gcleaner 27July.zip

General

Target: gcleaner 27July.zip
Size: 2MB
Sample: 210727-v21jpeshts
Score: 10/10
MD5: eef97e21331f6cee5979d4b2ee0d0e58
SHA1: 33b83bb71b6045cbcbbbc73b127cf89d11677918
SHA256: 3e458be66bcf00d7be180728e6b4abda715cadd1788dbcdbeda322d64b47e999
SHA512: e782528407ef86134d052ad1649c4c7fb9f592b23569c53d3753de16717226e4a596b364cf9d8aed634d5ee93afdb3a7f5625f375d4c5bab63dd3e81434b54a3

Malware Config

Extracted

Family: vidar
Version: 39.7
Botnet: 818
C2: https://shpak125.tumblr.com/

Attributes

profile_id: 818
Targets

Target: eufive_20210727-123655(1)
MD5: 8705b09520e5b460cdee9b5e9fbba0a0
Filesize: 3KB
Score: 1/10
SHA1: 28a6a1ecdd518b457fcfd9cd492c44b91f299cdd
SHA256: 2c6a67dfddb50c345b9b168994067d82d126315930c84d00b549dc6a8e8aa711
SHA512: 0d77222abf2099fd20847e138d206c609fa383fe6dc7dc1c419017de55dcf1da88df84f91fce5b34ffd4a756c1820b653400fbf6139d389ff63f6aa79dc8c7ac

Related Tasks

Target: eufive_20210727-125230(1)
MD5: a761191fcfbb734c45f3d7ba61d2ccde
Filesize: 3KB
Score: 10/10
SHA1: 3d37da91baf133d14e746d85cc9d8197d78cd0b9
SHA256: 545b3f1af9322de70ef2b27c9b383be4f6c22f508320d55d4b3787cc0eebce50
SHA512: 6add2e95ba16cac3ffc60697df7df9ba30b437aed94a1593bce7808ae686f980792a7327e8a204e40ba149b9d42045a3952ba1e32b0a5f24a0d3e38488f8a6ed

Signatures

  • Lu0bot
    Description: Lu0bot is a lightweight infostealer written in NodeJS.

  • suricata: ET MALWARE lu0bot Loader HTTP Request

  • suricata: ET MALWARE lu0bot Loader HTTP Response

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions
    TTPs: File Permissions Modification

Related Tasks

Target: eufive_20210727-174641
MD5: 13e7feb9430554945b5aa4f6b5524d66
Filesize: 3KB
Score: 10/10
SHA1: 3d644cfe881c9c5e80f94f0173dc3fa3169e145b
SHA256: bf44cfa6534d38b172ea611502230f1978f26a28cb1b510ed1c2cd6bd15f007f
SHA512: 271912df0b8a74a9081a1c3457ac4290c19cd88ade2d42a48683d187aea9391c3fa6505154dcfa15358c3ca273c2203548c3d579dad0b4d063fd91d72bf4cc08

Signatures

  • Lu0bot
    Description: Lu0bot is a lightweight infostealer written in NodeJS.

  • suricata: ET MALWARE lu0bot Loader HTTP Request

  • suricata: ET MALWARE lu0bot Loader HTTP Response

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions
    TTPs: File Permissions Modification

Related Tasks

Target: mixazed_20210727-123659(1)
MD5: cf0e22b94c52719fe9ea4bf41a78bacd
Filesize: 587KB
Score: 8/10
SHA1: b3065e236f7084da9648fd6e7d835746b9697ef7
SHA256: 29f1fb21f3d56e989819a03d69270f700adcc6112f15d63c61bc8b950d08bfbd
SHA512: 4174f0b3f45b49cbdc84bedddc18b108394a08d46bbfa6271999d1156ddb9689967742abb63ebdf1de44d3494a832f5afcc7d4d45585bf991028c95406791f82

Signatures

  • Downloads MZ/PE file

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of local email clients
    Description: Email clients store some user data on disk, where infostealers often target it.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials, etc.
    TTPs: Data from Local System; Credentials in Files

  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

Related Tasks

Target: mixazed_20210727-132631(1)
MD5: 245892804c29606229b19495b5821203
Filesize: 587KB
Score: 8/10
SHA1: 9cba70fd93c62a836473acec047a5e564eb20279
SHA256: 6e42f1d40f5b6081f5fcf108855ea6d41ff66f2d2f29a0116d8bef13511a2d0c
SHA512: 382d29e1031c1681bc68198bad432698daea1bc46a43a599f19c43bbbb42566c3109b74f4fc4b234ff82d8ecf856ef4907d3dca40f53357f827d475b7d79b8b8

Signatures

  • Downloads MZ/PE file

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of local email clients
    Description: Email clients store some user data on disk, where infostealers often target it.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials, etc.
    TTPs: Data from Local System; Credentials in Files

  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

Related Tasks

Target: mixazed_20210727-134206(1)
MD5: f41543a644518a10310dc1ad0f426a2f
Filesize: 586KB
Score: 8/10
SHA1: ff264d3050f0ba4b051297436d179f8ae085f0dd
SHA256: 4cadd46b6ff2ab3dc1ebcf6687480e22da27c4b44902a9d13d3a0c7454b6c854
SHA512: f2b95fd006cb9b77bd0c820158bf39d32f983fbffac86defa662c5430e3db8c789aa69a7593aa9a26c9737066e8b55a550b83f66231d5b816c7523e4bf67194e

Signatures

  • Downloads MZ/PE file

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of local email clients
    Description: Email clients store some user data on disk, where infostealers often target it.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials, etc.
    TTPs: Data from Local System; Credentials in Files

  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

Related Tasks

Target: mixsix_20210727-190432(1)
MD5: a534cfd4be201d21fadbf222466b4bca
Filesize: 1MB
Score: 8/10
SHA1: ff937711252ca8b2394cb8baa29573de74b6c337
SHA256: c62ad002abbd09658ffd493be169df816d4432bdcbb4f34e054cbf8615c26308
SHA512: 4f6ca1ab46ffa09d4c45af46670de439b06e534e179b65b6c3a9f5be444784db8845f2646302efd900bc7c5dab638da9f0078cf0f13912260d832ceb0c8c1e2d

Signatures

  • Downloads MZ/PE file

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of local email clients
    Description: Email clients store some user data on disk, where infostealers often target it.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials, etc.
    TTPs: Data from Local System; Credentials in Files

  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

  • Suspicious use of SetThreadContext

Related Tasks

Target: usfive_20210727-123716(1)
MD5: 47753a43e07b40887ebb2ebe814ef4f0
Filesize: 665KB
Score: 10/10
SHA1: 3f7dbd5d3407b7250bf0cc9a2c8dc83167c209be
SHA256: 38dabf5820cdd270c14b0157c883e2e53f38bc24824e66948dad824d7b077de1
SHA512: b6c62d1c5c809027433380ae8186300ef0f2b6b2fa8e79a581f4575020c4feadfce000a65e7d5f4c7d25051e79b4908dfbc7f48598a03e5142ff1f97cfdccf32

Signatures

  • Vidar
    Description: Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • Vidar Stealer

  • Downloads MZ/PE file

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials, etc.
    TTPs: Data from Local System; Credentials in Files

  • Accesses 2FA software files, possible credential harvesting
    TTPs: Data from Local System; Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting
    TTPs: Data from Local System; Credentials in Files

  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

Related Tasks

MITRE ATT&CK Matrix

Tactics: Command and Control, Credential Access, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 1/10
behavioral2: 1/10
behavioral7: 8/10
behavioral8: 8/10
behavioral9: 8/10
behavioral10: 8/10
behavioral11: 8/10
behavioral12: 8/10
behavioral13: 8/10
behavioral14: 8/10