14d3e4c70438e575dbbd2a0964b176281b1307469872bd6404873974475cd91eb6f7534d16ceff702

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      0x00030000000130e1-156.exe

    • Size

      380KB

    • MD5

      b0486bfc2e579b49b0cacee12c52469c

    • SHA1

      ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30

    • SHA256

      9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2

    • SHA512

      b7f55e346830e2a2ed99bd57bfd0cb66221675a6b0b23d35e5d7fac5eee0c3dfc771eed5fed410c2063410e048fe41765c880ebf0a48137f9135cf1d65951075

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of SetThreadContext

    • Target

      0x000300000001310b-88.exe

    • Size

      290KB

    • MD5

      843e8bb487aa489044ec65dbb7393105

    • SHA1

      25de66c3300e54b3fe1ddb450c2974a26d2b4b45

    • SHA256

      0379c582a742ae0a4dfb98313d205f3b84fd493388635cefe1ccc0e96d40fb0b

    • SHA512

      2f4ead7d5e44152aeb752e481cda28034d5e8b4c1c92dade0566a519d8ffe2f308f9031ebcc39f042907e509ae2f666e1289b42a9a515b4f4c0a5f30e6d3d80f

    Score
    1/10
    • Target

      0x00040000000130bf-127.exe

    • Size

      686KB

    • MD5

      a957a80658f31c8fc864755deb2a0ca7

    • SHA1

      8692ad674194f0901ee776ba99704f061babda95

    • SHA256

      99117569330d3694ed281e0c5414c23aa33a5eb370494febb267925dd4a62208

    • SHA512

      b46056d3971718a7770fef54d8a2af34363eb2e785f5506e9cb261c331954d12b810e46b297ebb98ccdf7f9bde73290d46491aa7a3276bdef51869651f7105af

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0x00040000000130e0-63.exe

    • Size

      3.1MB

    • MD5

      22b4d432a671c3f71aa1e32065f81161

    • SHA1

      9a18ff96ad8bf0f3133057c8047c10d0d205735e

    • SHA256

      4c61aeec3fa5cbd6e8cd19272d28a1e07a8ac96e3fd8b2343791ed2521dd3028

    • SHA512

      c0af739ec9a93978c8c25ad05a2c0826a8320a9ac007bbd36f6846053bc8d434e23a6edf19d1666767fd7ad404532983604fd7774cf18940f7541616700be523

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (5) T1060
  • Bootkit (1) T1067
  • Modify Existing Service (4) T1031
  • New Service (2) T1050
  • BITS Jobs (2) T1197

Privilege Escalation

  • New Service (2) T1050

Defense Evasion

  • File Permissions Modification (3) T1222
  • Modify Registry (14) T1112
  • Install Root Certificate (6) T1130
  • Disabling Security Tools (3) T1089
  • Virtualization/Sandbox Evasion (2) T1497
  • BITS Jobs (2) T1197

Credential Access

  • Credentials in Files (12) T1081

Discovery

  • System Information Discovery (21) T1082
  • Query Registry (19) T1012
  • Peripheral Device Discovery (3) T1120
  • Software Discovery (1) T1518
  • Virtualization/Sandbox Evasion (2) T1497
  • Security Software Discovery (1) T1063
  • Remote System Discovery (2) T1018

Collection

  • Data from Local System (12) T1005

Command and Control

  • Web Service (3) T1102

Tasks

static1
  Tags: aspackv2
  Score: 8/10

behavioral1
  Tags: smokeloader, backdoor, bootkit, discovery, persistence, trojan
  Score: 10/10

behavioral2
  Tags: smokeloader, backdoor, trojan
  Score: 10/10

behavioral3
  Score: 10/10

behavioral4
  Score: 7/10

behavioral5
  Tags: upx
  Score: 8/10

behavioral6
  Tags: upx
  Score: 8/10

behavioral7
  Tags: redline, discovery, infostealer, persistence, spyware, stealer
  Score: 10/10

behavioral8
  Tags: redline, discovery, infostealer, persistence, spyware, stealer
  Score: 10/10

behavioral9
  Tags: redline, socelars, vidar, 706, 865, new, sel7, discovery, evasion, infostealer, persistence, stealer, themida, trojan, vmprotect
  Score: 10/10

behavioral10
  Tags: glupteba, metasploit, raccoon, redline, smokeloader, socelars, tofsee, vidar, 07_07_r, 706, 865, sel7, backdoor, discovery, dropper, evasion, infostealer, loader, persistence, ransomware, spyware, stealer, themida, trojan, upx, vmprotect
  Score: 10/10

behavioral11
  Tags: redline, servani, infostealer
  Score: 10/10

behavioral12
  Tags: redline, servani, infostealer
  Score: 10/10

behavioral13
  Score: 1/10

behavioral14
  Score: 1/10

behavioral15
  Tags: vidar, 706, discovery, spyware, stealer
  Score: 10/10

behavioral16
  Tags: vidar, 706, discovery, spyware, stealer
  Score: 10/10

behavioral17
  Tags: redline, smokeloader, vidar, 706, servani, aspackv2, backdoor, discovery, evasion, infostealer, stealer, trojan, upx
  Score: 10/10

behavioral18
  Tags: redline, smokeloader, socelars, tofsee, vidar, 706, servani, aspackv2, backdoor, discovery, evasion, infostealer, persistence, spyware, stealer, themida, trojan, upx
  Score: 10/10