General

  • Target

    2021-07-25.zip

  • Size

    90.2MB

  • Sample

    210812-lfwqlzmgsn

  • MD5

    a39f8cc07a7b3c6db1cfaad3e4b3383e

  • SHA1

    8e7aeba56e32a4301bd1eb633ee1514e9d26a711

  • SHA256

    bbdfbae01162597428b8a4538245e09cb393945a54bea8cea69d6307ab60fe43

  • SHA512

    93186a07eb3aae69a12763a2e52212472ed42ad1110018ee6110e6be0b9d2312508e80c4f9383f0adc1a0c9c0eef1b99a2cf51ee81de8edbb74e3c89864b175d

Malware Config

Extracted

  • Family: pony
  • C2: http://afobal.cl/mine/gate.php
  • Attributes
      payload_url: http://myp0nysite.ru/shit.exe

Extracted

  • Family: oski
  • C2: aegismd.ca/cgi/

Extracted

  • Family: agenttesla
  • Credentials
      Protocol: smtp
      Host: webmail.ombakparadise.com
      Port: 587
      Username: [email protected]
      Password: ce$%^mirah

Extracted

  • Family: raccoon
  • Botnet: e593428d572f64087cbbaacf2f970ff1f26a86b7
  • Attributes
      url4cnc: https://telete.in/opa4kiprivatem
      rc4.plain
      rc4.plain

Extracted

  • Family: lokibot
  • C2:
      http://rnofinancial.com.au/wp01/five/fre.php
      http://kbfvzoboss.bid/alien/fre.php
      http://alphastand.trade/alien/fre.php
      http://alphastand.win/alien/fre.php
      http://alphastand.top/alien/fre.php

Extracted

  • Family: redline
  • C2: 193.56.146.60:51431

Extracted

  • Family: redline
  • Botnet: 26.07
  • C2: 185.215.113.15:61506

Extracted

  • Family: redline
  • Botnet: SewPalpadin
  • C2: 185.215.113.114:8887

Targets

    • Target

      00c50c96fd2b57f718d98eb68cbcfa47c01f585a05babdf1b2cbf8c6491cd39a.exe

    • Size

      492KB

    • MD5

      b53b50b3e0463aa12561ed9bbe79d0c7

    • SHA1

      a841c492247ed3c9f74a71f319954e2a6da33a90

    • SHA256

      00c50c96fd2b57f718d98eb68cbcfa47c01f585a05babdf1b2cbf8c6491cd39a

    • SHA512

      47037e1e022b14a92ffdaf5a78a5c271276f2916d67bc77818c61b7c291a74f832240fe328a4c1663fc8295a0ed7027597e19c766af772bafb73e14c381bfcfb

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Raccoon Stealer Payload

    • Target

      024bf5f59189e5578dabdef60f55f1675f6563ba9f3cc028397596c0b3a58ce8.elf

    • Size

      82KB

    • MD5

      4ca737c5620dd9cbbcb53d2d9dfa83b2

    • SHA1

      1c0623ae4e0c5bd95107934e1939b60ab097a216

    • SHA256

      024bf5f59189e5578dabdef60f55f1675f6563ba9f3cc028397596c0b3a58ce8

    • SHA512

      7b2795fe42bf1b484084fe9f27658abd6cf7ec4aacb14a2da6163e97715ae22f06277fb237a2c65c92916e81a363f8274c22699db6ae7e93d47b753791bf45b5

    Score
    1/10
    • Target

      05a6f0219a5a1d798e6765a35d9e6c03160fb0153dcedec3b090e8237a1f8937.exe

    • Size

      992KB

    • MD5

      22b3832571cf3a8d67d972e318c3b30c

    • SHA1

      3beeef7f246cbc69844de14fb737a0cc10708881

    • SHA256

      05a6f0219a5a1d798e6765a35d9e6c03160fb0153dcedec3b090e8237a1f8937

    • SHA512

      241a44c324eb547e72aef055f82074f0d0cb118e45514efb532ae45a90f99025d9f6a6e21a36fbd1ff6b974f43abb10aaafd990d4c97fceda8a3570492380bb6

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Suspicious use of SetThreadContext

    • Target

      07a5d8fbad6ee496b8ff07c1e8085a92a892b2788c5fa2a5d7e599080b6fd532.elf

    • Size

      89KB

    • MD5

      b6cc1d875a376de217f1d8f3f8e9ae4e

    • SHA1

      d9b3ac59fe91b10619ece637287d61f8d3257946

    • SHA256

      07a5d8fbad6ee496b8ff07c1e8085a92a892b2788c5fa2a5d7e599080b6fd532

    • SHA512

      eb1daa441d99122b7a91cd82e8500b2d9443ed56456525f80db255f037162becf556c5e858e213f3554fb365885ad6a1bb8077ac178133424ee76b24777f87d1

    Score
    1/10
    • Target

      07f22e9c1e4b0a1fadcbc9c8e5fd33f396f4415fe88901bab89756521d765809.elf

    • Size

      66KB

    • MD5

      fadd45ac0861382c0451c23160a9eb40

    • SHA1

      a1dd02367ea66751e6e94a557400304ae565833a

    • SHA256

      07f22e9c1e4b0a1fadcbc9c8e5fd33f396f4415fe88901bab89756521d765809

    • SHA512

      7fb705266db977a61f096de56218e1b6f00974fad28bea7abe0ad360c6ce506aa86a3a244e6a75b4d84e3c468a6a71f111d9adeb5f67e51fd86d5ab78109954c

    Score
    1/10
    • Target

      083428863c14a04d4a179a3e0b21e9349805585226f971fc43c4784842271f74.elf

    • Size

      43KB

    • MD5

      70504e546caa3236769026e43226f444

    • SHA1

      09f054c8ce8f655d8b6e1d075ffdf404b09f3378

    • SHA256

      083428863c14a04d4a179a3e0b21e9349805585226f971fc43c4784842271f74

    • SHA512

      b0adf569522f9e6f946ba5df5f3a42cc631f414a71e926ea8b65674f04af6ae3535600a2c8003dc83e777d1a1167e1bf98aa0fca20a3da4284c0860f6ed1613d

    Score
    1/10
    • Target

      08f364a8accfbfc972aeca76586e11ab3367a663dd31e6d046cb9973b6da88b0.elf

    • Size

      64KB

    • MD5

      97878b01745d44d58b6d2a22e850fd35

    • SHA1

      8d1ce62daa26d72c0af27481e1e3d10a4d65ee80

    • SHA256

      08f364a8accfbfc972aeca76586e11ab3367a663dd31e6d046cb9973b6da88b0

    • SHA512

      d310403b527b546f5fca71420cd8ad13ce206dfda5d5555c7ea1dacc9e34511a5cc5e5189692fb944c843c35090d0f4d1f02d3c80f4f2a21f6ff9cfc7006fabb

    Score
    1/10
    • Target

      0a52f644a577430406569d01e8257e9d30917fa2e535a789b42e019fd132f30d.elf

    • Size

      114KB

    • MD5

      7bd98317b305d563ca8f0a939e2a1fc9

    • SHA1

      684f6e5d876624311d1c5379f7820a6ed345efe5

    • SHA256

      0a52f644a577430406569d01e8257e9d30917fa2e535a789b42e019fd132f30d

    • SHA512

      d55ebfa4ffab192e3bd26d204f1b02579518eb1437541e1438344dd3b20c6459d14c4cced21bcb01edeafdbed7645e38d5ff1ff83519b91b235e554f3fa212eb

    Score
    1/10
    • Target

      0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab.exe

    • Size

      395KB

    • MD5

      97e8e525e2fc27c2634da7d235f5ff5c

    • SHA1

      63e628501bd54422ebfc6857039d50fd97cbe55d

    • SHA256

      0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab

    • SHA512

      4cf5470c485449c02f48fface72e7e729916854399ca41f8fb2a701b73bed4b78a46233b9f0f79efda95874789b4d3953f4640272275fa823339eb970614fdb9

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0b85f1a068b41f2529481734b5385e394f87d9da47c333327b23462b6e4ea29d.elf

    • Size

      36KB

    • MD5

      7481ff2091954fd2ab2fb4975488d789

    • SHA1

      8cbbf87c2a2878bd72343afcd30d884f34268939

    • SHA256

      0b85f1a068b41f2529481734b5385e394f87d9da47c333327b23462b6e4ea29d

    • SHA512

      ebb90412d612c00eaf178deaa3a30e080209ac2f6d9938b4e81beeda8da42bef95fc359350fee4388e0d1a8dc0873f4b1fac4dd13628322ed3af54b6726ce75b

    Score
    1/10
    • Target

      0c16b313253259d25a77c5019df1985e6c356c56f4ce19f8119829efec7db43d.exe

    • Size

      387KB

    • MD5

      25b64c0bad59caa2bb89de749ce69e2b

    • SHA1

      26bd53222cdce89e0ab183db7fa9df6dd489982b

    • SHA256

      0c16b313253259d25a77c5019df1985e6c356c56f4ce19f8119829efec7db43d

    • SHA512

      930569743201567d74d32e34361ad13b801c6ef492543d805a1ba1553a4aa037738214e4b8e3546a69187b72478072c78ee526e77ebb77d1113e463ea6e0e173

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0cff428e9607d1819a4da397dafba7380734315daaace0ea129144755cc5706f.exe

    • Size

      239KB

    • MD5

      e9f323a2cf1fff2fd364f6bb8f7764d7

    • SHA1

      4f2b7d3df800b97bda3b3bb303b85b30bda99180

    • SHA256

      0cff428e9607d1819a4da397dafba7380734315daaace0ea129144755cc5706f

    • SHA512

      cc606d6b055a89ebe3e1a1e0cd77f894c20e3e67b75028e58dce02ba191ddd2e4c1fbe140e4068fd4f86140efb84b32f8ff50dca3b926bc77d0d3ac38bbadafa

    Score
    10/10
    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • Nirsoft

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      0fc2088b8cb286ca22b3b753c133cca59414c6a1298fb76af5d54ddb6c61a873.exe

    • Size

      303KB

    • MD5

      a5c4f315da3e205c9f3af915ebb19668

    • SHA1

      504f2125ca265d93e281f69a3e7e547fc7118f64

    • SHA256

      0fc2088b8cb286ca22b3b753c133cca59414c6a1298fb76af5d54ddb6c61a873

    • SHA512

      c954588ddf724f1df77a1988bb8e2ed5fdec1c5f7538c7fe0882eb52b33b46223046b3d2361f83893ae84fc30fbe7be39a90d6535d9ccf240e55f3f2d3d25d08

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      103578df44dbe6a55c4298130df5c3dca804ce8ae84c692396b89fc84ddf71c8.elf

    • Size

      67KB

    • MD5

      b905bf6e2c0c5fb8596c6ff3944dcb14

    • SHA1

      1be588c84eb35458d15af2b4264ea545daf5c352

    • SHA256

      103578df44dbe6a55c4298130df5c3dca804ce8ae84c692396b89fc84ddf71c8

    • SHA512

      cb17f1cc88c0382f30419ae17372c55bad1defb2cb15054369c3fc84c23586e8bdf9589a3fe2720d234e9e794f29a7cb156151563a83866531a787a83be033f7

    Score
    1/10

MITRE ATT&CK Enterprise v6

Tasks

static1
  Tags: themida, vmprotect, upx, pony, bitrat, oski, mirai, agenttesla
  Score: 10/10

behavioral1
  Tags: raccoon, e593428d572f64087cbbaacf2f970ff1f26a86b7, stealer
  Score: 10/10

behavioral2
  Tags: raccoon, e593428d572f64087cbbaacf2f970ff1f26a86b7, stealer
  Score: 10/10

behavioral3
  Score: 1/10

behavioral4
  Score: 1/10

behavioral5
  Score: 1/10

behavioral6
  Score: 1/10

behavioral7
  Tags: lokibot, spyware, stealer, suricata, trojan
  Score: 10/10

behavioral8
  Score: 1/10

behavioral9
  Score: 1/10

behavioral10
  Score: 1/10

behavioral11
  Score: 1/10

behavioral12
  Score: 1/10

behavioral13
  Score: 1/10

behavioral14
  Score: 1/10

behavioral15
  Score: 1/10

behavioral16
  Score: 1/10

behavioral17
  Score: 1/10

behavioral18
  Score: 1/10

behavioral19
  Score: 1/10

behavioral20
  Score: 1/10

behavioral21
  Tags: redline, 26.07, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral22
  Tags: redline, 26.07, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral23
  Score: 1/10

behavioral24
  Score: 1/10

behavioral25
  Score: 1/10

behavioral26
  Tags: redline, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral27
  Tags: redline, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral28
  Tags: suricata
  Score: 10/10

behavioral29
  Tags: suricata
  Score: 10/10

behavioral30
  Tags: redline, sewpalpadin, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral31
  Tags: redline, sewpalpadin, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral32
  Score: 1/10