General

  • Target

    showcase.zip

  • Size

    6.8MB

  • Sample

    220624-qw33gscfak

  • MD5

    0259f0150a31d2fcc9f009a961243b54

  • SHA1

    ddb27c245b32032ae4a1c9922d6c2312d709578c

  • SHA256

    96995eadf0555a4f7759c817a64f58810b64a423ab172ac809c373f381d5cd3e

  • SHA512

    0e1b5e353ebbe9481f20f9d8d7d04178b5c320acc0e2e052036e814566d52901cd1c83ad028b6629ecad3632b92c00918fe81b0a38390249542a0eb7db1931e9

Malware Config

Extracted

Family

qakbot

Version

402.68

Botnet

tr

Campaign

1619706851

C2


Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

redline

Botnet

KREATOR

C2

45.140.146.214:20498

Extracted

Path

C:\MSOCache\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
SEON RANSOMWARE ver 0.2
all your files has been encrypted
There is only way to get your files back: contact with us and pay $1500
We accept Bitcoin and other cryptocurrencies
Do not try to reinstall operation system on your computer
Do not try to decrypt files with third party tools, this can lead to data loss
You can decrypt 1 file for free
Our contact emails: seonunlock@protonmail.com seonunlock@naver.com
Emails

seonunlock@protonmail.com

seonunlock@naver.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme.hta

Ransom Note
All your documents, photos, databases and other important files have been encrypted and you can't decrypt it yourself.
No one but us can return your files. Free decryption utility does not exist.
Each file is encrypted with its unique key, cryptography based on elliptic curves, key recovery is impossible.
Focus on the problem, follow your instructions and everything will be fine.
DON'T PANIC! YOU CAN RETURN ALL YOUR FILES!
FREE decrypting as guarantee
You can test decryption 1 any file for free (with help our special software "SEON Decryptor").
What to do?
First you should write me and i'll send you a special software "SEON Decryptor" (this software needed to decrypt encrypted files).
To start the process of decrypting ALL files, you need buy key to the "SEON Decryptor".
The price is $1500 in any cryptocurrency.
Contacts
E-Mail: seonunlock@protonmail.com
E-Mail: seonunlock@naver.com
Attention!
Decryption keys are individual, the keys of other users will not work for you
Do not try to decrypt files with third party tools, this can lead to data loss
Do not try to reinstall operation system on your computer
Emails

seonunlock@protonmail.com

seonunlock@naver.com

Targets

    • Target

      filecoder.dmg

    • Size

      2.5MB

    • MD5

      5557a06822358ea7814891631f7df8ce

    • SHA1

      f6e215ed5a1623de05c6f63033aa4f6d1a5696d6

    • SHA256

      f8dd1edd285ba0ee23250d7925dd7c230aaf3845ceedb6bcfe2913815c8775db

    • SHA512

      a592d44e8942dd223792baf0180bb4d06d0d9e0e2740a64c86c89435cefc3a704acc86ab0caee207eb549f7e8eaee777b66178bd4ac7f7c331d981b7e40a0d5b

    Score
    1/10
    • Target

      flawedammyy

    • Size

      3.6MB

    • MD5

      743a6891999db5d7179091aba5f98fdb

    • SHA1

      eeca4b8f88fcae9db6f54304270699d459fb5722

    • SHA256

      fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f

    • SHA512

      9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96

    • Ammyy Admin

      Remote admin tool with various capabilities.

    • AmmyyAdmin Payload

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      qakbot

    • Size

      959KB

    • MD5

      2dc87224ef9349f4b281f11fb43ed3f4

    • SHA1

      e19c8174793560817c522e3f206f6434ebf4b342

    • SHA256

      31c42d854a77c7673a3438df6501c3a09ee530f6f4f23cc7bea891cec7bc096b

    • SHA512

      1d492db541796480d4f4c987f4ab7abd49ba6caf6da8bed419893d658ce5325e3cd672d9fef7a58986f2262ef18775ad1e435358a1b797cf271cea99474f0874

    • Target

      redline

    • Size

      569KB

    • MD5

      4842156a83bbc8f5b1b46b0e2a597ab4

    • SHA1

      bdda0f367bf93fa75e2bf4b632daab8b615c9c69

    • SHA256

      24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003

    • SHA512

      f0fe9c63fc8fd1333297b76f7f0ed414535ffb4f8ab96906c8207840bf63688d8b6e0de8053e7882eeb616ddf83c8021d5940adc9fcba4e8fd1e342c67343f73

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of SetThreadContext

    • Target

      seon

    • Size

      62KB

    • MD5

      7d3573bee1a9acd192c50bc72a65ef7a

    • SHA1

      8ff77e69046c8cecd4407c536219e6fc1a747af7

    • SHA256

      221ab2fabe92b623834e7214d05dbef0cdc2b4399d34721de63e7c32ab5820ea

    • SHA512

      dcf3998861c2c1818d05ba526134edddee58bea51d4065ec5d156dfac2d24a63d65df057a1319e0886bdf37a394f82fb4435c0292c3e1f135646623ad3aaf347

    Score
    10/10
    • Seon

      The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Execution
  • Scheduled Task (T1053): 1

Persistence
  • New Service (T1050): 1
  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation
  • New Service (T1050): 1
  • Scheduled Task (T1053): 1

Defense Evasion
  • Modify Registry (T1112): 6
  • Install Root Certificate (T1130): 1

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 3
  • Peripheral Device Discovery (T1120): 1
