General
-
Target
0aff9c5e774ab054fe3d75a025022946.exe
-
Size
272KB
-
Sample
210825-z633xs17fs
-
MD5
0aff9c5e774ab054fe3d75a025022946
-
SHA1
2686eea24d393796fd6d9b95be9363face6454bd
-
SHA256
2c835a908ce2e7c313393fe2689a36f087794f35583766076a0e3d842b01aee8
-
SHA512
cfd982c9deb7d6a125edd1e32b32c87db22a7e7e38b75abb727bd150fb3af42f21e5c11390a941101bbd468918b957e4a28958a4aebcf47db4537f6120d01231
Static task
static1
Behavioral task
behavioral1
Sample
0aff9c5e774ab054fe3d75a025022946.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
0aff9c5e774ab054fe3d75a025022946.exe
Resource
win10v20210410
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Extracted
raccoon
fe582536ec580228180f270f7cb80a867860e010
-
url4cnc
https://telete.in/xylichanjk
Extracted
redline
190.2.145.47:80
Extracted
redline
@big_tastyyy
87.251.71.44:80
Targets
-
-
Target
0aff9c5e774ab054fe3d75a025022946.exe
-
Size
272KB
-
MD5
0aff9c5e774ab054fe3d75a025022946
-
SHA1
2686eea24d393796fd6d9b95be9363face6454bd
-
SHA256
2c835a908ce2e7c313393fe2689a36f087794f35583766076a0e3d842b01aee8
-
SHA512
cfd982c9deb7d6a125edd1e32b32c87db22a7e7e38b75abb727bd150fb3af42f21e5c11390a941101bbd468918b957e4a28958a4aebcf47db4537f6120d01231
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-