Overview
overview
10Static
static
028d53f522...fa.exe
windows7_x64
10028d53f522...fa.exe
windows11_x64
10028d53f522...fa.exe
windows10_x64
10Bot_Checker.exe
windows7_x64
3Bot_Checker.exe
windows11_x64
10Bot_Checker.exe
windows10_x64
10Uninstall.exe
windows7_x64
3Uninstall.exe
windows11_x64
6Uninstall.exe
windows10_x64
3Versium.exe
windows7_x64
9Versium.exe
windows11_x64
10Versium.exe
windows10_x64
10VersiumRes...it.exe
windows7_x64
10VersiumRes...it.exe
windows11_x64
10VersiumRes...it.exe
windows10_x64
10VersiumRes...it.exe
windows7_x64
8VersiumRes...it.exe
windows11_x64
8VersiumRes...it.exe
windows10_x64
8Versiumresearch.exe
windows7_x64
10Versiumresearch.exe
windows11_x64
Versiumresearch.exe
windows10_x64
10General
-
Target
Versium Research.rar
-
Size
5.4MB
-
Sample
210812-sm95c1t59j
-
MD5
04d15b7cbf0569864486cc138604d68c
-
SHA1
2bdb39e458ba4e7a5e0e262262c54b0ecf685956
-
SHA256
91f4b7ae747bfd036882e084650f608782b6054ecc8ab32f5fe91b91caf80e5d
-
SHA512
1d2dcf2c1a41ab14795c7485d1a825de7f6237d726e6e1d4414dccaadf6cc77df9e5ae1ee4554321ce3b0c23899612c9be7b18ce2bf5cb829a1a04e564c3ccc0
Static task
static1
Behavioral task
behavioral1
Sample
028d53f5224f9cc8c60bd953504f1efa.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
028d53f5224f9cc8c60bd953504f1efa.exe
Resource
win11
Behavioral task
behavioral3
Sample
028d53f5224f9cc8c60bd953504f1efa.exe
Resource
win10v20210408
Behavioral task
behavioral4
Sample
Bot_Checker.exe
Resource
win7v20210410
Behavioral task
behavioral5
Sample
Bot_Checker.exe
Resource
win11
Behavioral task
behavioral6
Sample
Bot_Checker.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
Uninstall.exe
Resource
win7v20210408
Behavioral task
behavioral8
Sample
Uninstall.exe
Resource
win11
Behavioral task
behavioral9
Sample
Uninstall.exe
Resource
win10v20210410
Behavioral task
behavioral10
Sample
Versium.exe
Resource
win7v20210408
Behavioral task
behavioral11
Sample
Versium.exe
Resource
win11
Behavioral task
behavioral12
Sample
Versium.exe
Resource
win10v20210408
Behavioral task
behavioral13
Sample
VersiumResearch32bit.exe
Resource
win7v20210410
Behavioral task
behavioral14
Sample
VersiumResearch32bit.exe
Resource
win11
Behavioral task
behavioral15
Sample
VersiumResearch32bit.exe
Resource
win10v20210408
Behavioral task
behavioral16
Sample
VersiumResearch64bit.exe
Resource
win7v20210408
Behavioral task
behavioral17
Sample
VersiumResearch64bit.exe
Resource
win11
Behavioral task
behavioral18
Sample
VersiumResearch64bit.exe
Resource
win10v20210410
Behavioral task
behavioral19
Sample
Versiumresearch.exe
Resource
win7v20210410
Behavioral task
behavioral20
Sample
Versiumresearch.exe
Resource
win11
Behavioral task
behavioral21
Sample
Versiumresearch.exe
Resource
win10v20210410
Malware Config
Extracted
metasploit
windows/single_exec
Extracted
raccoon
5c07c7a19b0c108c44d95accd1e1b897aa1528e1
-
url4cnc
https://telete.in/fsp1boomgasio
Extracted
redline
7new
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
Targets
-
-
Target
028d53f5224f9cc8c60bd953504f1efa.exe
-
Size
4.4MB
-
MD5
90a0bd1a164b2af8a7b15f75ab07e3f1
-
SHA1
c8def0f5b75c51b2efa40b07ebe035566d8be1a1
-
SHA256
276387214b560792419a07b097ee76400519c2c902f378207d30acf851ac2213
-
SHA512
b0cd55af23728cbf3a63392c492aff201df688f1185eb5f577e56151c8d871d49ae392d51bdfdf0dde360d86fc919174015d6d6cabbd3c3f59cdec5ca53bf4c0
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Registers COM server for autorun
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
-
-
Target
Bot_Checker.exe
-
Size
56KB
-
MD5
391ca27e1e5cc0da88d1fcc8df1d0d85
-
SHA1
25bd7c5b7d88bcd01610226fccb0910b48dc1eee
-
SHA256
a9ee4862c1e7931ef8366b090ac1f3212e79cc17d7737f537978d9a3fb0c5ef1
-
SHA512
2dbb84eb664798766a669c7d407be76d5154bd7d0b99f2c2371ad0ae3e1124605df0771b228f7a3406f023fa9cbba3022afb5b48207cf1eb14d94cda7a5117f9
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
Uninstall.exe
-
Size
97KB
-
MD5
a8c53399726fea24e4af993e971df5af
-
SHA1
50b4c4d3cf172106417dc0e59eaa63bf7cd0603e
-
SHA256
6b13a733947bc2395695cc6f9a8b59eae88cf6467e368a810bcac0c10d6c46a6
-
SHA512
b2159712ecfa8f7e9a75a190e858cc791bcdcd19118a6db40041d7ffbda531343a63244d35012702dda8514191e8bf6e838ab896c9db232f2c163fc4d4cd2bf9
Score6/10-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Versium.exe
-
Size
746KB
-
MD5
393d6260e39b68b2d60300e4f62ebc83
-
SHA1
16c58c5b7dee3ce4c3a40925ba4eed3c188faf46
-
SHA256
e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3
-
SHA512
d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Nirsoft
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
VersiumResearch32bit.exe
-
Size
504KB
-
MD5
8479bce60218cd871c118308ded82d39
-
SHA1
0388ec861b2ac5c7f4dc6eed249d92d3002fe66e
-
SHA256
15078be80772a449383c5f6a7631955039b82ebaf507ab67e61093b70b98dc43
-
SHA512
f4be47baee6baeacbe1e27174ad83700efc78ab2d02262d718c7436d2304fc16618a5911bed63ed8d2e947af3c511d17b77ddfccea9a4e6aab9f3956fcf322f8
-
Raccoon Stealer Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
VersiumResearch64bit.exe
-
Size
252KB
-
MD5
ee19bc8a2b6c6fd7c30037389457a4df
-
SHA1
e1fca1cc33574e59dec62763ee6e7de1a5198095
-
SHA256
76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0
-
SHA512
38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001
Score8/10-
Executes dropped EXE
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Versiumresearch.exe
-
Size
163KB
-
MD5
b1dbc3b027105d8032541bc0c5e71abb
-
SHA1
1ef1950ecb44e6bd8d0a3849868ec9a0ceaa1130
-
SHA256
b0eb54f46e5919460cb8d21fdcd695e3356b6311ab0547f18dc3d84a66a14bc4
-
SHA512
3f7fd0aa71e6fae5eeaf16cc47a1ac43cdd1f643c1e7e439eb068685558929cf3c74552ad70fbf2d6cad94cc11bb8ea9c099ef1401b868947f1a9e5e44b34f7b
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-