General

  • Target

    9e8ba95bed5615d34a687d76d53ea6c1a4409b977f06478c95ed6af174d89004

  • Size

    273KB

  • Sample

    211204-v87cwsbdcr

  • MD5

    38f9a81be1276b23e05238b43e0bffff

  • SHA1

    e52e5c1c7aa8dc6e8b3a75553815cffe588f8010

  • SHA256

    9e8ba95bed5615d34a687d76d53ea6c1a4409b977f06478c95ed6af174d89004

  • SHA512

    dcc08ff8a03dddc70ef7e640a710a4ef3b342a9aa2c75c299b5327f806b04014eda30448c9fae5a295025fffdba9eb320ebbe78d9ebb93775a035a3cda13b0ee

Malware Config

Extracted

Path

C:\read-me.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
48 5D A8 78 01 48 B2 52 E5 19 BA BB 18 46 FD 59 59 0A D6 C3 6F 9D 9C 05 58 1B 20 E9 A5 F2 99 B0 8C 63 C4 5C 67 67 47 49 3F 5F 9C 2D 3D 82 8B 6E DA D0 75 EA D0 52 C0 BD 08 FD AD 01 FC 14 70 4A EF D0 6C 5E 1E FA 11 23 0D D5 36 D3 78 6F 64 F8 30 BB 41 1F 4C 10 CF 3E 5E DC B6 31 23 E2 78 86 24 15 16 C6 EE C0 00 F4 B9 A1 7C 1B D1 B0 6A 24 8F 50 41 69 2E 0F 00 77 5D 89 2B B0 F2 1E BF D8 FA 6E 68 19 55 18 B8 E6 53 3F 39 98 08 4C 17 BA 3F C3 CB D3 A2 A4 91 78 C9 E6 D5 E6 83 30 33 03 87 D3 88 9C 61 62 09 DA C2 DD C0 17 BD F4 43 13 64 19 11 6F AD 9A 68 A5 C5 9C 52 F0 0C 50 98 64 E6 CD 6C BA 02 10 80 A6 23 41 C9 0A D7 1A 67 99 AA 79 D0 47 EC D0 65 35 B2 96 A8 4C D6 8B A5 4B 27 48 9B 5E E6 49 63 11 97 4E 23 5C 7A 5A 93 A7 22 C7 CE BF 9E 9A EB 10 9A AA 13 33 BF 4C EC A2
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\Boot\bg-BG\Read_Me.txt

Ransom Note
Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101UMNFWDKQ
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101UMNFWDKQ

https://yip.su/2QstD5

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

http://planilhasvba.com.br/wp-admin/js/k/index.php

http://rpk32ubon.ac.th/backup/k/index.php

http://4urhappiness.com/app/k/index.php

http://swedenkhabar.com/wp-admin/js/k/index.php

http://cio.lankapanel.net/wp-admin/js/k/index.php

http://fcmsites.com.br/canal/wp-admin/js/k/index.php

http://lacoibipitanga.com.br/maxart/k/index.php

http://lacoibipitanga.com.br/cgi-bin/k/index.php

http://video.nalahotel.com/k/index.php

http://diving-phocea.com/wp-admin/k/index.php

rc4.i32
rc4.i32
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

8b6023dd139bdc34aab99c286fae23d1442b4956

Attributes
  • url4cnc

    http://91.219.236.27/h_electricryptors2

    http://5.181.156.92/h_electricryptors2

    http://91.219.236.207/h_electricryptors2

    http://185.225.19.18/h_electricryptors2

    http://91.219.237.227/h_electricryptors2

    https://t.me/h_electricryptors2

rc4.plain
rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes
  • url4cnc

    http://91.219.236.207/capibar

    http://185.225.19.18/capibar

    http://91.219.237.227/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b2ef6df07cefd70742a1d2de874b0494a6c0af23

Attributes
  • url4cnc

    http://94.158.245.137/lesterri2

    http://91.219.236.27/lesterri2

    http://94.158.245.167/lesterri2

    http://185.163.204.216/lesterri2

    http://185.225.19.238/lesterri2

    http://185.163.204.218/lesterri2

    https://t.me/lesterri2

rc4.plain
rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

a1fcef6b211f7efaa652483b438c193569359f50

Attributes
  • url4cnc

    http://94.158.245.137/duglassa1

    http://91.219.236.27/duglassa1

    http://94.158.245.167/duglassa1

    http://185.163.204.216/duglassa1

    http://185.225.19.238/duglassa1

    http://185.163.204.218/duglassa1

    https://t.me/duglassa1

rc4.plain
rc4.plain

Targets

    • Target

      9e8ba95bed5615d34a687d76d53ea6c1a4409b977f06478c95ed6af174d89004

    • Size

      273KB

    • MD5

      38f9a81be1276b23e05238b43e0bffff

    • SHA1

      e52e5c1c7aa8dc6e8b3a75553815cffe588f8010

    • SHA256

      9e8ba95bed5615d34a687d76d53ea6c1a4409b977f06478c95ed6af174d89004

    • SHA512

      dcc08ff8a03dddc70ef7e640a710a4ef3b342a9aa2c75c299b5327f806b04014eda30448c9fae5a295025fffdba9eb320ebbe78d9ebb93775a035a3cda13b0ee

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • suricata: ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, then each technique as: name, technique ID (number of matching signatures).

Execution
    • Scheduled Task, T1053 (1)

Persistence
    • Hidden Files and Directories, T1158 (2)
    • Registry Run Keys / Startup Folder, T1060 (1)
    • Scheduled Task, T1053 (1)

Privilege Escalation
    • Scheduled Task, T1053 (1)

Defense Evasion
    • Virtualization/Sandbox Evasion, T1497 (1)
    • Hidden Files and Directories, T1158 (2)
    • Modify Registry, T1112 (1)

Credential Access
    • Credentials in Files, T1081 (3)

Discovery
    • Query Registry, T1012 (6)
    • Virtualization/Sandbox Evasion, T1497 (1)
    • System Information Discovery, T1082 (6)
    • Peripheral Device Discovery, T1120 (2)

Collection
    • Data from Local System, T1005 (3)
    • Email Collection, T1114 (1)

Tasks