General
-
Target
Setup.zip
-
Size
1.4MB
-
Sample
210811-grwnqbkj3s
-
MD5
01258eaa51c084ea92b1d48312e06146
-
SHA1
274d0e2a86fcadb7409e1d442cc5824067e92708
-
SHA256
a8792f56e1551e5d640be438830297e1e8a2503201e8b41062d4e2ba99131fd9
-
SHA512
b4467cec707bc6e0c9df4fa6b2ec57551f33a279044af9d1ff0546520b0b97aaa30d858c41908146dc983521689ef48e8649eaa5197cb219da006f9fbbf1a1fa
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
rkill.exe
Resource
win7v20210410
Behavioral task
behavioral4
Sample
rkill.exe
Resource
win10v20210410
Malware Config
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
vidar
40
937
https://lenak513.tumblr.com/
-
profile_id
937
Extracted
raccoon
83fbe81dd43f775dd8af3cd619f88f428fbd9a96
-
url4cnc
https://telete.in/opa4kiprivatem
Extracted
http://91.241.19.52/Api/GetFile2
Extracted
raccoon
c8a4bc819c641415a3c45622368953a684036cdb
-
url4cnc
https://telete.in/jjbadb0y
Targets
-
-
Target
Setup.exe
-
Size
1.6MB
-
MD5
ce6eaa52767b2df78b34519231966588
-
SHA1
ab32d09951189022a1a39e9204ec9ce2926b3fcf
-
SHA256
40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
-
SHA512
36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon Stealer Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M1
-
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
CustAttr .NET packer
Detects CustAttr .NET packer in memory.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
rkill.exe
-
Size
1.7MB
-
MD5
6d622dcc87edc9a7b10d35372ade816b
-
SHA1
47d98825b03c507b85dec02a2297e03ebc925f30
-
SHA256
d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a
-
SHA512
ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58
Score10/10-
Modifies system executable filetype association
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Loads dropped DLL
-
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1