Overview

overview

10

Static

static

b0de3b3eb7...a9.exe

windows7_x64

1

b0de3b3eb7...a9.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5824492879904768.zip

  • Size

    170KB

  • Sample

    220307-wpvenaadep

  • MD5

    cad87a095910a87a0dfbef6b75b2266d

  • SHA1

    18ea6cf536e2c7b080dcecda814cd93a18b3be23

  • SHA256

    39c18be9542c5a330c19ed08c1cc5cb8922d872f602ae13fb4a42d4cc6784883

  • SHA512

    032bff118a2700a61a740b6ca15f477c5b11ed908f35cd0f2ff4f68c908377b14ce70f309ee8ec4f5a068866473dff61ec7aac18691df48a2281461fc5453796

Score
10/10
onlyloggerraccoonredlinesocelarsvidar600$570547732dfb73df035666996b327b1732a45ccce937ebat222ruzkiruzki (check bio)evasioninfostealerloaderspywarestealersuricatatrojanupx

Malware Config

Extracted

Family

redline

Botnet

ebat222

C2

86.107.197.196:63065

Attributes
  • auth_value

    ecf32695315360a0175d49dc2111348d

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/

Extracted

Family

redline

Botnet

ruzki

C2

91.240.118.93:32076

Attributes
  • auth_value

    2cd038d80ba390a568e2a7578eb682e2

Extracted

Family

redline

Botnet

600$5

C2

193.38.235.192:43770

Attributes
  • auth_value

    dd54f25665dc6af5439959d34a36bf6b

Extracted

Family

vidar

Version

50.4

Botnet

937

C2

https://mastodon.online/@samsa11

https://koyu.space/@samsa2l
Attributes
  • profile_id

    937

Extracted

Family

raccoon

Botnet

70547732dfb73df035666996b327b1732a45ccce

Attributes
  • url4cnc

    http://185.163.204.119/sonicodic

    http://206.189.100.203/sonicodic

    http://194.180.191.234/sonicodic

    http://185.163.204.216/sonicodic

    http://139.162.157.205/sonicodic

    http://185.163.47.176/sonicodic

    https://t.me/sonicodic

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

ruzki (check bio)

C2

103.133.111.182:44839

Attributes
  • auth_value

    767fa45398d3ac4a23de20d0480c2b03

Targets

    • Target

      b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9

    • Size

      229KB

    • MD5

      42c371e393e888b8ff2e0c2f24193ee9

    • SHA1

      7b04c28fd946374f76f6940ab7ce62ea5aadb85c

    • SHA256

      b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9

    • SHA512

      441f8a8f5aab639ce88b4f9c913a9a90647ef91dbcdd73362625d0733468f4752f7359cb72d2496a2eb43b19cb411c33d17c9422c04c19c20ee089df4ae8de8e

    Score
    10/10
    onlyloggerraccoonredlinesocelarsvidar600$570547732dfb73df035666996b327b1732a45ccce937ebat222ruzkiruzki (check bio)evasioninfostealerloaderspywarestealersuricatatrojanupx

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

      suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

      suricata

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata

    • suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

      suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • OnlyLogger Payload

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks