5824492879904768.zip

General
Target

5824492879904768.zip

Size

170KB

Sample

220307-wpvenaadep

Score
10 /10
MD5

cad87a095910a87a0dfbef6b75b2266d

SHA1

18ea6cf536e2c7b080dcecda814cd93a18b3be23

SHA256

39c18be9542c5a330c19ed08c1cc5cb8922d872f602ae13fb4a42d4cc6784883

SHA512

032bff118a2700a61a740b6ca15f477c5b11ed908f35cd0f2ff4f68c908377b14ce70f309ee8ec4f5a068866473dff61ec7aac18691df48a2281461fc5453796

Malware Config

Extracted

Family redline
Botnet ebat222
C2

86.107.197.196:63065

Attributes
auth_value
ecf32695315360a0175d49dc2111348d

Extracted

Family socelars
C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/

Extracted

Family redline
Botnet ruzki
C2

91.240.118.93:32076

Attributes
auth_value
2cd038d80ba390a568e2a7578eb682e2

Extracted

Family redline
Botnet 600$5
C2

193.38.235.192:43770

Attributes
auth_value
dd54f25665dc6af5439959d34a36bf6b

Extracted

Family vidar
Version 50.4
Botnet 937
C2

https://mastodon.online/@samsa11

https://koyu.space/@samsa2l

Attributes
profile_id
937

Extracted

Family raccoon
Botnet 70547732dfb73df035666996b327b1732a45ccce
Attributes
url4cnc
http://185.163.204.119/sonicodic
http://206.189.100.203/sonicodic
http://194.180.191.234/sonicodic
http://185.163.204.216/sonicodic
http://139.162.157.205/sonicodic
http://185.163.47.176/sonicodic
https://t.me/sonicodic
rc4.plain
rc4.plain

Extracted

Family redline
Botnet ruzki (check bio)
C2

103.133.111.182:44839

Attributes
auth_value
767fa45398d3ac4a23de20d0480c2b03
Targets
Target

b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9

MD5

42c371e393e888b8ff2e0c2f24193ee9

Filesize

229KB

Score
10/10
SHA1

7b04c28fd946374f76f6940ab7ce62ea5aadb85c

SHA256

b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9

SHA512

441f8a8f5aab639ce88b4f9c913a9a90647ef91dbcdd73362625d0733468f4752f7359cb72d2496a2eb43b19cb411c33d17c9422c04c19c20ee089df4ae8de8e

Tags

Signatures

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • OnlyLogger

    Description

    A tiny loader that uses IPLogger to get its payload.

    Tags

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    Description

    suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    Tags

  • suricata: ET MALWARE GCleaner Downloader Activity M5

    Description

    suricata: ET MALWARE GCleaner Downloader Activity M5

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Description

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

    Description

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

    Description

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Description

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Description

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    Description

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    Tags

  • suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

    Description

    suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

    Tags

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    Description

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    Tags

  • OnlyLogger Payload

  • Vidar Stealer

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation