Malware sandboxing report by Hatching Triage

Target

b100408d321895b3b9ae98ed665e41a70b257c807e0c9900e65f10267a48334d

Size

277KB

Sample

211120-mlsxzscffj

Score

10^/10

MD5

92ee3bacc5bde327faa2756b4d412ca9

SHA1

aa9e74090723cfbd7dcf5f95721608ca3cfb10a6

SHA256

b100408d321895b3b9ae98ed665e41a70b257c807e0c9900e65f10267a48334d

SHA512

8a00b6e5cabe1a50050eec15245d78dd0b6b14056d3117d6399873fc67a506582c7ebbe45accfcbd35786e476fa4cacf02b2d240cacd79473f7fb518b313a8a5

Extracted

Family	smokeloader
Version	2020
C2	http://host-file-host6.com/ http://host-host-file8.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/ http://host-file-host6.com/ http://host-host-file8.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family	tofsee
C2	quadoil.ru lakeflex.ru quadoil.ru lakeflex.ru

Extracted

Family	raccoon
Version	1.8.3-hotfix
Botnet	ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
Attributes	url4cnc http://91.219.236.27/capibar http://5.181.156.92/capibar http://91.219.236.207/capibar http://185.225.19.18/capibar http://91.219.237.227/capibar https://t.me/capibar
rc4.plain
rc4.plain

Extracted

Family	redline
C2	185.159.80.90:38637 185.159.80.90:38637

Extracted

Family	arkei
Botnet	Default
C2	http://file-file-host4.com/tratata.php http://file-file-host4.com/tratata.php

Extracted

Family	raccoon
Version	1.8.3-hotfix
Botnet	59885c564847bf29ddd9457b81c619998245ba90
Attributes	url4cnc http://91.219.236.27/opussenseus1 http://5.181.156.92/opussenseus1 http://91.219.236.207/opussenseus1 http://185.225.19.18/opussenseus1 http://91.219.237.227/opussenseus1 https://t.me/opussenseus1
rc4.plain
rc4.plain

Extracted

Family	redline
Botnet	Sleeze
C2	194.127.179.0:42417 194.127.179.0:42417

Extracted

Family	redline
Botnet	easymoneydontshiny
C2	45.153.186.153:56675 45.153.186.153:56675

Extracted

Family	warzonerat
C2	176.113.82.95:5200 176.113.82.95:5200

Extracted

Family	vidar
Version	48.6
Botnet	706
C2	https://mastodon.online/@valhalla https://koyu.space/@valhalla https://mastodon.online/@valhalla https://koyu.space/@valhalla
Attributes	profile_id 706

Target

b100408d321895b3b9ae98ed665e41a70b257c807e0c9900e65f10267a48334d

MD5

92ee3bacc5bde327faa2756b4d412ca9

Filesize

277KB

Score

10^/10

SHA1

aa9e74090723cfbd7dcf5f95721608ca3cfb10a6

SHA256

b100408d321895b3b9ae98ed665e41a70b257c807e0c9900e65f10267a48334d

SHA512

8a00b6e5cabe1a50050eec15245d78dd0b6b14056d3117d6399873fc67a506582c7ebbe45accfcbd35786e476fa4cacf02b2d240cacd79473f7fb518b313a8a5

Signatures

Arkei
Description

Arkei is an infostealer written in C++.
Tags

stealer arkei
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Tofsee
Description

Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
Tags

trojan tofsee
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
WarzoneRat, AveMaria
Description

WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Tags

rat infostealer warzonerat
Windows security bypass
Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
suricata: ET MALWARE DCRAT Activity (GET)
Description

suricata: ET MALWARE DCRAT Activity (GET)
Tags

suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Description

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
xmrig
Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags

miner xmrig
Arkei Stealer Payload
Tags

stealer
Vidar Stealer
Tags

stealer
Warzone RAT Payload
Tags

rat
XMRig Miner Payload
Tags

miner
Creates new service(s)
Tags

persistence

TTPs

New Service
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Sets DLL path for service in the registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Sets service image path in registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses 2FA software files, possible credential harvesting
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses Microsoft Outlook profiles
Tags

collection

TTPs

Email Collection
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Modifies WinLogon
Tags

persistence

TTPs

Winlogon Helper DLLModify Registry
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral1

Collection

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

Score

N/A

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Tags

Signatures

Arkei

Description

Tags

Process spawned unexpected child process

Description

Raccoon

Description

Tags

RedLine

Description

Tags

RedLine Payload

SmokeLoader

Description

Tags

Tofsee

Description

Tags

Vidar

Description

Tags

WarzoneRat, AveMaria

Description

Tags

Windows security bypass

Tags

TTPs

suricata: ET MALWARE DCRAT Activity (GET)

Description

Tags

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Description

Tags

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

Description

Tags

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

Description

Tags

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Description

Tags

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

Description

Tags

xmrig

Description

Tags

Arkei Stealer Payload

Tags

Vidar Stealer

Tags

Warzone RAT Payload

Tags

XMRig Miner Payload

Tags

Creates new service(s)

Tags

TTPs

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Tags

TTPs

Sets DLL path for service in the registry

Tags

TTPs

Sets service image path in registry