General

  • Target

    097910dc615bd581069c0ec67fa513d0

  • Size

    193KB

  • Sample

    211008-g7rddsdfaq

  • MD5

    097910dc615bd581069c0ec67fa513d0

  • SHA1

    00597735a09afbe12ad29ea00ede40733c67801c

  • SHA256

    25b2ae77c2dc71ca729c153cce1615b77a396ff4ba598928c788eec57f1777fe

  • SHA512

    cdf2464377db2fc6c2b2c665ac903e74cfde99a3e6cc6acd7d0d2ad6d417d442b27760b79d14693e3ba27d0a1b8a3d0355f48521d9847ab30c38e8541de92752

Malware Config

Extracted

Path

C:\read-me.txt

Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

\??\M:\Boot\cs-CZ\Read_Me.txt

Ransom Note
Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101OJDJYYYO
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101OJDJYYYO

https://yip.su/2QstD5

Extracted

Family

smokeloader

Version

2020

C2

rc4.i32

Extracted

Family

vidar

Version

41.2

Botnet

1031

C2

https://mas.to/@serg4325

Attributes
  • profile_id

    1031

Extracted

Family

redline

Botnet

helo

C2

144.202.13.247:46573

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes
  • url4cnc

    http://teletop.top/agrybirdsgamerept

    http://teleta.top/agrybirdsgamerept

    https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

777

C2

93.115.20.139:28978

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Extracted

Family

raccoon

Version

1.8.2

Botnet

2ea41939378a473cbe7002fd507389778c0f10e7

Attributes
  • url4cnc

    http://teletop.top/stevuitreen

    http://teleta.top/stevuitreen

    https://t.me/stevuitreen

rc4.plain

Extracted

Family

vidar

Version

41.2

Botnet

1033

C2

https://mas.to/@serg4325

Attributes
  • profile_id

    1033

Targets

    • Target

      097910dc615bd581069c0ec67fa513d0

    • Size

      193KB

    • MD5

      097910dc615bd581069c0ec67fa513d0

    • SHA1

      00597735a09afbe12ad29ea00ede40733c67801c

    • SHA256

      25b2ae77c2dc71ca729c153cce1615b77a396ff4ba598928c788eec57f1777fe

    • SHA512

      cdf2464377db2fc6c2b2c665ac903e74cfde99a3e6cc6acd7d0d2ad6d417d442b27760b79d14693e3ba27d0a1b8a3d0355f48521d9847ab30c38e8541de92752

    • Modifies Windows Defender Real-time Protection settings

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Turns off Windows Defender SpyNet reporting

    • UAC bypass

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Core1 .NET packer

      Detects packer/loader used by .NET malware.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • XMRig Miner Payload

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Count  ID
Persistence           Modify Existing Service              2      T1031
Persistence           New Service                          1      T1050
Persistence           Registry Run Keys / Startup Folder   2      T1060
Privilege Escalation  Bypass User Account Control          1      T1088
Privilege Escalation  New Service                          1      T1050
Defense Evasion       Modify Registry                      8      T1112
Defense Evasion       Disabling Security Tools             5      T1089
Defense Evasion       Bypass User Account Control          1      T1088
Defense Evasion       Virtualization/Sandbox Evasion       1      T1497
Credential Access     Credentials in Files                 4      T1081
Discovery             Query Registry                       6      T1012
Discovery             Virtualization/Sandbox Evasion       1      T1497
Discovery             System Information Discovery         6      T1082
Discovery             Peripheral Device Discovery          2      T1120
Collection            Data from Local System               4      T1005
Collection            Email Collection                     2      T1114

Tasks