Overview

overview

10

Static

static

Setup.exe

windows7_x64

10

Setup.exe

windows10_x64

10

rkill.exe

windows7_x64

10

rkill.exe

windows10_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup.zip

  • Size

    1.4MB

  • Sample

    210811-grwnqbkj3s

  • MD5

    01258eaa51c084ea92b1d48312e06146

  • SHA1

    274d0e2a86fcadb7409e1d442cc5824067e92708

  • SHA256

    a8792f56e1551e5d640be438830297e1e8a2503201e8b41062d4e2ba99131fd9

  • SHA512

    b4467cec707bc6e0c9df4fa6b2ec57551f33a279044af9d1ff0546520b0b97aaa30d858c41908146dc983521689ef48e8649eaa5197cb219da006f9fbbf1a1fa

Score
10/10
gluptebametasploitraccoonredlinesmokeloadervidar83fbe81dd43f775dd8af3cd619f88f428fbd9a96937c8a4bc819c641415a3c45622368953a684036cdbbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupxvmprotect

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

40

Botnet

937

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    937

Extracted

Family

raccoon

Botnet

83fbe81dd43f775dd8af3cd619f88f428fbd9a96

Attributes
  • url4cnc

    https://telete.in/opa4kiprivatem

rc4.plain
rc4.plain

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

raccoon

Botnet

c8a4bc819c641415a3c45622368953a684036cdb

Attributes
  • url4cnc

    https://telete.in/jjbadb0y

rc4.plain
rc4.plain

Targets

    • Target

      Setup.exe

    • Size

      1.6MB

    • MD5

      ce6eaa52767b2df78b34519231966588

    • SHA1

      ab32d09951189022a1a39e9204ec9ce2926b3fcf

    • SHA256

      40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5

    • SHA512

      36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067

    Score
    10/10
    gluptebametasploitraccoonredlinesmokeloadervidar83fbe81dd43f775dd8af3cd619f88f428fbd9a96937backdoordropperevasioninfostealerloaderspywarestealersuricatathemidatrojanc8a4bc819c641415a3c45622368953a684036cdbdiscoverypersistenceupxvmprotect

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • Raccoon Stealer Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE GCleaner Downloader Activity M1

      suricata: ET MALWARE GCleaner Downloader Activity M1

      suricata

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

      suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

      suricata

    • suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

      suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

      suricata

    • suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

      suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

      suricata

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

      suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Nirsoft

    • Vidar Stealer

      stealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      rkill.exe

    • Size

      1.7MB

    • MD5

      6d622dcc87edc9a7b10d35372ade816b

    • SHA1

      47d98825b03c507b85dec02a2297e03ebc925f30

    • SHA256

      d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a

    • SHA512

      ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58

    Score
    10/10
    persistence

    • Modifies system executable filetype association

      persistence

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks