General
-
Target
Versium Research.rar
-
Size
5.4MB
-
Sample
210812-n6l9952p1a
-
MD5
04d15b7cbf0569864486cc138604d68c
-
SHA1
2bdb39e458ba4e7a5e0e262262c54b0ecf685956
-
SHA256
91f4b7ae747bfd036882e084650f608782b6054ecc8ab32f5fe91b91caf80e5d
-
SHA512
1d2dcf2c1a41ab14795c7485d1a825de7f6237d726e6e1d4414dccaadf6cc77df9e5ae1ee4554321ce3b0c23899612c9be7b18ce2bf5cb829a1a04e564c3ccc0
Static task
static1
Behavioral task
behavioral1
Sample
028d53f5224f9cc8c60bd953504f1efa.exe
Resource
win11
Behavioral task
behavioral2
Sample
Bot_Checker.exe
Resource
win11
Behavioral task
behavioral3
Sample
Uninstall.exe
Resource
win11
Behavioral task
behavioral4
Sample
Versium.exe
Resource
win11
Behavioral task
behavioral5
Sample
VersiumResearch32bit.exe
Resource
win11
Behavioral task
behavioral6
Sample
VersiumResearch64bit.exe
Resource
win11
Behavioral task
behavioral7
Sample
Versiumresearch.exe
Resource
win11
Malware Config
Extracted
metasploit
windows/single_exec
Extracted
redline
7new
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
Targets
-
-
Target
028d53f5224f9cc8c60bd953504f1efa.exe
-
Size
4.4MB
-
MD5
90a0bd1a164b2af8a7b15f75ab07e3f1
-
SHA1
c8def0f5b75c51b2efa40b07ebe035566d8be1a1
-
SHA256
276387214b560792419a07b097ee76400519c2c902f378207d30acf851ac2213
-
SHA512
b0cd55af23728cbf3a63392c492aff201df688f1185eb5f577e56151c8d871d49ae392d51bdfdf0dde360d86fc919174015d6d6cabbd3c3f59cdec5ca53bf4c0
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Bot_Checker.exe
-
Size
56KB
-
MD5
391ca27e1e5cc0da88d1fcc8df1d0d85
-
SHA1
25bd7c5b7d88bcd01610226fccb0910b48dc1eee
-
SHA256
a9ee4862c1e7931ef8366b090ac1f3212e79cc17d7737f537978d9a3fb0c5ef1
-
SHA512
2dbb84eb664798766a669c7d407be76d5154bd7d0b99f2c2371ad0ae3e1124605df0771b228f7a3406f023fa9cbba3022afb5b48207cf1eb14d94cda7a5117f9
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Uninstall.exe
-
Size
97KB
-
MD5
a8c53399726fea24e4af993e971df5af
-
SHA1
50b4c4d3cf172106417dc0e59eaa63bf7cd0603e
-
SHA256
6b13a733947bc2395695cc6f9a8b59eae88cf6467e368a810bcac0c10d6c46a6
-
SHA512
b2159712ecfa8f7e9a75a190e858cc791bcdcd19118a6db40041d7ffbda531343a63244d35012702dda8514191e8bf6e838ab896c9db232f2c163fc4d4cd2bf9
Score6/10-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Versium.exe
-
Size
746KB
-
MD5
393d6260e39b68b2d60300e4f62ebc83
-
SHA1
16c58c5b7dee3ce4c3a40925ba4eed3c188faf46
-
SHA256
e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3
-
SHA512
d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Nirsoft
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
VersiumResearch32bit.exe
-
Size
504KB
-
MD5
8479bce60218cd871c118308ded82d39
-
SHA1
0388ec861b2ac5c7f4dc6eed249d92d3002fe66e
-
SHA256
15078be80772a449383c5f6a7631955039b82ebaf507ab67e61093b70b98dc43
-
SHA512
f4be47baee6baeacbe1e27174ad83700efc78ab2d02262d718c7436d2304fc16618a5911bed63ed8d2e947af3c511d17b77ddfccea9a4e6aab9f3956fcf322f8
Score10/10-
Raccoon Stealer Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
VersiumResearch64bit.exe
-
Size
252KB
-
MD5
ee19bc8a2b6c6fd7c30037389457a4df
-
SHA1
e1fca1cc33574e59dec62763ee6e7de1a5198095
-
SHA256
76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0
-
SHA512
38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Executes dropped EXE
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Versiumresearch.exe
-
Size
163KB
-
MD5
b1dbc3b027105d8032541bc0c5e71abb
-
SHA1
1ef1950ecb44e6bd8d0a3849868ec9a0ceaa1130
-
SHA256
b0eb54f46e5919460cb8d21fdcd695e3356b6311ab0547f18dc3d84a66a14bc4
-
SHA512
3f7fd0aa71e6fae5eeaf16cc47a1ac43cdd1f643c1e7e439eb068685558929cf3c74552ad70fbf2d6cad94cc11bb8ea9c099ef1401b868947f1a9e5e44b34f7b
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-