Resubmissions

19-08-2021 18:59

210819-yrzbdtvqln 10

18-08-2021 20:25

210818-4hztrzavcs 10

18-08-2021 17:24

210818-9p8lqjhwv2 10

17-08-2021 06:12

210817-kl4jvaaq7x 10

16-08-2021 10:04

210816-nwc3tqkr3a 10

16-08-2021 10:04

210816-5r5rafnh7e 10

16-08-2021 10:04

210816-kdgh648t5e 10

16-08-2021 09:37

210816-9esgfwsmfe 10

16-08-2021 08:13

210816-26la9rblgn 10

17-08-2021 08:51

210817-w2l5yq2wln

General

  • Target

    EB7233922891E1DAD0434FBD52623647.exe

  • Size

    7.9MB

  • Sample

    210818-4hztrzavcs

  • MD5

    eb7233922891e1dad0434fbd52623647

  • SHA1

    331126b108532ab9a1e932141bff55a38656bce9

  • SHA256

    b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

  • SHA512

    597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

Ver 18.08

C2

149.202.65.221:64206

Extracted

Family

redline

Botnet

18_08_fatboy

C2

cinteyanio.xyz:80

Extracted

Family

redline

Botnet

dibild

C2

135.148.139.222:33569

Extracted

Family

redline

Botnet

FIRST_7.5k

C2

45.14.49.200:27625

Extracted

Family

redline

Botnet

installzo

C2

185.186.142.245:1778

Extracted

Family

raccoon

Botnet

171b0ea0beebb33c2d9043b095edfe8ec188b323

Attributes
  • url4cnc

    https://telete.in/fihborntoflyes

rc4.plain
rc4.plain

Targets

    • Target

      EB7233922891E1DAD0434FBD52623647.exe

    • Size

      7.9MB

    • MD5

      eb7233922891e1dad0434fbd52623647

    • SHA1

      331126b108532ab9a1e932141bff55a38656bce9

    • SHA256

      b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

    • SHA512

      597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Raccoon Stealer Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • evasion

      evasion.

    • suricata: ET MALWARE Amadey CnC Check-In

      suricata: ET MALWARE Amadey CnC Check-In

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

      suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

      suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

      suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

      suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2

      suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Program crash

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks