Resubmissions

06-11-2021 17:27

211106-v1eynsegh5 10

06-11-2021 17:14

211106-vr22vaegg2 10

06-11-2021 16:59

211106-vhd9escbfk 10

General

  • Target

    0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f

  • Size

    201KB

  • Sample

    211106-v1eynsegh5

  • MD5

    2f026a4e714a11325ce22490c0558e53

  • SHA1

    89d742acc48ec9a94b2670925cfd31934b022a51

  • SHA256

    0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f

  • SHA512

    512f3d8f193116f67994c34ff8a95b71f032cb2a04be7efb910ebe1460c01e77e2619172f1522ea2de146858a86b0c12982b009ccde20ff46611dc7f1dadee2f

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dFmA3YqXzs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0346uSifkebOv2SYyMt1QQk2YtWoA73mCSYVUdqKt6wU7yASwQ
URLs

https://we.tl/t-dFmA3YqXzs

Extracted

Family

smokeloader

Version

2020

C2

http://hefahei60.top/

http://pipevai40.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

Botnet

new

C2

93.115.20.139:28978

Extracted

Family

redline

C2

104.168.237.55:44505

Extracted

Family

redline

Botnet

SuperStar

C2

185.215.113.29:36224

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes
  • url4cnc

    http://telegin.top/capibar

    http://ttmirror.top/capibar

    http://teletele.top/capibar

    http://telegalive.top/capibar

    http://toptelete.top/capibar

    http://telegraf.top/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

raccoon

Version

1.8.3

Botnet

a741159db87f9df2b687764994c63c4c859ea476

Attributes
  • url4cnc

    http://178.23.190.57/hiioBlacklight1

    http://91.219.236.162/hiioBlacklight1

    http://185.163.47.176/hiioBlacklight1

    http://193.38.54.238/hiioBlacklight1

    http://74.119.192.122/hiioBlacklight1

    http://91.219.236.240/hiioBlacklight1

    https://t.me/hiioBlacklight1

rc4.plain
rc4.plain

Extracted

Family

raccoon

Version

1.8.3

Botnet

243f5e3056753d9f9706258dce4f79e57c3a9c44

Attributes
  • url4cnc

    http://178.23.190.57/agrybirdsgamerept

    http://91.219.236.162/agrybirdsgamerept

    http://185.163.47.176/agrybirdsgamerept

    http://193.38.54.238/agrybirdsgamerept

    http://74.119.192.122/agrybirdsgamerept

    http://91.219.236.240/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

zolosad

C2

65.108.55.203:56717

Extracted

Family

redline

Botnet

mix world

C2

95.216.43.58:40566

Extracted

Family

djvu

C2

http://pqkl.org/lancer/get.php

Attributes
  • extension

    .irfk

  • offline_id

    7HKlLI6NrOQGMaTs5PqjvV1UcZ3VOcIeyFiH3Wt1

  • payload_url

    http://kotob.top/dl/build2.exe

    http://pqkl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dFmA3YqXzs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0346uSifke

rsa_pubkey.plain

Extracted

Family

vidar

Version

47.9

Botnet

706

C2

https://mas.to/@kirpich

Attributes
  • profile_id

    706

Targets

    • Target

      0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f

    • Size

      201KB

    • MD5

      2f026a4e714a11325ce22490c0558e53

    • SHA1

      89d742acc48ec9a94b2670925cfd31934b022a51

    • SHA256

      0f7361229bd8aa3f5a812eaa812bb2289d97b9f7d82b103d1c90dc333c0be10f

    • SHA512

      512f3d8f193116f67994c34ff8a95b71f032cb2a04be7efb910ebe1460c01e77e2619172f1522ea2de146858a86b0c12982b009ccde20ff46611dc7f1dadee2f

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Vidar Stealer

    • XMRig Miner Payload

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

New Service

1
T1050

Registry Run Keys / Startup Folder

3
T1060

Modify Existing Service

1
T1031

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

6
T1112

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Tasks