Resubmissions
03-09-2021 12:16
210903-pfn3ysdac4 1003-09-2021 04:55
210903-fj6mqsfbfk 1002-09-2021 19:23
210902-x37sksbef5 1002-09-2021 15:02
210902-senycadeck 1002-09-2021 11:29
210902-4b2x2c3ahj 1002-09-2021 05:46
210902-lng5vcn31n 1002-09-2021 04:57
210902-gp7zs88ann 1001-09-2021 17:32
210901-sgcvvtysvs 1031-08-2021 12:57
210831-1v8aywj16x 1031-08-2021 07:34
210831-n7h9w45r3x 10General
-
Target
Setup.exe
-
Size
631KB
-
Sample
210901-sgcvvtysvs
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config
Extracted
redline
255
45.14.49.28:5628
Extracted
redline
193.56.146.60:16367
Extracted
redline
NORMAN2
45.14.49.184:27587
Extracted
redline
build5
65.108.48.203:48896
Extracted
metasploit
windows/single_exec
Extracted
redline
1
37.0.8.88:44263
Extracted
redline
spnewportspectr
135.148.139.222:1594
Extracted
redline
a4
185.215.113.9:57250
Extracted
raccoon
d02c5d65069fc7ce1993e7c52edf0c9c4c195c81
-
url4cnc
https://telete.in/open3entershift
Targets
-
-
Target
Setup.exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score10/10-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1