General

  • Target

    samples.zip

  • Size

    2.6MB

  • Sample

    220428-je2prsfdfq

  • MD5

    6b33fc7cc7e24b1fd6d79a32c1d5f00f

  • SHA1

    4871a227931611944bfee752c98cf266e9b7b547

  • SHA256

    5e4ad329433655e942706e02361b10c21caed15d46cf924a7ebe153932f105ae

  • SHA512

    4644d2551a406da17f8708580422167e1ea69ebb48bdeda35545cfdf186b70906618a1a93853de72b8a1fceff79ed9215f1078fe01a2f541fbb0256e77499ce7

Malware Config

Extracted

Family

jester

Botnet

monika_galager

C2

http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/monika_galager

https://api.anonfiles.com/upload?token=d26d620842507144

Mutex

c6b4a73b-035e-4027-8c9d-f30fcd7f128e

Attributes
  • license_key

    2389157FE6BD3ADCBC3E0EAEF2136325

Extracted

Family

lokibot

C2

https://firenzelavori.lt/loki/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

pony

C2

http://test.sanbux.ru/gate.php

http://test.sanbux.ru/path/gate.php

Extracted

Family

redline

Botnet

@Solitarru

C2

45.133.217.148:65255

Extracted

Family

azorult

C2

http://139.59.36.90/index.php

Extracted

Family

raccoon

Version

1.8.1

Botnet

f0dbf04a98246f76fda91e716237165f98a51abe

Attributes
  • url4cnc

    https://telete.in/iopioldpsergdg

rc4.plain

Extracted

Family

agenttesla

Credentials

Extracted

Language

xlm4.0

Source

Targets

    • Target

      appconsole

    • Size

      80KB

    • MD5

      bbf6a17cc8d96f635840ae1d63223659

    • SHA1

      b5675c4a47431bc9690e724228e1093f0a3a74f1

    • SHA256

      cbcf13e1e93966e2d5d20a8e53ddd243546d5d531a0c50e840df505640e0c603

    • SHA512

      e4e3a0054795d4cd9ace0c38644d119f302d0bf62cfc74a8e4765252c1443aab9ca4cc5de4eda64f47f6417c7fe3367a2f7010f286d90ee3c9fb23eb688bc228

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      azorult

    • Size

      801KB

    • MD5

      3b383cec6e449a3a89b384425389cd12

    • SHA1

      a4273c99be23d20e15182a3e9899bc764ab6f205

    • SHA256

      fa7607fe08f0cc262ff4500613d08fdfabe6a0b072cf7d9fcc886a204164fac1

    • SHA512

      d695fdcfa87fad7c22d4147022882288cac8c541c6de0f059ad1874922eed778e08cfd41c354bea607749b12e6911df6dc946512840f99a043f096e946c4b33f

    • Azorult

      An information stealer first discovered in 2016 that targets browsing history and passwords.

    • Suspicious use of SetThreadContext

    • Target

      clipper

    • Size

      91KB

    • MD5

      eec41c39511ee00773a1e8114ac34e70

    • SHA1

      eec241911205fd30ce5a06570d86d4713eccd98d

    • SHA256

      8549581cde22cf897f93d348b2135b46941f68819521d304374202c47d14073f

    • SHA512

      1d85e1d3e3b7cdbb62fce22ba16040e77e99a60df6fbb1dee412ff30a7c54bbee4f71704615c189bb1f64ca90203b5b7153be1187a8cc78716dae78227507897

    Score
    1/10
    • Target

      jester_stealer

    • Size

      226KB

    • MD5

      a09c37144ca538b0bc4499bf59c691f1

    • SHA1

      eb997ac06e1cf56add73e5e4eed3c10a297d4bd5

    • SHA256

      45d58041f3aacdf2d3536c39e1db81e23e30c6372ca2bd3be8b2675d472b5d44

    • SHA512

      b449997aa327b281ceade8f11a14bdf1e197fb86e7dffbcfcb3d59c09532108c317f437320b267818e2919c06da21d31db4b6dca745470f7a1ed4f37455afebf

    • Jester

      Jester is an information stealer written in C#.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      lokibot

    • Size

      104KB

    • MD5

      1917f888cacd48b9a8d4832449e8d34f

    • SHA1

      d732e6a78ea44b77943c1e74e19c9ea92d0b7a28

    • SHA256

      3deeb55fefe05f51c41b1724780e5de1e33a432e01f455e3ab5d2af5ca655464

    • SHA512

      901b095813605c89945e1b5354fef210b0a68d94a79156b5d405116c5f00a15571046a0e9d65830cdaea8a3deda657a6d4ac6744ecef30cca6b26033d8b61b55

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Target

      pony

    • Size

      356KB

    • MD5

      6303b080a150be26a260e9a349296b28

    • SHA1

      692887c65908872c96f19ec81c28f221d5b87267

    • SHA256

      8f696db90b2556c709e3dfd34fa977ca160939bb2cd2feb0d3718b33baa6cb0a

    • SHA512

      c04baedd9a00166ae6a56b16afc3693a25be491393ecabf5f9958c83b53d7d78256dba56c6b7345d466be20f3f073f1b06b241359a3ce0f9865eab537c4f04c1

    • Pony, Fareit

      Pony is a remote access trojan that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      raccoon

    • Size

      506KB

    • MD5

      f34cac12ad52c250c2381327d5f5939b

    • SHA1

      c56cbb5d8ba97932d49146183ecc31045c80b068

    • SHA256

      54eb27e976cab1b8ef3173149bf1ed638562fd5aecd90d61ad9632ace9b8abf2

    • SHA512

      1fdd063be68392a8f4e49a700778d1655684a45496d372b50ca58e3808ff2526bf16c8db88b78f4ba5b9b56745751ab504d186e651febeefeb8c326c1225705b

    • Raccoon

      A simple but powerful infostealer that was very active in 2019.

    • Target

      redline

    • Size

      128KB

    • MD5

      db7dd90469851c7a23a2c988a7a14183

    • SHA1

      becc32c125c861284d9aae17136439b15b571fc4

    • SHA256

      f27735f17f24531842cf9d0bf7478181d8a2bd640db8f984ec0a9431904ba4ce

    • SHA512

      d595a338e095182210297d76662f859b3972b1ca9ee4d1297b624a6d9ce5ab4f9557139c22f64d9dbb26f05003b37c327740935a0da0a390489b1d3a7332bd72

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Target

      tesla

    • Size

      1.0MB

    • MD5

      bafa9bd077c451f845e0ecca1010607d

    • SHA1

      e3c6c99c6680a3ef5a25e511b97dfa1d6b91b5bc

    • SHA256

      ef19393cf49f6fc5899b0fd1b29530e49f35776341b03ef6b0b0a5e0cfce3418

    • SHA512

      f443d5775a34c40983451b8143cfdf82a5fc049e889f5d3885be69818dbc9a20fe1a69cc06eaa24bceb7761fddd95ff39be75fa08d78231a96bf5bdc6bcf730f

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      vidar.xll.bin

    • Size

      880KB

    • MD5

      4ebc548df517cae4c7e3122e9c75ede6

    • SHA1

      6e19e1e6f3a7b96cf562c2f6768f92580652d427

    • SHA256

      6c67e1ccf77b872b1f3cf257a257d75c4995dc079945080f578b51357ccdbe55

    • SHA512

      359be199470a83ad32db555840c5b33a6b69db96cc188d83d550639fe9fe75464529819fdf0cded9d489cb7ba03802667ac373d3ad2a3f7e4069b023c8508290

    Score
    10/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

monika_galager, @solitarru, stormkitty, jester, lokibot, pony, redline
Score
10/10

behavioral1

stormkitty, stealer
Score
10/10

behavioral2

stormkitty, spyware, stealer
Score
10/10

behavioral3

azorult, infostealer, trojan
Score
10/10

behavioral4

azorult, infostealer, trojan
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

jester, monika_galager, collection, spyware, stealer
Score
10/10

behavioral8

jester, monika_galager, collection, spyware, stealer
Score
10/10

behavioral9

lokibot, collection, spyware, stealer, trojan
Score
10/10

behavioral10

lokibot, collection, spyware, stealer, trojan
Score
10/10

behavioral11

pony, collection, discovery, rat, spyware, stealer
Score
10/10

behavioral12

pony, collection, discovery, rat, spyware, stealer
Score
10/10

behavioral13

raccoon, f0dbf04a98246f76fda91e716237165f98a51abe, stealer
Score
10/10

behavioral14

raccoon, f0dbf04a98246f76fda91e716237165f98a51abe, stealer
Score
10/10

behavioral15

redline, @solitarru, infostealer
Score
10/10

behavioral16

redline, @solitarru, infostealer
Score
10/10

behavioral17

agenttesla, collection, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral18

agenttesla, collection, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral19

Score
7/10

behavioral20

Score
10/10