Resubmissions

19-08-2021 18:59

210819-yrzbdtvqln 10

18-08-2021 20:25

210818-4hztrzavcs 10

18-08-2021 17:24

210818-9p8lqjhwv2 10

17-08-2021 06:12

210817-kl4jvaaq7x 10

16-08-2021 10:04

210816-nwc3tqkr3a 10

16-08-2021 10:04

210816-5r5rafnh7e 10

16-08-2021 10:04

210816-kdgh648t5e 10

16-08-2021 09:37

210816-9esgfwsmfe 10

16-08-2021 08:13

210816-26la9rblgn 10

17-08-2021 08:51

210817-w2l5yq2wln

General

  • Target

    EB7233922891E1DAD0434FBD52623647.exe

  • Size

    7.9MB

  • Sample

    210817-w2l5yq2wln

  • MD5

    eb7233922891e1dad0434fbd52623647

  • SHA1

    331126b108532ab9a1e932141bff55a38656bce9

  • SHA256

    b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

  • SHA512

    597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

4

C2

213.166.68.170:16810

Extracted

Family

smokeloader

Version

2020

C2

http://manicord.top/forum/

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

40

Botnet

937

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    937

Extracted

Family

redline

C2

205.185.119.191:18846

Extracted

Family

redline

Botnet

32222

C2

188.124.36.242:25802

Extracted

Family

redline

Botnet

SewPalpadin

C2

185.215.113.114:8887

Targets

    • Target

      EB7233922891E1DAD0434FBD52623647.exe

    • Size

      7.9MB

    • MD5

      eb7233922891e1dad0434fbd52623647

    • SHA1

      331126b108532ab9a1e932141bff55a38656bce9

    • SHA256

      b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

    • SHA512

      597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • evasion

      evasion.

    • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

      suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

      suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

      suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks