Overview

overview

10

Static

static

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows7_x64

10

Fri051e1e7444.exe

windows11_x64

10

Fri051e1e7444.exe

windows10_x64

10

Fri051e1e7444.exe

windows10_x64

10

Fri051e1e7444.exe

windows10_x64

10

Resubmissions

23-10-2021 15:52

211023-tbkbesdcfm 10

22-10-2021 17:40

211022-v8trsscggr 10

22-10-2021 15:55

211022-tc9ygacgan 10

22-10-2021 14:38

211022-rz1bfabgb8 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Fri051e1e7444.exe

  • Size

    403KB

  • Sample

    211022-rz1bfabgb8

  • MD5

    b4c503088928eef0e973a269f66a0dd2

  • SHA1

    eb7f418b03aa9f21275de0393fcbf0d03b9719d5

  • SHA256

    2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

  • SHA512

    c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Score
10/10
djvuicedidnetsupportraccoonredlinesmokeloadersocelarsvidarxmrigzloader7c9b4504a63ed23664e38808e65948379b790395874dee7d322070fc6dc34b3b6cd43904077db44d916921933937james2221875681804backdoorbankerbotnetdiscoveryevasioninfostealerminerpersistenceransomwareratspywarestealerthemidatrojan

Malware Config

Extracted

Family

raccoon

rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://gejajoo7.top/

http://sysaheu9.top/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

icedid

Campaign

1875681804

C2

enticationmetho.ink

Extracted

Family

vidar

Version

41.5

Botnet

916

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    916

Extracted

Family

vidar

Version

41.5

Botnet

937

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    937

Extracted

Family

raccoon

Version

1.8.1

Botnet

874dee7d322070fc6dc34b3b6cd43904077db44d

Attributes
  • url4cnc

    https://telete.in/isuzoShadowhunter

rc4.plain
rc4.plain

Extracted

Family

redline

C2

205.185.119.191:60857

Extracted

Family

raccoon

Botnet

7c9b4504a63ed23664e38808e65948379b790395

Attributes
  • url4cnc

    http://telegka.top/capibar

    http://telegin.top/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

41.5

Botnet

921

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    921

Extracted

Family

redline

Botnet

james222

C2

135.181.129.119:4805

Extracted

Family

icedid

Campaign

1875681804

Extracted

Family

djvu

C2

http://rlrz.org/lancer

Extracted

Family

vidar

Version

41.5

Botnet

933

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    933

Targets

    • Target

      Fri051e1e7444.exe

    • Size

      403KB

    • MD5

      b4c503088928eef0e973a269f66a0dd2

    • SHA1

      eb7f418b03aa9f21275de0393fcbf0d03b9719d5

    • SHA256

      2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

    • SHA512

      c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

    Score
    10/10
    evasionspywarestealertrojanicedidraccoonredlinesmokeloadersocelarsvidarxmrig1875681804backdoorbankerdiscoveryinfostealerminerpersistencethemidadjvunetsupport7c9b4504a63ed23664e38808e65948379b790395874dee7d322070fc6dc34b3b6cd43904077db44d916921937james222ransomwarerat933zloaderbotnet

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies system executable filetype association

      persistence

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

      ratnetsupport

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Registers COM server for autorun

      persistence

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4behavioral5behavioral6behavioral7

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

BITS Jobs

1
T1197

Change Default File Association

1
T1042

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

3
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

BITS Jobs

1
T1197

Disabling Security Tools

1
T1089

File and Directory Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Modify Registry

6
T1112

Virtualization/Sandbox Evasion

1
T1497

Web Service

1
T1102

Credential Access

Credentials in Files

3
T1081

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

8
T1012

Remote System Discovery

1
T1018

Security Software Discovery

1
T1063

Software Discovery

1
T1518

System Information Discovery

8
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
N/A

behavioral1

evasionspywarestealertrojan
Score
10/10

behavioral2

evasionspywarestealertrojan
Score
10/10

behavioral3

evasionspywarestealertrojan
Score
10/10

behavioral4

icedidraccoonredlinesmokeloadersocelarsvidarxmrig1875681804backdoorbankerdiscoveryevasioninfostealerminerpersistencespywarestealerthemidatrojan
Score
10/10

behavioral5

djvuicedidnetsupportraccoonredlinesmokeloadersocelarsvidarxmrig7c9b4504a63ed23664e38808e65948379b790395874dee7d322070fc6dc34b3b6cd43904077db44d916921937james2221875681804backdoorbankerdiscoveryevasioninfostealerminerpersistenceransomwareratspywarestealerthemidatrojan
Score
10/10

behavioral6

djvuicedidraccoonredlinesmokeloadersocelarsvidarxmrig7c9b4504a63ed23664e38808e65948379b790395874dee7d322070fc6dc34b3b6cd43904077db44d9169219339371875681804backdoorbankerdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealerthemidatrojan
Score
10/10

behavioral7

djvuicedidraccoonredlinesmokeloadersocelarsvidarxmrigzloader7c9b4504a63ed23664e38808e65948379b790395874dee7d322070fc6dc34b3b6cd43904077db44d916921937james2221875681804backdoorbankerbotnetdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealerthemidatrojan
Score
10/10