General

  • Target

    L22_File.zip

  • Size

    6.4MB

  • Sample

    220905-m6sgysadf3

  • MD5

    72a9f4e777d2f5046a47a5d580986444

  • SHA1

    3d64114624dc2f1c96485cb7c193ea95fab4f731

  • SHA256

    ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041

  • SHA512

    23eddd86be0fed3f86de09378c55f85b0e47f967432edb079abb242fb046693c8d58734a32784e65729ca538e5492dddc18c498c7986b88da4302bb9420395ec

  • SSDEEP

    196608:Tjfhn41BNL8oYEzjTy1vt2Dv4WoeUnpxQS+i+:vZn41B95j2vt2sci+

Malware Config

Extracted

Family

privateloader

C2

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes
  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Extracted

Family

djvu

C2

http://acacaca.org/test3/get.php

Attributes
  • extension

    .oovb

  • offline_id

    6GXhR4uyHH9NXT2qot14T0HeNSviNKH0Q6PGVNt1

  • payload_url

    http://rgyui.top/dl/build2.exe

    http://acacaca.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6g0MALAb7E Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0552Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

nam6

C2

103.89.90.61:34589

Attributes
  • auth_value

    5a3b5b1f2e8673a71b501e4a670a3f3a

Extracted

Family

raccoon

Botnet

ad82482251879b6e89002f532531462a

C2

http://89.185.85.53/

rc4.plain

Extracted

Family

redline

Botnet

@fuschlock

C2

5.182.36.101:31305

Attributes
  • auth_value

    75217e9ad4340e68bc1f7002a503fe3c

Extracted

Family

redline

Botnet

Andriii_ff

C2

109.107.181.244:41535

Attributes
  • auth_value

    0318e100e6da39f286482d897715196b

Extracted

Family

redline

Botnet

3108_RUZKI

C2

213.219.247.199:9452

Attributes
  • auth_value

    f71fed1cd094e4e1eb7ad1c53e542bca

Extracted

Family

redline

Botnet

mettop1

C2

xoralessh.xyz:80

Attributes
  • auth_value

    a8206072062ec5262484a012d246646b

Targets

    • Target

      L22_File.zip

    • Size

      6.4MB

    • MD5

      72a9f4e777d2f5046a47a5d580986444

    • SHA1

      3d64114624dc2f1c96485cb7c193ea95fab4f731

    • SHA256

      ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041

    • SHA512

      23eddd86be0fed3f86de09378c55f85b0e47f967432edb079abb242fb046693c8d58734a32784e65729ca538e5492dddc18c498c7986b88da4302bb9420395ec

    • SSDEEP

      196608:Tjfhn41BNL8oYEzjTy1vt2Dv4WoeUnpxQS+i+:vZn41B95j2vt2sci+

    Score
    1/10
    • Target

      Install.exe

    • Size

      435.0MB

    • MD5

      2a27acc2f6b26b15d6d839d43a6b6bc0

    • SHA1

      661dca9bd343226ae54da0e21f12ef1e181b1776

    • SHA256

      006fd40f696d274a44535fcf35d6130445842b148115db48c5b859a8519cdc77

    • SHA512

      ebf8bfdf7529429a400ad39d473da0e43752c6cd16dffaadd067e38b3e0c9991664217d15931a73f7f78a0160cdbd4f5710699d2f293c1638ae8d1ed5f7940ee

    • SSDEEP

      98304:Ak/AHdxT8BEU8MkJwe65adTX4a2tYsUxKr76hwrrKqdSlwrWL:Ak/i8jkJjLd8a2UxIzGwyL

    • Detected Djvu ransomware

    • Detects Smokeloader packer

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • YTStealer

      YTStealer is malware designed to steal YouTube authentication cookies.

    • YTStealer payload

    • Detects Phoenix Miner Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      fonts/Arggotsc.ttf

    • Size

      88KB

    • MD5

      1a1ec864b6c0730c8be73b99a092bf46

    • SHA1

      b621b1ef3365eeeb562073b7affd2177d63342a4

    • SHA256

      85d7a5ef7867ab572048c9a4f422526f249da11f3236e8763a737d66df08e096

    • SHA512

      8ac4b1b54c92ce4b7dd1c3419243f13cf5c1e7537b768db3306787223904083d562809fcb18ac26707f67518e05558bd9d89fab46a3500fbef3aaa5f9cb38617

    • SSDEEP

      1536:yRpVPVxnzULhyM1toY7I+Q2+QZMDxRJyG7Syl/6JsOgTpqRkX5/qb5UB:yjVPV1zUVyYRQ2hZmRJyG7Syl/6J1gTZ

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/Army Thin.ttf

    • Size

      88KB

    • MD5

      9c0996fba26512ad5120010e385e208d

    • SHA1

      37a752173b71a3a3e27a7c6ac825b69db622fba4

    • SHA256

      b00dd75d282e11a2067bb8341c9c2b4a1c2ae5db3029e584d92a4549fb784d48

    • SHA512

      c9fca09824a7192afb128c1b9cfcb1bf0c7e39ad1a269ddb4b271a65f7cb0b4d0d8a155f5485e32dc8c036fee9bfe29f11e97399632132c47514adf893574ed7

    • SSDEEP

      1536:R2o690qRKBuTRKBoxIddKOyjgUq867OrUsw+gpG5I/:j690qYBuTYBoxIddKOyjgUI7OrU4gpGC

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BELLB.TTF

    • Size

      80KB

    • MD5

      f37324d3575c7132e330af3c8f08da17

    • SHA1

      1e14164f2bf6d6972744642d0a6c8afce4d6daa4

    • SHA256

      dcc8d42eebbab6822f736a7b99e1c9d6ee6861b247a19049bb33e5955d991dde

    • SHA512

      80e2daad5319c8a732bec4eb5b7b62fd88979638df98e104688dd9747f0f4089f5a68e61509ce0c7a7590e1c73ad4564a41e97b7a8dd16d12947daa48935f743

    • SSDEEP

      1536:EIIZKRcnuonqV3nVbISbjFameCNLs6EzeJFE1bXzyjVNfpS0vH:qn9nW3VbXTesWyYFXzyjlS0f

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BOD_BI.TTF

    • Size

      83KB

    • MD5

      5bb67e55de4ee82aff5585b7bc7df099

    • SHA1

      30c29ebba4511f7ffb96bc056bfb6531229011f4

    • SHA256

      9729e2ae73b15871db606a18a48b8674ce2bae35d76a511d3510c4a9db2385ef

    • SHA512

      51e91ff81bf05e2cd05d0caaf81f8ce6742d7ef9b8f7857daad2bbad085f419d6773c1bd664f040bf0028f51139046bb23589c1c66c3c4065dfd34d246c64c84

    • SSDEEP

      1536:j0mROXFT8UwUDH49fe7/jtYMXVT4FBMDbsJ4/RG2luywo60qdlnHy721Mslt6l2G:wnXp8UwUDY9fC0gTqy4DnSK1MsN9uELO

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BOD_I.TTF

    • Size

      87KB

    • MD5

      cec8a6834241575dcafba6d7504d64b8

    • SHA1

      3d412b305c3d93474c9fe02f60a049a9e87aeaab

    • SHA256

      960458b4c0851b8b9f1d047fe50f7fa01ddfbecaec692521d262660882e9596a

    • SHA512

      9a3e79f5a04e6f0794099788c07330b97c4ab31e95df745cea9d5e8cbc7dba2a01a04dc4cbc7b93fcd76a7d1240f073f256ec7d5a9ce08d62312b01d4fd10e78

    • SSDEEP

      1536:4AxM2frzSwDp3Qe0hmIyz9TJyCh1qaoDR9nbZ1v6jZCSpxiOvHdlGDw2taRkvwGv:4ARzSwN3QTld9iUGRDGweskvwNWV/wEt

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/CALISTBI.TTF

    • Size

      82KB

    • MD5

      b8178488b4decb255bd3094b320600ac

    • SHA1

      315bf5a35ef284a71fd90f304767c8d90d6883cd

    • SHA256

      9b9e45f016b013d92c3caf1985db22f85e39c8b1f208636f9ac21f9c135239ce

    • SHA512

      3e98e8484ba5ac6c1475af24ae9ae55045511a46baf250ca36d4bb2b64e74b67e9b58a289572ee2609662685ab7218cf8fee200400a417a310bd7b82f47af1e6

    • SSDEEP

      1536:fAsN4DofckwriM3kM+cGEGjmU+xXXXozKbR5ITHpfLR8eXHVBGgIuBoQPeV9pfrr:fT0oYiMURcGEF7x3EKfiZRrfGgIsPsD/

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/Cabana-Regular.ttf

    • Size

      88KB

    • MD5

      153c7063d63f0b1aeda64c70d5a3b447

    • SHA1

      ebcf5312bed9fc7a3da8526c770998b6fa1e06a1

    • SHA256

      4b6737e1f2e28fb2cf39eea2eba98baf66f7de0776bca0a893b55e5b783b1649

    • SHA512

      17ce2c6057a2dc232c1a8febe0462434753fff500f889ca8847e9973e503b30949bb2ff725a2a0189d2742e9fcc8b65581b8c4b389447a3edfe97ae21f243cfa

    • SSDEEP

      1536:qSiX1ccXNRpK52m2DwLbltfXfbu3wLbltf8fNHK2P9cENm:J6BBInmP9Fm

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/black.ttf

    • Size

      84KB

    • MD5

      5046ede33c7ccea0481c46e344d7eef4

    • SHA1

      570694d9531f8d3366b721f361749a6f6b8be94f

    • SHA256

      3ff9aa61c36a1ba3b7b46e7e73eda89695ab5f3f6263afe2594dcb91d50b9a64

    • SHA512

      4b6509a81ee99cbdcaf3fdce013dc7bd95c957b33e5a599aac58032a0a451cc4802cec13fafad491a3324c8e4f14e4dbbb42aed85fec0cb27c50b30695878a66

    • SSDEEP

      1536:dzAncHAR/NYyTPrII+WwohDPhLw1YZgYyru3TLB0c0l0jpJ9Z3:dISyhNwohDPI8guLB0T0jX

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/browa.ttf

    • Size

      87KB

    • MD5

      bd62018c47c6141847cd00dcf20a215e

    • SHA1

      7a0c700fa81a8b5d405076f55e1c89f54a578309

    • SHA256

      20ba365275e4972f1a68588c821cd1ec88656349633d4598a1dec93498d5638e

    • SHA512

      eff01b4800af12a3b182a0cb958a4e86e4f82d09d86d237fe1efef729b8795470a6a4d0191e3e4c63a2a5d9e2938d30e7c38b08069be21c82256bc9d23d68764

    • SSDEEP

      1536:uQsHpEYQ1ikaMYsrhp7XLKvp45uD6kaeuFklGIIYh4riRO+nYHae2U:wEYoiVMlhZbw4gukaqGFYhEMnU

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/browauz.ttf

    • Size

      87KB

    • MD5

      cd3ee79a96eb48acedc65a5f00c3f1c2

    • SHA1

      33e0b6205417de835594f04006882660e77057d6

    • SHA256

      58dd269b448b3abb62fc0764b4f1b48b0ce339052dd3db8d881e5db3e77dac8b

    • SHA512

      c6e6b2368275c57c324580849a19cb0fbfb94dbae697566c513d624e2bdc01946bd04b01214e99cdef439e8ab28273579914ee64665978f2fa4a4bb0e8294d2e

    • SSDEEP

      1536:p69JtJbJTMiJVKKaJcJhAgzaB36Xega5A6FVxucJYSRDlQefqR+sNvs2+sARy9Rp:MjTFJ5jl+36XeP5A6CSAein0HsAYDEAb

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/deathrattlebb_reg.ttf

    • Size

      82KB

    • MD5

      8ae15895cd813a33942b7b17c0fcc2fb

    • SHA1

      d4489524c533fa198eaa6ba23c39049100481087

    • SHA256

      5ca9bb7216ccf7e07a6c79dce17815255bcbebe811e966f2763e7d93fc6426ae

    • SHA512

      347c62c3efd3c97da9800ff2e5b0a23350d0f11a555da956b8c1b0c0986c423443b92d256daed8f0a38f69caaa388e8896fafe7ca54e433cae85c1c1ef44926c

    • SSDEEP

      1536:uUzTV3HFhOStXfDEcdHUkAkbR5DJoCG5t27o:ucTVFXfQmU6VJu5t2U

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      langs/Belarusian.ini

    • Size

      105KB

    • MD5

      e345897882019c990457b83651f9ad97

    • SHA1

      2ae5a3917a4a6b1312454b5cc9b4ddf670c667d5

    • SHA256

      75723086a2c083a3d625bdfad8ffb39cac6819bcd84241002ecdd19ec4f3122d

    • SHA512

      c20441612c64b7f2a9a46aa6cd68b950d2056de268bee2132e0d286498a42aebd8cb3cb4c42cd6e618df9b6cb38ca7e2f6e0b6af8fbed5d6ec95edf96e4035e6

    • SSDEEP

      768:wRmpwuzTeCmPMuQKh+k+xP2EEeg5L6PZYp9lJpFGyW1zCRwK9J2p9RiIa0oDgYpT:NzTeCmP7+xuXIa0HmoQz4Yh

    Score
    1/10
    • Target

      langs/Croatian.ini

    • Size

      105KB

    • MD5

      8477123868f12632d652c6da5df683c2

    • SHA1

      23dbeba17e366e1bb5e7d7be156a9be309c9555d

    • SHA256

      5bf2b70edb78073f3ce4fe6d809a3a25c982cb2840b8ebaf4367ebc42f16bd3e

    • SHA512

      b785f8d680f22211c01cfa59cdf86f1bfdeca0446c1c26fc2c144e3018773d22e4050c95cd513d60df9b226df31dc504b5059db168977b3949dbcc428a7ff30d

    • SSDEEP

      768:w0VnpiuM0pY1HIlw1VoIGRweBLUab7Fno8wBtA1yR4IY52t9RM8wE4c+Tyb3TRr2:VdpiuM0pY1olaEZLUYg4c+7wvO60ll

    Score
    1/10
    • Target

      langs/Danish.ini

    • Size

      107KB

    • MD5

      5f50b22de0efb245cd3b8f2fb50a6d3d

    • SHA1

      be369ffd0c47ff92b3aa5c259ab9f4d40807b687

    • SHA256

      59df77a75aca7c0a8574f6d4b5be5632908c4fea8634f4748e36ff6fee40e317

    • SHA512

      f3fec19409ea564bd68f4bd1253297ed8bcbe86554422a22891c61ee237f581f95f6976512e53bcabc5cafe3411343e660d3fb8f398f95f9c1efcec8eaa4367a

    • SSDEEP

      1536:gmGRkLzUJnbfeKzcqt5G+qX59CcZEY9dHbm/c4C1CgqfRG:gmGRbnbfNRt5G+qX59CcNdX47G

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v6

Tactic                 Technique                        Count  ID
Execution              Scripting                        1      T1064
Execution              Scheduled Task                   1      T1053
Persistence            Scheduled Task                   1      T1053
Privilege Escalation   Scheduled Task                   1      T1053
Defense Evasion        Virtualization/Sandbox Evasion   1      T1497
Defense Evasion        File Permissions Modification    1      T1222
Defense Evasion        Scripting                        1      T1064
Defense Evasion        Install Root Certificate         1      T1130
Defense Evasion        Modify Registry                  1      T1112
Credential Access      Credentials in Files             1      T1081
Discovery              Query Registry                   14     T1012
Discovery              Virtualization/Sandbox Evasion   1      T1497
Discovery              System Information Discovery     26     T1082
Collection             Data from Local System           1      T1005
Command and Control    Web Service                      1      T1102

Tasks

static1

themida
Score
7/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

djvu, privateloader, raccoon, redline, smokeloader, ytstealer, 3108_ruzki, @fuschlock, ad82482251879b6e89002f532531462a, andriii_ff, nam6, backdoor, evasion, infostealer, loader, main, ransomware, spyware, stealer, themida, trojan, upx, vmprotect
Score
10/10

behavioral4

djvu, privateloader, raccoon, redline, smokeloader, ytstealer, @fuschlock, ad82482251879b6e89002f532531462a, andriii_ff, mettop1, nam6, backdoor, discovery, evasion, infostealer, loader, miner, ransomware, spyware, stealer, themida, trojan, upx, vmprotect
Score
10/10

behavioral5

Score
3/10

behavioral6

Score
7/10

behavioral7

Score
3/10

behavioral8

Score
7/10

behavioral9

Score
3/10

behavioral10

Score
7/10

behavioral11

Score
3/10

behavioral12

Score
7/10

behavioral13

Score
3/10

behavioral14

Score
7/10

behavioral15

Score
3/10

behavioral16

Score
7/10

behavioral17

Score
3/10

behavioral18

Score
7/10

behavioral19

Score
3/10

behavioral20

Score
7/10

behavioral21

Score
3/10

behavioral22

Score
7/10

behavioral23

Score
3/10

behavioral24

Score
7/10

behavioral25

Score
3/10

behavioral26

Score
7/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10