Overview
General
-
Target
7zS850A099E.zip
-
Size
6.4MB
-
Sample
220119-j26l8sgcbj
-
MD5
3d48b7e12b7b19fc0a0dc993f61b1479
-
SHA1
a6bc19d6b6d3d8a9993aa6f96ee9743cbe898354
-
SHA256
3a16c941223ae24e33b62e925575669a52f7993765aadf075a8bea5decd8a836
-
SHA512
4d1e3560a00dd81e3dad217d26a43d3ddaa3ed2becb63cf10985fb9f8d193a6b5f5aa05eeb11865f0714ce97aea56ca4e787fe5a4f1544be9b964fe44c9328a9
Behavioral tasks
behavioral1: 7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe (win7-en-20211208)
behavioral2: 7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe (win10v2004-en-20220113)
behavioral3: 7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe (win7-en-20211208)
behavioral4: 7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe (win10v2004-en-20220113)
behavioral5: 7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe (win7-en-20211208)
behavioral6: 7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe (win10v2004-en-20220112)
behavioral7: 7zS850A099E/61e74fd53f766_Tue23ec97445e.exe (win7-en-20211208)
behavioral8: 7zS850A099E/61e74fd53f766_Tue23ec97445e.exe (win10v2004-en-20220112)
behavioral9: 7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe (win7-en-20211208)
behavioral10: 7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe (win10v2004-en-20220112)
behavioral11: 7zS850A099E/61e74fd8ef830_Tue23593425095.exe (win7-en-20211208)
behavioral12: 7zS850A099E/61e74fd8ef830_Tue23593425095.exe (win10v2004-en-20220113)
behavioral13: 7zS850A099E/61e74fda51500_Tue23260baecb.exe (win7-en-20211208)
behavioral14: 7zS850A099E/61e74fda51500_Tue23260baecb.exe (win10v2004-en-20220113)
behavioral15: 7zS850A099E/61e7501ab629f_Tue23c4645058.exe (win7-en-20211208)
behavioral16: 7zS850A099E/61e7501ab629f_Tue23c4645058.exe (win10v2004-en-20220113)
behavioral17: 7zS850A099E/61e7501b7eabe_Tue2344597f.exe (win7-en-20211208)
behavioral18: 7zS850A099E/61e7501b7eabe_Tue2344597f.exe (win10v2004-en-20220113)
behavioral19: 7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe (win7-en-20211208)
behavioral20: 7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe (win10v2004-en-20220112)
behavioral21: 7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe (win7-en-20211208)
behavioral22: 7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe (win10v2004-en-20220112)
behavioral23: 7zS850A099E/61e7502b8389b_Tue233252e9.exe (win7-en-20211208)
behavioral24: 7zS850A099E/61e7502b8389b_Tue233252e9.exe (win10v2004-en-20220112)
behavioral25: 7zS850A099E/61e7502c4cff3_Tue232cba58c.exe (win7-en-20211208)
behavioral26: 7zS850A099E/61e7502c4cff3_Tue232cba58c.exe (win10v2004-en-20220113)
behavioral27: 7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe (win7-en-20211208)
behavioral28: 7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe (win10v2004-en-20220113)
behavioral29: 7zS850A099E/setup_install.exe (win7-en-20211208)
behavioral30: 7zS850A099E/setup_install.exe (win10v2004-en-20220113)
Malware Config
Extracted: socelars
-
C2
http://www.kvubgc.com/
http://www.nvdmzf.com/
Extracted: smokeloader
-
Version
2020
-
C2
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://nahbleiben.at/upload/
http://noblecreativeaz.com/upload/
http://tvqaq.cn/upload/
http://recmaster.ru/upload/
http://sovels.ru/upload/
Extracted: vidar
-
Version
49.6
-
Botnet
937
-
C2
https://noc.social/@banda5ker
https://mastodon.social/@banda6ker
-
profile_id
937
Extracted: djvu
-
C2
http://tzgl.org/fhsgtsspen6/get.php
-
extension
.vfgj
-
offline_id
WogvSfoAvBR96w6Ci56Ga0byuMMEjbGykQPsIXt1
-
payload_url
http://kotob.top/dl/build2.exe
http://tzgl.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-Xk9HCEGEfF Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: helprestoremanager@airmail.cc Your personal ID: 0373UIhfSd
Extracted: vidar
-
Version
49.6
-
Botnet
517
-
C2
https://noc.social/@banda5ker
https://mastodon.social/@banda6ker
-
profile_id
517
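The C2 list above is most useful once it is a watchlist that can be run over egress logs. The script below is an added example, not part of the sandbox report: the URLs are copied from the Malware Config section, the proxy log lines and client addresses are constructed, and the Squid native log layout and the PATH_REQUIRED set (the Mastodon profiles are dead-drop resolvers on a legitimate service, so a bare hostname match there is noise) are assumptions.

```python
"""Hunt proxy logs for the C2 hosts extracted from this sample bundle.

Added example; the URLs are copied from the Malware Config section, the log
lines are constructed, and the Squid native log layout is an assumption."""
import re
from urllib.parse import urlsplit

# C2 / payload URLs from the Malware Config section, keyed by family.
EXTRACTED_C2 = {
    "socelars": ["http://www.kvubgc.com/", "http://www.nvdmzf.com/"],
    "smokeloader": [
        "http://host-data-coin-11.com/", "http://file-coin-host-12.com/",
        "http://nahbleiben.at/upload/", "http://noblecreativeaz.com/upload/",
        "http://tvqaq.cn/upload/", "http://recmaster.ru/upload/",
        "http://sovels.ru/upload/",
    ],
    "vidar": ["https://noc.social/@banda5ker", "https://mastodon.social/@banda6ker"],
    "djvu": [
        "http://tzgl.org/fhsgtsspen6/get.php",
        "http://kotob.top/dl/build2.exe", "http://tzgl.org/files/1/build3.exe",
    ],
}

# Hosts that are legitimate services used as dead-drop resolvers (the report's
# "Legitimate hosting services abused for malware hosting/C2" signature).  A
# bare hostname match on them is noise, so the path is required.  Assumed set.
PATH_REQUIRED = {"noc.social", "mastodon.social"}


def build_watchlist(c2):
    """Map family -> set of (host, path) indicators; path is None when host alone suffices."""
    watch = {}
    for family, urls in c2.items():
        for url in urls:
            parts = urlsplit(url)
            host = parts.hostname.lower()
            path = parts.path if host in PATH_REQUIRED else None
            watch.setdefault(family, set()).add((host, path))
    return watch


# Squid native access.log: ts elapsed client result/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def hunt(log_lines, watchlist):
    """Return (client, family, url) for each log line that touches an indicator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"]
        if m["method"] == "CONNECT":
            # CONNECT carries only host:port; the path is inside TLS and unknown.
            host, path = url.rsplit(":", 1)[0].lower(), None
        else:
            parts = urlsplit(url)
            host, path = (parts.hostname or "").lower(), parts.path
        for family, indicators in watchlist.items():
            for ind_host, ind_path in indicators:
                if host != ind_host:
                    continue
                if ind_path is None or (path or "").startswith(ind_path):
                    hits.append((m["client"], family, url))
    return hits


# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "1642578001.123 210 10.0.0.15 TCP_MISS/200 512 POST http://host-data-coin-11.com/ - HIER_DIRECT/203.0.113.5 text/html",
    "1642578002.456 95 10.0.0.15 TCP_MISS/200 3072 GET http://tzgl.org/fhsgtsspen6/get.php?pid=test - HIER_DIRECT/203.0.113.9 text/plain",
    "1642578003.789 40 10.0.0.22 TCP_TUNNEL/200 0 CONNECT mastodon.social:443 - HIER_DIRECT/198.51.100.7 -",
    "1642578004.000 30 10.0.0.22 TCP_MISS/200 800 GET https://mastodon.social/@banda6ker - HIER_DIRECT/198.51.100.7 text/html",
    "1642578005.000 25 10.0.0.31 TCP_MISS/200 9000 GET http://www.example.com/ - HIER_DIRECT/192.0.2.1 text/html",
]

if __name__ == "__main__":
    for client, family, url in hunt(SAMPLE_LOG, build_watchlist(EXTRACTED_C2)):
        print(f"{client} contacted {family} infrastructure: {url}")
```

Note that the plain CONNECT to mastodon.social is deliberately not a hit: without TLS inspection the profile path is invisible, and the host alone is not an indicator. The same sample produces three hits, one each for smokeloader, djvu and vidar.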
Targets

Target
7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe
-
Size
312KB
-
MD5
e5a07be6c167ccf605ba9e6a0608e141
-
SHA1
d50547756f224ebaf38efc1b2e5134b6caa272ba
-
SHA256
449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4
-
SHA512
b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b
-
Score
10/10
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-

Target
7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe
-
Size
381KB
-
MD5
996061fe21353bf63874579cc6c090cc
-
SHA1
eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9
-
SHA256
b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a
-
SHA512
042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-

Target
7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe
-
Size
267KB
-
MD5
9e967a473010b430f5bde8d23b0cb9a6
-
SHA1
eed882f8ff642d0da9e89371e3ce75c1be317ad2
-
SHA256
66b03cc7950fb0df8607d07c4bdd45c74d2da333dcdbd97c5192c8b36b5ce039
-
SHA512
8916a36c24da3ef89066e226179e32ac3714ad72965e42f14fd38c6387c61c82118e519633f3ba628f5d3d5a45d237bdca7d6325d22599b2948503b0f2866fb7
-
Score
10/10
-
Deletes itself
-
Suspicious use of SetThreadContext
-

Target
7zS850A099E/61e74fd53f766_Tue23ec97445e.exe
-
Size
160KB
-
MD5
8f70a0f45532261cb4df2800b141551d
-
SHA1
521bbc045dfb7bf9fca55058ed2fc03d86cf8d00
-
SHA256
aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5
-
SHA512
3ea19ee472f3c7f9b7452fb4769fc3cc7591acff0f155889d08dadbd1f6ae289eaa310e220279318ac1536f99ea88e43ff75836aee47f3b4fbe8aa477cb9d099
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-

Target
7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe
-
Size
1.4MB
-
MD5
435a69af01a985b95e39fb2016300bb8
-
SHA1
fc4a01fa471de5fcb5199b4dbcba6763a9eedbee
-
SHA256
d5cdd4249fd1b0aae17942ddb359574b4b22ff14736e79960e704b574806a427
-
SHA512
ea21ff6f08535ed0365a98314c71f0ffb87f1e8a03cdc812bbaa36174acc2f820d6d46c13504d9313de831693a3220c622e2ae244ffbcfe9befcbc321422b528
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-

Target
7zS850A099E/61e74fd8ef830_Tue23593425095.exe
-
Size
1.6MB
-
MD5
c4e681d218d1c9c4efe701b4c7554eb5
-
SHA1
c3b43d0fbc5ad442067546b9d40c16810bb379da
-
SHA256
825a970bd11d349ba089e70419036c01ebb8cfd06e4abbec6bf58e9c7566a5e6
-
SHA512
b8d4ee6093835b0ec398f8884097db0bf1026e581743151241fb1489b061ba463dacf35b9af17f49ddc9d22769e9ebd763d9bfdb7e4d99e47a4e256c493ba3b5
-
Score
7/10
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-

Target
7zS850A099E/61e74fda51500_Tue23260baecb.exe
-
Size
266KB
-
MD5
49edc32bbb405b39d7f2b7fe1b8df04f
-
SHA1
e6dd0214ee693e6b90ba1293c840327894772644
-
SHA256
5a14c836ca0af97881c91393b48232f81953b304acab8e42abf562cb02971f0a
-
SHA512
da0c36951c498d43d243fa28a153e90336ca49277f08c3a282914293958876c55ad72b26535575a344d4553fb30f5aa517d386e58960fa10358d56f9dbd3cc54
-
Detected Djvu ransomware
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer
-
mimikatz is an open source tool to dump credentials on Windows
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-

Target
7zS850A099E/61e7501ab629f_Tue23c4645058.exe
-
Size
405KB
-
MD5
031f38d24ae18e9d3d3b878b9b1d8902
-
SHA1
b089e0f0d1809873b2d8d86e9c72f9136efa9983
-
SHA256
23facfbb54ebef4f301cd273be87ce89ae421f2cf2f79ebbc0e5338a54b4c356
-
SHA512
278dac8cbc45ad9e758da3f368e7f72e01b5e59d79c7176bfdf90a2bf1caf89f29c8852c66bff25c5ae8b4395724f54c8525e83881c1cd1f5b6ccd175852241d
-
Score
7/10
-
Deletes itself
-

Target
7zS850A099E/61e7501b7eabe_Tue2344597f.exe
-
Size
527KB
-
MD5
8e0bc14c20fd607593967f164bbf08b5
-
SHA1
f68dc21b6352302d36cb1953ac0065e30d1ca6b0
-
SHA256
af8fbb1b23a21d1be75abcbb8d7c8447ec0c3b309fcfb407a91576a06070dcfe
-
SHA512
71cb5f5cfc5bb858a3ec2b7cf94d1d0652b5b66c505c4016c9d86e19ba86352d5f8f332df11be163c4aa1d3d36fc892bcc5bd5f2fbd6a383cd4e36c9885c7639
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-

Target
7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe
-
Size
523KB
-
MD5
c7f26d8e0ac6d899d6febd75f81f9cc3
-
SHA1
113fe52d0562fa3b591dffd633f0d3d6db4feee8
-
SHA256
762433792d60c6c384fca690a8b3b5ef9e2390fd18ad0abdec248229bd5d89bc
-
SHA512
6848bff0d6e6302598faf274e35cb46c5b076937098a15558a199fded52d65a6486a4ae7cb9f756ea01c5fe4a685759bb6d1bf60fcf794528548830683aaee64
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-

Target
7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
-
Size
1.6MB
-
MD5
79400b1fd740d9cb7ec7c2c2e9a7d618
-
SHA1
8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
-
SHA256
556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
-
SHA512
3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-

Target
7zS850A099E/61e7502b8389b_Tue233252e9.exe
-
Size
362KB
-
MD5
bd97b9bdb9e842a76d084d9aae2157dc
-
SHA1
05855bb520005e4105f053d40c464cb8c7b2f2d0
-
SHA256
c739d1ae35aa6c63fb6f07b529bd25f77aad42260ed8a95a69487216fbb2b718
-
SHA512
3e5112f757f7e54399b14d4a00c695a1268f1cf4534db95fa3e7529c437add41b4cf5429747635c16d8fbe1c0123e4522a8b08867ede9de3b5c73b75987a2c32
-
Score
6/10
-
Legitimate hosting services abused for malware hosting/C2
-

Target
7zS850A099E/61e7502c4cff3_Tue232cba58c.exe
-
Size
666KB
-
MD5
81d975ad4ca267db5d3c50ea5875a563
-
SHA1
be11fb5a16735249000a48279cd1bd7aa8b06d90
-
SHA256
c724232309617b23a487c1713f4c90680354928f1d5f67200cdbe15e1421e43a
-
SHA512
ab822f7a07bbc124ea000afcd27c7c9981ce82d032e80369ba65959c5f83f28e15bec33cd9d5b740b41511bb7c7b15133739ace59f46cc13489d66d9e8e16df3
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-

Target
7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe
-
Size
116KB
-
MD5
b8ecec542a07067a193637269973c2e8
-
SHA1
97178479fd0fc608d6c0fbf243a0bb136d7b0ecb
-
SHA256
fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e
-
SHA512
730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893
-
Score
10/10
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-

Target
7zS850A099E/setup_install.exe
-
Size
2.1MB
-
MD5
981744adcc06328c94eeafac3985c3a2
-
SHA1
56ca31c1fc829df9621a6e5f6f3b618b52f83cd0
-
SHA256
c8e6f3389f92c34f03a775bc3203f02952ae6ffc86353cd53d614f60ded53641
-
SHA512
7411219660642d5cc1ac56a1dca8ebd8a285f31471e9a5d519a7f52c8a2378044f7780f7401b2c796d537fd2bdda60860fe3c78a5e47d7bb94834821585296ea
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
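The suricata alerts listed per target come from Emerging Threats rules that fire on generic stealer and downloader patterns; the C2 endpoints in the Malware Config section can additionally be turned into local, infrastructure-specific rules. The generator below is an added example, not report content and not part of the ET ruleset: the URLs are taken from the Malware Config section, while SID_BASE, the msg prefix and the decision to key https endpoints on the TLS SNI are assumptions.

```python
"""Generate Suricata rules for the extracted C2 endpoints.

Added example, not report content and not Emerging Threats content.  URLs come
from the Malware Config section; SID_BASE and the msg prefix are placeholders."""
from urllib.parse import urlsplit

# (family, url) pairs from the Malware Config section.
C2_URLS = [
    ("socelars", "http://www.kvubgc.com/"),
    ("socelars", "http://www.nvdmzf.com/"),
    ("smokeloader", "http://host-data-coin-11.com/"),
    ("smokeloader", "http://nahbleiben.at/upload/"),
    ("vidar", "https://noc.social/@banda5ker"),
    ("djvu", "http://tzgl.org/fhsgtsspen6/get.php"),
    ("djvu", "http://kotob.top/dl/build2.exe"),
]

SID_BASE = 9000000  # assumed: pick an unused range in your local.rules


def rule_for(family, url, sid):
    """Build one rule, choosing the match buffer by what is visible on the wire.

    https  -> the URI is encrypted, so key on the TLS SNI.
    http / -> a URI of "/" matches everything, so use the Host header alone.
    http   -> Host plus URI prefix, the most specific option.
    """
    parts = urlsplit(url)
    host = parts.hostname.lower()
    head = f'msg:"LOCAL MALWARE {family} C2 {host}"; flow:established,to_server;'
    tail = f'classtype:trojan-activity; sid:{sid}; rev:1;'
    if parts.scheme == "https":
        return (f'alert tls $HOME_NET any -> $EXTERNAL_NET 443 ({head} '
                f'tls.sni; content:"{host}"; nocase; endswith; {tail})')
    # http.host is already lowercased by Suricata, so no nocase here.
    match = f'http.host; content:"{host}"; endswith;'
    if parts.path and parts.path != "/":
        match += f' http.uri; content:"{parts.path}"; startswith;'
    return f'alert http $HOME_NET any -> $EXTERNAL_NET any ({head} {match} {tail})'


def build_rules(entries, sid_base=SID_BASE):
    """One rule per distinct (scheme, host, path); sids are consecutive from sid_base."""
    seen, rules = set(), []
    for family, url in entries:
        parts = urlsplit(url)
        key = (parts.scheme, parts.hostname.lower(), parts.path or "/")
        if key in seen:
            continue
        seen.add(key)
        rules.append(rule_for(family, url, sid_base + len(rules)))
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(C2_URLS)))
```

Sticky buffers (http.host, http.uri, tls.sni) and the startswith/endswith modifiers need Suricata 5 or later. Host-only rules for the socelars domains are acceptable because those hosts have no legitimate use; for the Mastodon dead drops a tls.sni rule will also fire on ordinary users of that instance, so treat it as a low-confidence hunting rule rather than a blocking one.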