Overview

overview

10

Static

static

75b52e3106...a5.exe

windows7_x64

10

75b52e3106...a5.exe

windows7_x64

10

75b52e3106...a5.exe

windows7_x64

10

75b52e3106...a5.exe

windows11_x64

10

75b52e3106...a5.exe

windows10_x64

10

75b52e3106...a5.exe

windows10_x64

10

75b52e3106...a5.exe

windows10_x64

10

Resubmissions

05-11-2021 06:32

211105-hawghsagd4 10

05-11-2021 06:20

211105-g3tyqafhan 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5

  • Size

    342KB

  • Sample

    211105-hawghsagd4

  • MD5

    32471f45ab82afca2523f848c39bda10

  • SHA1

    f63dd9cbfe36beed4c9227205f9fc330f4573338

  • SHA256

    75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5

  • SHA512

    d1cecf935d37e52d79cda1f53ca8ab55e4b7729b6d83630ae41cfdc6bbe43d2524907eacc3fc1df289f24846b72b8b1a5b8c8f209fdca6deca278923b4ebe639

Score
10/10
djvuicedidraccoonredlinesmokeloadertofseevidarxmrig1011cb6d1b7211b77f96ff654c9904c9c8522f8a677234353463465177068dec62c1db2959619dca43e02fa46ad7bd6064008f84893fac8025c5bfbe688da7bcaf1820b04eadcf8c71fed0cf0dfbee3479ea60d7e24ca157301clovesuperstar3055572094backdoorbankerdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dFmA3YqXzs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: helprestoremanager@airmail.cc Your personal ID: 0346uSifkeUF7tMILPhG9Pked0JbTh6yy2R8gRVPJkhiHtW6kq
Emails

manager@mailtemp.ch

helprestoremanager@airmail.cc
URLs

https://we.tl/t-dFmA3YqXzs

Extracted

Family

smokeloader

Version

2020

C2

http://honawey70.top/

http://wijibui00.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

91.219.63.223:10118

Extracted

Family

redline

Botnet

SuperStar

C2

185.215.113.29:36224

Extracted

Family

icedid

Campaign

3055572094

C2

actuallyobligat.ink

Extracted

Family

redline

Botnet

LOVE

C2

91.242.229.222:21475

Extracted

Family

redline

Botnet

23435346346

C2

93.115.20.139:28978

Extracted

Family

redline

Botnet

101

C2

185.92.73.142:52097

Extracted

Family

raccoon

Botnet

cf8c71fed0cf0dfbee3479ea60d7e24ca157301c

Attributes
  • url4cnc

    http://teleliver.top/hoverpattern31

    http://livetelive.top/hoverpattern31

    http://teleger.top/hoverpattern31

    http://telestrong.top/hoverpattern31

    http://tgrampro.top/hoverpattern31

    http://teleghost.top/hoverpattern31

    http://teleroom.top/hoverpattern31

    http://telemir.top/hoverpattern31

    http://teletelo.top/hoverpattern31

    https://t.me/hoverpattern31

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

1cb6d1b7211b77f96ff654c9904c9c8522f8a677

Attributes
  • url4cnc

    http://teleliver.top/hiioBlacklight1

    http://livetelive.top/hiioBlacklight1

    http://teleger.top/hiioBlacklight1

    http://telestrong.top/hiioBlacklight1

    http://tgrampro.top/hiioBlacklight1

    http://teleghost.top/hiioBlacklight1

    http://teleroom.top/hiioBlacklight1

    http://telemir.top/hiioBlacklight1

    http://teletelo.top/hiioBlacklight1

    https://t.me/hiioBlacklight1

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

8f84893fac8025c5bfbe688da7bcaf1820b04ead

Attributes
  • url4cnc

    http://teleliver.top/agrybirdsgamerept

    http://livetelive.top/agrybirdsgamerept

    http://teleger.top/agrybirdsgamerept

    http://telestrong.top/agrybirdsgamerept

    http://tgrampro.top/agrybirdsgamerept

    http://teleghost.top/agrybirdsgamerept

    http://teleroom.top/agrybirdsgamerept

    http://telemir.top/agrybirdsgamerept

    http://teletelo.top/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes
  • url4cnc

    http://telegin.top/capibar

    http://ttmirror.top/capibar

    http://teletele.top/capibar

    http://telegalive.top/capibar

    http://toptelete.top/capibar

    http://telegraf.top/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

djvu

C2

http://pqkl.org/lancer/get.php

Attributes
  • extension

    .irfk

  • offline_id

    7HKlLI6NrOQGMaTs5PqjvV1UcZ3VOcIeyFiH3Wt1

  • payload_url

    http://kotob.top/dl/build2.exe

    http://pqkl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dFmA3YqXzs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: helprestoremanager@airmail.cc Your personal ID: 0346uSifke

rsa_pubkey.plain

Extracted

Family

vidar

Version

47.9

Botnet

706

C2

https://mas.to/@kirpich

Attributes
  • profile_id

    706

Extracted

Family

vidar

Version

47.9

Botnet

517

C2

https://mas.to/@kirpich

Attributes
  • profile_id

    517

Targets

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

3
T1060

New Service

1
T1050

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

New Service

1
T1050

Scheduled Task

1
T1053

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

1
T1497

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

7
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks

static1

Score
N/A

behavioral1

djvuicedidraccoonredlinesmokeloadertofseevidarxmrig1011cb6d1b7211b77f96ff654c9904c9c8522f8a677234353463465177068dec62c1db2959619dca43e02fa46ad7bd6064008f84893fac8025c5bfbe688da7bcaf1820b04eadcf8c71fed0cf0dfbee3479ea60d7e24ca157301clovesuperstar3055572094backdoorbankerdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral2

djvuicedidraccoonredlinesmokeloadertofseevidarxmrig1011cb6d1b7211b77f96ff654c9904c9c8522f8a677234353463465177068dec62c1db2959619dca43e02fa46ad7bd6064008f84893fac8025c5bfbe688da7bcaf1820b04eadcf8c71fed0cf0dfbee3479ea60d7e24ca157301clovesuperstar3055572094backdoorbankerdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral3

icedidraccoonredlinesmokeloadertofseexmrig1011cb6d1b7211b77f96ff654c9904c9c8522f8a677234353463468dec62c1db2959619dca43e02fa46ad7bd6064008f84893fac8025c5bfbe688da7bcaf1820b04eadcf8c71fed0cf0dfbee3479ea60d7e24ca157301clovesuperstar3055572094backdoorbankerdiscoveryevasioninfostealerminerpersistencespywarestealertrojan
Score
10/10

behavioral4

icedidraccoonredlinesmokeloadertofsee10123435346346superstar3055572094backdoorbankerdiscoveryevasioninfostealerspywarestealertrojan
Score
10/10

behavioral5

djvuicedidraccoonredlinesmokeloadertofseevidarxmrig234353463465177068dec62c1db2959619dca43e02fa46ad7bd606400cf8c71fed0cf0dfbee3479ea60d7e24ca157301clovesuperstar3055572094backdoorbankerdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral6

djvuicedidraccoonredlinesmokeloadertofseevidarxmrig1011cb6d1b7211b77f96ff654c9904c9c8522f8a677234353463465177068dec62c1db2959619dca43e02fa46ad7bd6064008f84893fac8025c5bfbe688da7bcaf1820b04eadcf8c71fed0cf0dfbee3479ea60d7e24ca157301clovesuperstar3055572094backdoorbankerdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral7

djvuicedidraccoonredlinesmokeloadertofseevidarxmrig1011cb6d1b7211b77f96ff654c9904c9c8522f8a677234353463465177068dec62c1db2959619dca43e02fa46ad7bd6064008f84893fac8025c5bfbe688da7bcaf1820b04eadcf8c71fed0cf0dfbee3479ea60d7e24ca157301clovesuperstar3055572094backdoorbankerdiscoveryevasioninfostealerminerpersistenceransomwarespywarestealertrojan
Score
10/10