Resubmissions

23-09-2021 21:08

210923-zyzyaafbfr 10

22-09-2021 10:40

210922-mqyzssehck 10

22-09-2021 05:21

210922-f114ksecck 10

21-09-2021 05:29

210921-f6zspsgdg2 10

20-09-2021 21:51

210920-1qj3jafed9 10

20-09-2021 19:44

210920-yftswafca9 10

20-09-2021 08:28

210920-kczcasgahr 10

20-09-2021 04:42

210920-fb3acafedj 10

20-09-2021 04:42

210920-fb2zksfecr 10

General

  • Target

    setup_x86_x64_install.exe

  • Size

    4.0MB

  • Sample

    210922-mqyzssehck

  • MD5

    73491325fde5366b31c09da701d07dd6

  • SHA1

    a4e1ada57e590c2df30fc26fad5f3ca57ad922b1

  • SHA256

    56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

  • SHA512

    28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

janesam

C2

65.108.20.195:6774

Extracted

Family

redline

Botnet

UTS

C2

45.9.20.20:13441

Extracted

Family

vidar

Version

40.7

Botnet

706

C2

https://petrenko96.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\7zS26D7.tmp\__data__\config.txt

Family

ryuk

Ransom Note
(ransom note body not recoverable: the extracted content is binary/mis-encoded data and is not reproduced here)

Extracted

Family

redline

Botnet

REC

C2

185.215.113.107:61144

Targets

    • Target

      setup_x86_x64_install.exe

    • Size

      4.0MB

    • MD5

      73491325fde5366b31c09da701d07dd6

    • SHA1

      a4e1ada57e590c2df30fc26fad5f3ca57ad922b1

    • SHA256

      56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

    • SHA512

      28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

    • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity

    • suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • XMRig Miner Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
N/A

behavioral1

redline smokeloader socelars janesam uts aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan
Score
10/10

behavioral2

glupteba metasploit redline socelars vidar xmrig 706 uts aspackv2 backdoor bootkit discovery dropper evasion infostealer loader miner persistence spyware stealer suricata trojan
Score
10/10

behavioral3

redline smokeloader socelars vidar 706 janesam aspackv2 backdoor evasion infostealer spyware stealer suricata themida trojan
Score
10/10

behavioral4

redline socelars vidar janesam aspackv2 discovery evasion infostealer persistence spyware stealer suricata trojan
Score
10/10

behavioral5

oski redline ryuk smokeloader socelars vidar zloader 706 janesam rec uts aspackv2 backdoor botnet discovery evasion infostealer persistence ransomware spyware stealer suricata trojan
Score
10/10

behavioral6

redline smokeloader socelars vidar 706 janesam aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan
Score
10/10

behavioral7

redline smokeloader socelars vidar 706 janesam rec uts aspackv2 backdoor bootkit discovery evasion infostealer persistence spyware stealer suricata trojan
Score
10/10

behavioral8

oski redline ryuk smokeloader socelars vidar 706 janesam aspackv2 backdoor bootkit discovery evasion infostealer persistence ransomware spyware stealer suricata trojan
Score
10/10