Malware sandboxing report by Hatching Triage

Target

2a0ecd6047ac3e929413c9dc65fd9550.exe

Size

278KB

Sample

211120-lyc7macfcp

Score

10^/10

MD5

2a0ecd6047ac3e929413c9dc65fd9550

SHA1

cab43b6a7d163a16b052bde9ad9392fa7fe1809e

SHA256

77a56e7215c37931be8cb84232306667ec719336e2ae38fb75ed30bc39c303b9

SHA512

03ea28406bc08b13d283bbe8510d52ef8ddf5d5773038805c77b24d52fd61d745cd21739fb9780559845a47b9746f8a19b4c1a19d6a470f93dfabcc85c681f96

Extracted

Family	smokeloader
Version	2020
C2	http://host-file-host6.com/ http://host-host-file8.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/ http://host-file-host6.com/ http://host-host-file8.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family	tofsee
C2	quadoil.ru lakeflex.ru quadoil.ru lakeflex.ru

Extracted

Family	redline
C2	185.159.80.90:38637 185.159.80.90:38637

Extracted

Family	raccoon
Version	1.8.3-hotfix
Botnet	ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
Attributes	url4cnc http://91.219.236.27/capibar http://5.181.156.92/capibar http://91.219.236.207/capibar http://185.225.19.18/capibar http://91.219.237.227/capibar https://t.me/capibar
rc4.plain
rc4.plain

Extracted

Family	arkei
Botnet	Default
C2	http://file-file-host4.com/tratata.php http://file-file-host4.com/tratata.php

Extracted

Family	raccoon
Version	1.8.3-hotfix
Botnet	59885c564847bf29ddd9457b81c619998245ba90
Attributes	url4cnc http://91.219.236.27/opussenseus1 http://5.181.156.92/opussenseus1 http://91.219.236.207/opussenseus1 http://185.225.19.18/opussenseus1 http://91.219.237.227/opussenseus1 https://t.me/opussenseus1
rc4.plain
rc4.plain

Extracted

Family	redline
Botnet	easymoneydontshiny
C2	45.153.186.153:56675 45.153.186.153:56675

Extracted

Family	vidar
Version	48.6
Botnet	706
C2	https://mastodon.online/@valhalla https://koyu.space/@valhalla https://mastodon.online/@valhalla https://koyu.space/@valhalla
Attributes	profile_id 706

Target

2a0ecd6047ac3e929413c9dc65fd9550.exe

MD5

2a0ecd6047ac3e929413c9dc65fd9550

Filesize

278KB

Score

10^/10

SHA1

cab43b6a7d163a16b052bde9ad9392fa7fe1809e

SHA256

77a56e7215c37931be8cb84232306667ec719336e2ae38fb75ed30bc39c303b9

SHA512

03ea28406bc08b13d283bbe8510d52ef8ddf5d5773038805c77b24d52fd61d745cd21739fb9780559845a47b9746f8a19b4c1a19d6a470f93dfabcc85c681f96

Signatures

Arkei
Description

Arkei is an infostealer written in C++.
Tags

stealer arkei
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Tofsee
Description

Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
Tags

trojan tofsee
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
Windows security bypass
Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
suricata: ET MALWARE DCRAT Activity (GET)
Description

suricata: ET MALWARE DCRAT Activity (GET)
Tags

suricata
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
Description

suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
Tags

suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Description

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
xmrig
Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags

miner xmrig
Arkei Stealer Payload
Tags

stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Vidar Stealer
Tags

stealer
XMRig Miner Payload
Tags

miner
Creates new service(s)
Tags

persistence

TTPs

New Service
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Sets service image path in registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Themida packer
Description

Detects Themida, an advanced Windows software protection system.
Tags

themida
Accesses 2FA software files, possible credential harvesting
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses Microsoft Outlook profiles
Tags

collection

TTPs

Email Collection
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

Score

N/A

behavioral1

raccoon redline smokeloader tofsee ddf183af4241e3172885cf1b2c4c1fb4ee03d05a backdoor discovery evasion infostealer persistence spyware stealer trojan

Score

10^/10

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Tags

Signatures

Arkei

Description

Tags

Process spawned unexpected child process

Description

Raccoon

Description

Tags

RedLine

Description

Tags

RedLine Payload

SmokeLoader

Description

Tags

Tofsee

Description

Tags

Vidar

Description

Tags

Windows security bypass

Tags

TTPs

suricata: ET MALWARE DCRAT Activity (GET)

Description

Tags

suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

Description

Tags

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Description

Tags

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

Description

Tags

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

Description

Tags

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Description

Tags

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

Description

Tags

xmrig

Description

Tags

Arkei Stealer Payload

Tags

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags

TTPs

Vidar Stealer

Tags

XMRig Miner Payload

Tags

Creates new service(s)

Tags

TTPs

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Tags

TTPs

Sets service image path in registry

Tags

TTPs

Checks BIOS information in registry

Description