Fri051e1e7444.exe

General
Target

Fri051e1e7444.exe

Size

403KB

Sample

211022-v8trsscggr

Score
10 /10
MD5

b4c503088928eef0e973a269f66a0dd2

SHA1

eb7f418b03aa9f21275de0393fcbf0d03b9719d5

SHA256

2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

SHA512

c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Malware Config

Extracted

Path C:\_readme.txt
Family djvu
Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-pk3SGFlmek Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: supporthelp@airmail.cc Your personal ID: 0341gSd743dw5bW9VHoXUsivc5FZ0yEV7QenO6CpYtFwFaxwujj
Emails

manager@mailtemp.ch

supporthelp@airmail.cc

URLs

https://we.tl/t-pk3SGFlmek

Extracted

Family vidar
Version 41.5
Botnet 903
C2

https://mas.to/@xeroxxx

Attributes
profile_id
903

Extracted

Family smokeloader
Version 2020
C2

http://gejajoo7.top/

http://sysaheu9.top/

rc4.i32
rc4.i32

Extracted

Family vidar
Version 41.5
Botnet 937
C2

https://mas.to/@xeroxxx

Attributes
profile_id
937

Extracted

Family redline
C2

205.185.119.191:60857

Extracted

Family vidar
Version 41.5
Botnet 921
C2

https://mas.to/@xeroxxx

Attributes
profile_id
921

Extracted

Family raccoon
Botnet 7c9b4504a63ed23664e38808e65948379b790395
Attributes
url4cnc
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar
rc4.plain
rc4.plain

Extracted

Family vidar
Version 41.5
Botnet 933
C2

https://mas.to/@xeroxxx

Attributes
profile_id
933

Extracted

Family djvu
C2

http://rlrz.org/lancer

Targets
Target

Fri051e1e7444.exe

MD5

b4c503088928eef0e973a269f66a0dd2

Filesize

403KB

Score
10/10
SHA1

eb7f418b03aa9f21275de0393fcbf0d03b9719d5

SHA256

2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

SHA512

c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Tags

Signatures

  • Djvu Ransomware

    Description

    Ransomware which is a variant of the STOP family.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • Zloader, Terdot, DELoader, ZeusSphinx

    Description

    Zloader is a malware strain that was initially discovered back in August 2015.

    Tags

  • suricata: ET MALWARE DCRAT Activity (GET)

    Description

    suricata: ET MALWARE DCRAT Activity (GET)

    Tags

  • suricata: ET MALWARE GCleaner Downloader Activity M5

    Description

    suricata: ET MALWARE GCleaner Downloader Activity M5

    Tags

  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    Description

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    Tags

  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    Description

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Description

    suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Description

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    Description

    suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    Tags

  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    Description

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    Tags

  • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    Description

    suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    Tags

  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Identifies Wine through registry keys

    Description

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses Microsoft Outlook accounts

    Tags

    TTPs

    Email Collection
  • Accesses Microsoft Outlook profiles

    Tags

    TTPs

    Email Collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks