Resubmissions

08-07-2021 11:17

210708-5s29gx8mxn 10

08-07-2021 11:17

210708-lndt9d354a 10

General

  • Target

    Downloads.rar

  • Size

    5.7MB

  • Sample

    210708-lndt9d354a

  • MD5

    d7ac6255dcc76334eb48080563b56cc8

  • SHA1

    b07031f2073b70a91834e9e40e0a4faa35092a81

  • SHA256

    a9db37183a4d7898d4ef820075d9fb5cdef55b47644cc5465b5e012c9a52b2fe

  • SHA512

    f8c3ff7c33d4f8d47074ddc79bc946d962723cf498c4b1ef9f663e7d89e109498336a5206b230c4b4df4d95d2e338468c776ce24eebf82aeb8c55471f863eeff

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

39.4

Botnet

865

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    865

Extracted

Family

redline

Botnet

07_07_r

C2

xtarweanda.xyz:80

Extracted

Family

redline

Botnet

SEL7

C2

kathonaror.xyz:80

Extracted

Family

redline

Botnet

706

C2

edraquakwa.xyz:80

Extracted

Family

redline

Botnet

New

C2

qurigoraka.xyz:80

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    706

Targets

    • Target

      0x00030000000130db-122.exe

    • Size

      345KB

    • MD5

      c6f791cdb3ec5ab080f0d84e9cb1d4eb

    • SHA1

      d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf

    • SHA256

      d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414

    • SHA512

      d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30

    • Target

      0x00030000000130dc-135.exe

    • Size

      680KB

    • MD5

      7837314688b7989de1e8d94f598eb2dd

    • SHA1

      889ae8ce433d5357f8ea2aff64daaba563dc94e3

    • SHA256

      d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247

    • SHA512

      3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      0x00030000000130dd-141.exe

    • Size

      972KB

    • MD5

      5668cb771643274ba2c375ec6403c266

    • SHA1

      dd78b03428b99368906fe62fc46aaaf1db07a8b9

    • SHA256

      d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

    • SHA512

      135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      0x00030000000130de-161.exe

    • Size

      174KB

    • MD5

      f12aa4983f77ed85b3a618f7656807c2

    • SHA1

      ab29f2221d590d03756d89e63cf2802ee31ecbcf

    • SHA256

      5db1d9e50f0e0e0ba0b15920e65a1b9e3b61bcc03d5930870e0b226b600a72e2

    • SHA512

      9074af27996a11e988be7147cf387d8952b515d070ff49fec22f0e5b2d374563204eda56319447d9b5f49f056be1475f0a1a2c501fdf1a769d7d8a8077ccba8b

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      0x00030000000130df-151.exe

    • Size

      773KB

    • MD5

      a0b06be5d5272aa4fcf2261ed257ee06

    • SHA1

      596c955b854f51f462c26b5eb94e1b6161aad83c

    • SHA256

      475d0beeadca13ecdfd905c840297e53ad87731dc911b324293ee95b3d8b700b

    • SHA512

      1eb6b9df145b131d03224e9bb7ed3c6cc87044506d848be14d3e4c70438e575dbbd2a0964b176281b1307469872bd6404873974475cd91eb6f7534d16ceff702

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      0x00030000000130e1-156.exe

    • Size

      380KB

    • MD5

      b0486bfc2e579b49b0cacee12c52469c

    • SHA1

      ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30

    • SHA256

      9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2

    • SHA512

      b7f55e346830e2a2ed99bd57bfd0cb66221675a6b0b23d35e5d7fac5eee0c3dfc771eed5fed410c2063410e048fe41765c880ebf0a48137f9135cf1d65951075

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of SetThreadContext

    • Target

      0x000300000001310b-88.exe

    • Size

      290KB

    • MD5

      843e8bb487aa489044ec65dbb7393105

    • SHA1

      25de66c3300e54b3fe1ddb450c2974a26d2b4b45

    • SHA256

      0379c582a742ae0a4dfb98313d205f3b84fd493388635cefe1ccc0e96d40fb0b

    • SHA512

      2f4ead7d5e44152aeb752e481cda28034d5e8b4c1c92dade0566a519d8ffe2f308f9031ebcc39f042907e509ae2f666e1289b42a9a515b4f4c0a5f30e6d3d80f

    Score
    1/10
    • Target

      0x00040000000130bf-127.exe

    • Size

      686KB

    • MD5

      a957a80658f31c8fc864755deb2a0ca7

    • SHA1

      8692ad674194f0901ee776ba99704f061babda95

    • SHA256

      99117569330d3694ed281e0c5414c23aa33a5eb370494febb267925dd4a62208

    • SHA512

      b46056d3971718a7770fef54d8a2af34363eb2e785f5506e9cb261c331954d12b810e46b297ebb98ccdf7f9bde73290d46491aa7a3276bdef51869651f7105af

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0x00040000000130e0-63.exe

    • Size

      3.1MB

    • MD5

      22b4d432a671c3f71aa1e32065f81161

    • SHA1

      9a18ff96ad8bf0f3133057c8047c10d0d205735e

    • SHA256

      4c61aeec3fa5cbd6e8cd19272d28a1e07a8ac96e3fd8b2343791ed2521dd3028

    • SHA512

      c0af739ec9a93978c8c25ad05a2c0826a8320a9ac007bbd36f6846053bc8d434e23a6edf19d1666767fd7ad404532983604fd7774cf18940f7541616700be523

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder: 2 (T1060)

  • Modify Existing Service: 2 (T1031)

Defense Evasion

  • Modify Registry: 8 (T1112)

  • Install Root Certificate: 4 (T1130)

  • Disabling Security Tools: 2 (T1089)

  • Virtualization/Sandbox Evasion: 2 (T1497)

Credential Access

  • Credentials in Files: 9 (T1081)

Discovery

  • Query Registry: 17 (T1012)

  • Peripheral Device Discovery: 3 (T1120)

  • System Information Discovery: 18 (T1082)

  • Virtualization/Sandbox Evasion: 2 (T1497)

  • Remote System Discovery: 2 (T1018)

Collection

  • Data from Local System: 9 (T1005)

Command and Control

  • Web Service: 3 (T1102)

Tasks

static1

aspackv2
Score
8/10

behavioral1

smokeloader backdoor trojan
Score
10/10

behavioral2

smokeloader backdoor trojan
Score
10/10

behavioral3

Score
10/10

behavioral4

Score
7/10

behavioral5

upx
Score
8/10

behavioral6

upx
Score
8/10

behavioral7

redline discovery infostealer persistence spyware stealer
Score
10/10

behavioral8

redline discovery infostealer persistence spyware stealer
Score
10/10

behavioral9

redline socelars vidar 07_07_r 865 sel7 evasion infostealer stealer themida trojan vmprotect
Score
10/10

behavioral10

glupteba metasploit redline smokeloader socelars vidar 07_07_r 706 865 new sel7 backdoor discovery dropper evasion infostealer loader spyware stealer themida trojan upx vmprotect
Score
10/10

behavioral11

redline servani infostealer
Score
10/10

behavioral12

redline servani infostealer
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

vidar 706 stealer
Score
10/10

behavioral16

vidar 706 discovery spyware stealer
Score
10/10

behavioral17

glupteba metasploit redline smokeloader socelars vidar 706 865 servani aspackv2 backdoor discovery dropper evasion infostealer loader persistence spyware stealer themida trojan upx
Score
10/10

behavioral18

redline smokeloader vidar 706 servani aspackv2 backdoor evasion infostealer persistence stealer themida trojan upx
Score
10/10