buran

General

Target

0aff9c5e774ab054fe3d75a025022946.exe
Size

272KB
Sample

210825-z633xs17fs
MD5

0aff9c5e774ab054fe3d75a025022946
SHA1

2686eea24d393796fd6d9b95be9363face6454bd
SHA256

2c835a908ce2e7c313393fe2689a36f087794f35583766076a0e3d842b01aee8
SHA512

cfd982c9deb7d6a125edd1e32b32c87db22a7e7e38b75abb727bd150fb3af42f21e5c11390a941101bbd468918b957e4a28958a4aebcf47db4537f6120d01231

Score

10^/10

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: payfast290@mail2tor.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? payfast290@mail2tor.com TELEGRAM @ payfast290 Your personal ID: 36F-3DC-88F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

fe582536ec580228180f270f7cb80a867860e010

Attributes

url4cnc
https://telete.in/xylichanjk

rc4.plain

Extracted

Family

redline

C2

190.2.145.47:80

Extracted

Family

redline

Botnet

@big_tastyyy

C2

87.251.71.44:80

Targets

- Target
  
  0aff9c5e774ab054fe3d75a025022946.exe
- Size
  
  272KB
- MD5
  
  0aff9c5e774ab054fe3d75a025022946
- SHA1
  
  2686eea24d393796fd6d9b95be9363face6454bd
- SHA256
  
  2c835a908ce2e7c313393fe2689a36f087794f35583766076a0e3d842b01aee8
- SHA512
  
  cfd982c9deb7d6a125edd1e32b32c87db22a7e7e38b75abb727bd150fb3af42f21e5c11390a941101bbd468918b957e4a28958a4aebcf47db4537f6120d01231
Score

10^/10

buran raccoon redline smokeloader @big_tastyyy fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan suricata
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2