Overview

overview

10

Static

static

7fcd73b1f7...56.exe

windows7_x64

10

7fcd73b1f7...56.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7fcd73b1f787ef886832a7af7170bc56

  • Size

    134KB

  • Sample

    210926-wkqwnsfbh6

  • MD5

    7fcd73b1f787ef886832a7af7170bc56

  • SHA1

    984e27643a7e6fe46d7944073ce57fd52cc278e9

  • SHA256

    2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133

  • SHA512

    6a9c4ba3e20c3397eadd8d6468a09baa0ab5b192988fa3b54832b291f91dc6e9250990d1dc736397226c25c633d842a62160398dd695ff695a54fdbe74f77719

Score
10/10
djvuredlinesmokeloadervidarpaladinbackdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

paladin

C2

94.26.228.204:32917

Targets

    • Target

      7fcd73b1f787ef886832a7af7170bc56

    • Size

      134KB

    • MD5

      7fcd73b1f787ef886832a7af7170bc56

    • SHA1

      984e27643a7e6fe46d7944073ce57fd52cc278e9

    • SHA256

      2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133

    • SHA512

      6a9c4ba3e20c3397eadd8d6468a09baa0ab5b192988fa3b54832b291f91dc6e9250990d1dc736397226c25c633d842a62160398dd695ff695a54fdbe74f77719

    Score
    10/10
    djvuredlinesmokeloadervidarpaladinbackdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojan

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Modifies security service

      evasion

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks