Fri051e1e7444.exe

General
Target

Fri051e1e7444.exe

Size

403KB

Sample

211022-tpmzgacgbr

Score
10/10
MD5

b4c503088928eef0e973a269f66a0dd2

SHA1

eb7f418b03aa9f21275de0393fcbf0d03b9719d5

SHA256

2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

SHA512

c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Malware Config

Extracted

Family redline
C2

205.185.119.191:60857

Extracted

Family vidar
Version 41.5
Botnet 921
C2

https://mas.to/@xeroxxx

Attributes
profile_id
921

Extracted

Family smokeloader
Version 2020
C2

http://gejajoo7.top/

http://sysaheu9.top/

rc4.i32
rc4.i32

Extracted

Family redline
Botnet james222
C2

135.181.129.119:4805

Extracted

Family vidar
Version 41.5
Botnet 937
C2

https://mas.to/@xeroxxx

Attributes
profile_id
937

Extracted

Family vidar
Version 41.5
Botnet 903
C2

https://mas.to/@xeroxxx

Attributes
profile_id
903

Extracted

Family raccoon
Botnet 7c9b4504a63ed23664e38808e65948379b790395
Attributes
url4cnc
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar
rc4.plain
rc4.plain

Extracted

Family vidar
Version 41.5
Botnet 933
C2

https://mas.to/@xeroxxx

Attributes
profile_id
933

Targets

Signatures

  • Modifies Windows Defender Real-time Protection settings

    TTPs

    Modify Registry, Modify Existing Service, Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE GCleaner Downloader Activity M5

  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

  • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Vidar Stealer

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery
  • Identifies Wine through registry keys

    Description

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation