General

  • Target

    75cf1ee3a011100880c7bffcc3fc04dbd1435592dcc408b3195652f3224fa651

  • Size

    403KB

  • Sample

    220705-mrdegsgcel

  • MD5

    c3216502ee1ed5064e9ee5f724be2fc6

  • SHA1

    8f73a2ecc06922205a10abfbdd18e3cb1a87c49a

  • SHA256

    75cf1ee3a011100880c7bffcc3fc04dbd1435592dcc408b3195652f3224fa651

  • SHA512

    b6a3f7ad671e9907612799baf6265a7ab180fe98724a424a9d85c7f1bbd9ed18e6f9e2eabcd02d05266384cb04e7c395abd354550dd1857db14370267cced449

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

raccoon

Botnet

4bdabb0995ee4b48db30078de2c5c206

C2

http://45.159.251.144/

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

53.1

Botnet

1519

C2

https://t.me/tg_dailyrunnings

https://mastodon.online/@olegf9844g

Attributes
  • profile_id

    1519

Extracted

Family

redline

C2

193.233.193.49:11906

Attributes
  • auth_value

    ad5cd49e075db8527ecb265d0bf18710

Targets

    • Target

      75cf1ee3a011100880c7bffcc3fc04dbd1435592dcc408b3195652f3224fa651

    • Size

      403KB

    • MD5

      c3216502ee1ed5064e9ee5f724be2fc6

    • SHA1

      8f73a2ecc06922205a10abfbdd18e3cb1a87c49a

    • SHA256

      75cf1ee3a011100880c7bffcc3fc04dbd1435592dcc408b3195652f3224fa651

    • SHA512

      b6a3f7ad671e9907612799baf6265a7ab180fe98724a424a9d85c7f1bbd9ed18e6f9e2eabcd02d05266384cb04e7c395abd354550dd1857db14370267cced449

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

      suricata: ET MALWARE Generic gate .php GET with minimal headers

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

      suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

      suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    • suricata: ET MALWARE Win32/Colibri Loader Activity

      suricata: ET MALWARE Win32/Colibri Loader Activity

    • suricata: ET MALWARE Win32/Colibri Loader Activity M2

      suricata: ET MALWARE Win32/Colibri Loader Activity M2

    • suricata: ET MALWARE Win32/Colibri Loader Activity M3

      suricata: ET MALWARE Win32/Colibri Loader Activity M3

    • Vidar Stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Tasks