anchordns | cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea

Sharing

Copy URL

Twitter E-mail

General

Target

cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea
Size

338KB
Sample

211105-qs9qvsbha4
MD5

6b93dd63fcb946bc0b06c2890bff8a2f
SHA1

342b4dafea65405ef8a3744f85591e81cf683564
SHA256

cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea
SHA512

07ef315b9bd38a626ee096466bc1b14a0d3bd761bdfc765dec14e945edf59129e38e57e71da09f682929583047ba5e5e5471a4142b9d0f13222c248d86cb69f4

Malware Config

Extracted

Family

smokeloader

Version

2020

http://hefahei60.top/

http://pipevai40.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

tofsee

quadoil.ru

lakeflex.ru

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

redline

Botnet

23435346346

93.115.20.139:28978

Extracted

Family

redline

Botnet

LOVE

91.242.229.222:21475

Extracted

Family

redline

Botnet

101

185.92.73.142:52097

Extracted

Family

raccoon

Botnet

1cb6d1b7211b77f96ff654c9904c9c8522f8a677

Attributes

url4cnc
http://teleliver.top/hiioBlacklight1

http://livetelive.top/hiioBlacklight1

http://teleger.top/hiioBlacklight1

http://telestrong.top/hiioBlacklight1

http://tgrampro.top/hiioBlacklight1

http://teleghost.top/hiioBlacklight1

http://teleroom.top/hiioBlacklight1

http://telemir.top/hiioBlacklight1

http://teletelo.top/hiioBlacklight1

https://t.me/hiioBlacklight1

rc4.plain

Extracted

Family

raccoon

Botnet

8f84893fac8025c5bfbe688da7bcaf1820b04ead

Attributes

url4cnc
http://teleliver.top/agrybirdsgamerept

http://livetelive.top/agrybirdsgamerept

http://teleger.top/agrybirdsgamerept

http://telestrong.top/agrybirdsgamerept

http://tgrampro.top/agrybirdsgamerept

http://teleghost.top/agrybirdsgamerept

http://teleroom.top/agrybirdsgamerept

http://telemir.top/agrybirdsgamerept

http://teletelo.top/agrybirdsgamerept

rc4.plain

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar

http://ttmirror.top/capibar

http://teletele.top/capibar

http://telegalive.top/capibar

http://toptelete.top/capibar

http://telegraf.top/capibar

https://t.me/capibar

rc4.plain

Extracted

Family

vidar

Version

47.9

Botnet

1055

https://mas.to/@kirpich

Attributes

profile_id
1055

Extracted

Family

djvu

http://pqkl.org/lancer/get.php

Attributes

extension
.irfk
offline_id
7HKlLI6NrOQGMaTs5PqjvV1UcZ3VOcIeyFiH3Wt1
payload_url
http://kotob.top/dl/build2.exe

http://pqkl.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dFmA3YqXzs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0346uSifke

rsa_pubkey.plain

Extracted

Family

vidar

Version

47.9

Botnet

706

https://mas.to/@kirpich

Attributes

profile_id
706

Extracted

Family

vidar

Version

47.9

Botnet

517

https://mas.to/@kirpich

Attributes

profile_id
517

Targets

- Target
  
  cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea
- Size
  
  338KB
- MD5
  
  6b93dd63fcb946bc0b06c2890bff8a2f
- SHA1
  
  342b4dafea65405ef8a3744f85591e81cf683564
- SHA256
  
  cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea
- SHA512
  
  07ef315b9bd38a626ee096466bc1b14a0d3bd761bdfc765dec14e945edf59129e38e57e71da09f682929583047ba5e5e5471a4142b9d0f13222c248d86cb69f4
Score

10^/10

anchordns arkei bazarloader djvu raccoon redline smokeloader tofsee vidar xmrig 101 1055 1cb6d1b7211b77f96ff654c9904c9c8522f8a677 23435346346 517 706 8dec62c1db2959619dca43e02fa46ad7bd606400 8f84893fac8025c5bfbe688da7bcaf1820b04ead love superstar backdoor discovery dropper evasion infostealer loader miner persistence ransomware spyware stealer themida trojan
- AnchorDNS Backdoor
  A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
  backdoor anchordns
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Detected AnchorDNS Backdoor
  Sample triggered yara rules associated with the AnchorDNS malware family.
  backdoor
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Arkei Stealer Payload
  stealer
- Bazar/Team9 Loader payload
- Core1 .NET packer
  Detects packer/loader used by .NET malware.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1