Overview

overview

10

Static

static

eufive_202...1).exe

windows7_x64

1

eufive_202...1).exe

windows10_x64

1

eufive_202...1).exe

windows7_x64

10

eufive_202...1).exe

windows10_x64

10

eufive_202...41.exe

windows7_x64

10

eufive_202...41.exe

windows10_x64

10

mixazed_20...1).exe

windows7_x64

8

mixazed_20...1).exe

windows10_x64

8

mixazed_20...1).exe

windows7_x64

8

mixazed_20...1).exe

windows10_x64

8

mixazed_20...1).exe

windows7_x64

8

mixazed_20...1).exe

windows10_x64

8

mixsix_202...1).exe

windows7_x64

8

mixsix_202...1).exe

windows10_x64

8

usfive_202...1).exe

windows7_x64

10

usfive_202...1).exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gcleaner 27July.zip

  • Size

    2.8MB

  • Sample

    210727-v21jpeshts

  • MD5

    eef97e21331f6cee5979d4b2ee0d0e58

  • SHA1

    33b83bb71b6045cbcbbbc73b127cf89d11677918

  • SHA256

    3e458be66bcf00d7be180728e6b4abda715cadd1788dbcdbeda322d64b47e999

  • SHA512

    e782528407ef86134d052ad1649c4c7fb9f592b23569c53d3753de16717226e4a596b364cf9d8aed634d5ee93afdb3a7f5625f375d4c5bab63dd3e81434b54a3

Score
10/10
lu0botvidar818discoveryspywarestealersuricatatrojan

Malware Config

Extracted

Family

vidar

Version

39.7

Botnet

818

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    818

Targets

    • Target

      eufive_20210727-123655(1)

    • Size

      3KB

    • MD5

      8705b09520e5b460cdee9b5e9fbba0a0

    • SHA1

      28a6a1ecdd518b457fcfd9cd492c44b91f299cdd

    • SHA256

      2c6a67dfddb50c345b9b168994067d82d126315930c84d00b549dc6a8e8aa711

    • SHA512

      0d77222abf2099fd20847e138d206c609fa383fe6dc7dc1c419017de55dcf1da88df84f91fce5b34ffd4a756c1820b653400fbf6139d389ff63f6aa79dc8c7ac

    Score
    1/10
    behavioral1behavioral2

    • Target

      eufive_20210727-125230(1)

    • Size

      3KB

    • MD5

      a761191fcfbb734c45f3d7ba61d2ccde

    • SHA1

      3d37da91baf133d14e746d85cc9d8197d78cd0b9

    • SHA256

      545b3f1af9322de70ef2b27c9b383be4f6c22f508320d55d4b3787cc0eebce50

    • SHA512

      6add2e95ba16cac3ffc60697df7df9ba30b437aed94a1593bce7808ae686f980792a7327e8a204e40ba149b9d42045a3952ba1e32b0a5f24a0d3e38488f8a6ed

    Score
    10/10
    lu0botdiscoverystealersuricatatrojan

    • Lu0bot

      Lu0bot is a lightweight infostealer written in NodeJS.

      trojanstealerlu0bot

    • suricata: ET MALWARE lu0bot Loader HTTP Request

      suricata

    • suricata: ET MALWARE lu0bot Loader HTTP Response

      suricata

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery
    behavioral3behavioral4

    • Target

      eufive_20210727-174641

    • Size

      3KB

    • MD5

      13e7feb9430554945b5aa4f6b5524d66

    • SHA1

      3d644cfe881c9c5e80f94f0173dc3fa3169e145b

    • SHA256

      bf44cfa6534d38b172ea611502230f1978f26a28cb1b510ed1c2cd6bd15f007f

    • SHA512

      271912df0b8a74a9081a1c3457ac4290c19cd88ade2d42a48683d187aea9391c3fa6505154dcfa15358c3ca273c2203548c3d579dad0b4d063fd91d72bf4cc08

    Score
    10/10
    lu0botdiscoverystealersuricatatrojan

    • Lu0bot

      Lu0bot is a lightweight infostealer written in NodeJS.

      trojanstealerlu0bot

    • suricata: ET MALWARE lu0bot Loader HTTP Request

      suricata

    • suricata: ET MALWARE lu0bot Loader HTTP Response

      suricata

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery
    behavioral5behavioral6

    • Target

      mixazed_20210727-123659(1)

    • Size

      587KB

    • MD5

      cf0e22b94c52719fe9ea4bf41a78bacd

    • SHA1

      b3065e236f7084da9648fd6e7d835746b9697ef7

    • SHA256

      29f1fb21f3d56e989819a03d69270f700adcc6112f15d63c61bc8b950d08bfbd

    • SHA512

      4174f0b3f45b49cbdc84bedddc18b108394a08d46bbfa6271999d1156ddb9689967742abb63ebdf1de44d3494a832f5afcc7d4d45585bf991028c95406791f82

    Score
    8/10
    discoveryspywarestealer

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral7behavioral8

    • Target

      mixazed_20210727-132631(1)

    • Size

      587KB

    • MD5

      245892804c29606229b19495b5821203

    • SHA1

      9cba70fd93c62a836473acec047a5e564eb20279

    • SHA256

      6e42f1d40f5b6081f5fcf108855ea6d41ff66f2d2f29a0116d8bef13511a2d0c

    • SHA512

      382d29e1031c1681bc68198bad432698daea1bc46a43a599f19c43bbbb42566c3109b74f4fc4b234ff82d8ecf856ef4907d3dca40f53357f827d475b7d79b8b8

    Score
    8/10
    discoveryspywarestealer

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral9behavioral10

    • Target

      mixazed_20210727-134206(1)

    • Size

      586KB

    • MD5

      f41543a644518a10310dc1ad0f426a2f

    • SHA1

      ff264d3050f0ba4b051297436d179f8ae085f0dd

    • SHA256

      4cadd46b6ff2ab3dc1ebcf6687480e22da27c4b44902a9d13d3a0c7454b6c854

    • SHA512

      f2b95fd006cb9b77bd0c820158bf39d32f983fbffac86defa662c5430e3db8c789aa69a7593aa9a26c9737066e8b55a550b83f66231d5b816c7523e4bf67194e

    Score
    8/10
    discoveryspywarestealer

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral11behavioral12

    • Target

      mixsix_20210727-190432(1)

    • Size

      1.2MB

    • MD5

      a534cfd4be201d21fadbf222466b4bca

    • SHA1

      ff937711252ca8b2394cb8baa29573de74b6c337

    • SHA256

      c62ad002abbd09658ffd493be169df816d4432bdcbb4f34e054cbf8615c26308

    • SHA512

      4f6ca1ab46ffa09d4c45af46670de439b06e534e179b65b6c3a9f5be444784db8845f2646302efd900bc7c5dab638da9f0078cf0f13912260d832ceb0c8c1e2d

    Score
    8/10
    discoveryspywarestealer

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      usfive_20210727-123716(1)

    • Size

      665KB

    • MD5

      47753a43e07b40887ebb2ebe814ef4f0

    • SHA1

      3f7dbd5d3407b7250bf0cc9a2c8dc83167c209be

    • SHA256

      38dabf5820cdd270c14b0157c883e2e53f38bc24824e66948dad824d7b077de1

    • SHA512

      b6c62d1c5c809027433380ae8186300ef0f2b6b2fa8e79a581f4575020c4feadfce000a65e7d5f4c7d25051e79b4908dfbc7f48598a03e5142ff1f97cfdccf32

    Score
    10/10
    vidar818discoveryspywarestealersuricata

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral15behavioral16

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
N/A

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

lu0botdiscoverystealersuricatatrojan
Score
10/10

behavioral4

lu0botdiscoverystealersuricatatrojan
Score
10/10

behavioral5

lu0botdiscoverystealersuricatatrojan
Score
10/10

behavioral6

lu0botdiscoverystealersuricatatrojan
Score
10/10

behavioral7

discoveryspywarestealer
Score
8/10

behavioral8

discoveryspywarestealer
Score
8/10

behavioral9

discoveryspywarestealer
Score
8/10

behavioral10

discoveryspywarestealer
Score
8/10

behavioral11

discoveryspywarestealer
Score
8/10

behavioral12

discoveryspywarestealer
Score
8/10

behavioral13

discoveryspywarestealer
Score
8/10

behavioral14

discoveryspywarestealer
Score
8/10

behavioral15

vidar818discoveryspywarestealersuricata
Score
10/10

behavioral16

vidar818discoveryspywarestealersuricata
Score
10/10