General
-
Target
14f0c35e4f923341fa10da9189b9eab3cdb32fa1db2ed2c9d4207a7f15d702b0
-
Size
287KB
-
Sample
220113-vp5pysbgfl
-
MD5
57b8ba0b33941cd764cc9633201b238d
-
SHA1
629b2d65f2450fc6532a6d11178d8b885452ec36
-
SHA256
14f0c35e4f923341fa10da9189b9eab3cdb32fa1db2ed2c9d4207a7f15d702b0
-
SHA512
9ff8aa6767d0ede0d4007727277d0bdea3dce12fad0c80876aed999a8c1bec0ff9d1c053264e685d97d33f5c06b009863053aba5ebc691440eac12c800b745ef
Static task
static1
Behavioral task
behavioral1
Sample
14f0c35e4f923341fa10da9189b9eab3cdb32fa1db2ed2c9d4207a7f15d702b0.exe
Resource
win10-en-20211208
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
arkei
Default
http://file-file-host4.com/tratata.php
Extracted
tofsee
patmushta.info
parubey.info
Extracted
djvu
http://tzgl.org/lancer/get.php
-
extension
.zaqi
-
offline_id
uDLux1czyPsWNYYagNMKwIiTFQR7Ucyf00Na8st1
-
payload_url
http://kotob.top/dl/build2.exe
http://tzgl.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vrpzF37NH7 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: helprestoremanager@airmail.cc Your personal ID: 0372UIhfSd
Extracted
vidar
49.6
565
https://noc.social/@banda5ker
https://mastodon.social/@banda6ker
-
profile_id
565
Extracted
amadey
3.01
185.215.113.35/d2VxjasuwS/index.php
Extracted
vidar
49.5
517
https://qoto.org/@banda4ker
https://c.im/@banda3ker
-
profile_id
517
Targets
-
-
Target
14f0c35e4f923341fa10da9189b9eab3cdb32fa1db2ed2c9d4207a7f15d702b0
-
Size
287KB
-
MD5
57b8ba0b33941cd764cc9633201b238d
-
SHA1
629b2d65f2450fc6532a6d11178d8b885452ec36
-
SHA256
14f0c35e4f923341fa10da9189b9eab3cdb32fa1db2ed2c9d4207a7f15d702b0
-
SHA512
9ff8aa6767d0ede0d4007727277d0bdea3dce12fad0c80876aed999a8c1bec0ff9d1c053264e685d97d33f5c06b009863053aba5ebc691440eac12c800b745ef
-
Detected Djvu ransomware
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Arkei Stealer Payload
-
Vidar Stealer
-
XMRig Miner Payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Deletes itself
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
New Service
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
1Modify Registry
4File Permissions Modification
1Install Root Certificate
1