General

  • Target

    ts.exe

  • Size

    7.0MB

  • Sample

    220914-veqs2sahc2

  • MD5

    bf3260619b1692d02130c12cf3ed79ab

  • SHA1

    c57c977254bf63052704f5acc2fd2c67eedd3ffb

  • SHA256

    c7fa25f2c9d0c1edb55b3a214b69da8f1ae8515cdb2b15412133a6fcb643f0f6

  • SHA512

    b5367c0e402209cbd43a0da40e2f82de6190bfbe146f05928a644cfe9812b8ffed0cd7dbf600b88bd5648e625d1122db0448b1f551a3408f7051ed77f68d9ca7

  • SSDEEP

    98304:tNoOrhfhzTC7lQRSAWiF4ZkNfUB5lZ2hnLvxbHElMEo4fqU1DGD9GMqbncXwTv:TjfhnWSREdk2LGdElMxrU1DsTIMwTv

Malware Config

Extracted
  • Family: privateloader
  • C2:
    http://163.123.143.4/proxies.txt
    http://107.182.129.251/server.txt
    pastebin.com/raw/A7dSG1te
    http://wfsdragon.ru/api/setStats.php
    163.123.143.12
  • Attributes
    payload_url: https://vipsofts.xyz/files/mega.bmp

Extracted
  • Family: redline
  • Botnet: 5
  • C2: 79.110.62.196:26277
  • Attributes
    auth_value: febe6965b41d2583ad2bb6b5aa23cfd5

Extracted
  • Family: redline
  • Botnet: nam6.2
  • C2: 103.89.90.61:34589
  • Attributes
    auth_value: 4040fe7c77de89cf1a6f4cebd515c54c

Extracted
  • Family: redline
  • Botnet: ruzki14
  • C2: 176.113.115.146:9582
  • Attributes
    auth_value: 688c6d70531c05d3fba22723e72366f6

Extracted
  • Family: redline
  • Botnet: @forceddd_lzt
  • C2: 5.182.36.101:31305
  • Attributes
    auth_value: 91ffc3d776bc56b5c410d1adf5648512

Extracted
  • Family: nymaim
  • C2:
    208.67.104.97
    85.31.46.167

Extracted
  • Family: redline
  • Botnet: 3108_RUZKI
  • C2: 213.219.247.199:9452
  • Attributes
    auth_value: f71fed1cd094e4e1eb7ad1c53e542bca

Extracted
  • Family: redline
  • Botnet: @Fate1337LZT
  • C2: 185.106.92.226:40788
  • Attributes
    auth_value: d5b0c3e4b1aa22b78b0ce7bd07c3acd7

Extracted
  • Family: redline
  • Botnet: Zalupa123
  • C2: 185.241.54.113:31049
  • Attributes
    auth_value: 6cfaf38d32211695743702fddac6cc88

Extracted
  • Family: redline
  • C2: 81.161.229.143:27938
  • Attributes
    auth_value: 6687e352a0604d495c3851d248ebf06f

Targets

    • Target

      ts.exe

    • Size

      7.0MB

    • MD5

      bf3260619b1692d02130c12cf3ed79ab

    • SHA1

      c57c977254bf63052704f5acc2fd2c67eedd3ffb

    • SHA256

      c7fa25f2c9d0c1edb55b3a214b69da8f1ae8515cdb2b15412133a6fcb643f0f6

    • SHA512

      b5367c0e402209cbd43a0da40e2f82de6190bfbe146f05928a644cfe9812b8ffed0cd7dbf600b88bd5648e625d1122db0448b1f551a3408f7051ed77f68d9ca7

    • SSDEEP

      98304:tNoOrhfhzTC7lQRSAWiF4ZkNfUB5lZ2hnLvxbHElMEo4fqU1DGD9GMqbncXwTv:TjfhnWSREdk2LGdElMxrU1DsTIMwTv

    Score
    1/10
    • Target

      Install.exe

    • Size

      715.3MB

    • MD5

      71c8dbd53f77777dcc663c9bce5fe588

    • SHA1

      66008a2ceac550c246645ff2d33734014645a8bb

    • SHA256

      fc7b3fd579e40a691cddecc9eb413996d30ddbd8d78a9e483d015f09510fde1c

    • SHA512

      ae972a7c810e59f3a566938f1a67c46c373ccd895ed6cd96fa87fba79ca60392bbf65913029ed9b671e4cbea8dfc47f4817a67734b60840fee03c816f5d62aef

    • SSDEEP

      98304:gUgVBq1XrkDRvTH++2LDyli5l1H6lGGu6xuojjObjGsM5vCFKTyw:gUaBkQV+3LDyW6lGZrojj8nsaKT5

    • NyMaim

      NyMaim is malware with various capabilities, written in C++ and first seen in 2013.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      advapi32res.dll

    • Size

      2KB

    • MD5

      5f0cba32090f0a295ff21949d1d81dc3

    • SHA1

      505fb000950d469ac57f208948061850732f933f

    • SHA256

      b82b072342b08e2fb5fe97cb28a9c02289ad6ce501510f7e61eea0fd56297ee0

    • SHA512

      8980043af0ee746bd3e2b684580e9edd3b1c6525c22add8ac54270abfed740897eb6392661727b30bba125feec1dbd046d11748293c7dd1054795410c9a29403

    Score
    1/10
    • Target

      fonts/Alakob.ttf

    • Size

      80KB

    • MD5

      5444bc745e7ed4c48fca3ec966348d83

    • SHA1

      c207c04ac3c911bc9ab41527fb7f9bde38c34302

    • SHA256

      2fbe2974774c313fada28762fa25641f7f58966632844496854f7386b9fb4fc3

    • SHA512

      97fe730bf4e296347f44f35d8fb4327f9b65514bbf10ebb2ca34e334568f64e55245c0c84c2aa70c1db1cc5cf2232cba59048177e2b6f72a462ca3bd09c73199

    • SSDEEP

      1536:PVpNLCyksGGnbex1Y73PYspairXb1Mrw3:PRLGvuj1b

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/AlaskanNights.ttf

    • Size

      86KB

    • MD5

      6023142ebf3036a781a79c411aaa0131

    • SHA1

      a37c1f9d5d252f9b16fab911a13332229d735a8b

    • SHA256

      5be4c4b438cb72291ce80ee536dbca19226a1801e7a8906cfc20d1e499f64da8

    • SHA512

      e3f68ec5335de1eb058e26c023522a4747469572439c7c8b3b0cde84cd8d7a11385703ac40a5149eb626701af731522f67579841da30650078bc2edc24672f95

    • SSDEEP

      1536:d5ydfOTA+yFfcMS/l9QY0CKrK9ngh6+QsTvDgGagGoJ0JjFmQ:d5gfAA+qfcMhY0CCcK6dOMG1GD

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/Arggotsc.ttf

    • Size

      88KB

    • MD5

      1a1ec864b6c0730c8be73b99a092bf46

    • SHA1

      b621b1ef3365eeeb562073b7affd2177d63342a4

    • SHA256

      85d7a5ef7867ab572048c9a4f422526f249da11f3236e8763a737d66df08e096

    • SHA512

      8ac4b1b54c92ce4b7dd1c3419243f13cf5c1e7537b768db3306787223904083d562809fcb18ac26707f67518e05558bd9d89fab46a3500fbef3aaa5f9cb38617

    • SSDEEP

      1536:yRpVPVxnzULhyM1toY7I+Q2+QZMDxRJyG7Syl/6JsOgTpqRkX5/qb5UB:yjVPV1zUVyYRQ2hZmRJyG7Syl/6J1gTZ

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/Army Condensed.ttf

    • Size

      88KB

    • MD5

      4fc2a69c1a58a479ea501641463dd19f

    • SHA1

      080a97a955cbff3ee9d88e9dea0fda58a9aba354

    • SHA256

      68a898d8fc09b12bccb1606df2f48f184af82299f29767f6c3df24f29a2194b3

    • SHA512

      ecea227664e8a301822099277b70b9b6264bbd381cf11aa62dfc261bd5b22d2c6d38245a5797a065ae877e88f8f8a8e5265131bcf5faab96fc6d746b3b253e4c

    • SSDEEP

      1536:W8AwW6ZnpojFGojMHgacRAaDug2FmoaatdxrnUxwa:W8e6ZnejFTjMHgacRAaDug2FmoaaTxr6

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/Army Thin.ttf

    • Size

      88KB

    • MD5

      9c0996fba26512ad5120010e385e208d

    • SHA1

      37a752173b71a3a3e27a7c6ac825b69db622fba4

    • SHA256

      b00dd75d282e11a2067bb8341c9c2b4a1c2ae5db3029e584d92a4549fb784d48

    • SHA512

      c9fca09824a7192afb128c1b9cfcb1bf0c7e39ad1a269ddb4b271a65f7cb0b4d0d8a155f5485e32dc8c036fee9bfe29f11e97399632132c47514adf893574ed7

    • SSDEEP

      1536:R2o690qRKBuTRKBoxIddKOyjgUq867OrUsw+gpG5I/:j690qYBuTYBoxIddKOyjgUI7OrU4gpGC

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BELL.TTF

    • Size

      82KB

    • MD5

      1c4ab54d66597df75ca60fdce4f7d5a1

    • SHA1

      39fc668abe9b5e8d4434645f4c5ada1f738918ec

    • SHA256

      986a5b8bb70238e3c896e3113ef581df26204131f72d59fc12d2deef7ef89e4c

    • SHA512

      70338679f8968b780e032adb22091ad4be837e6fa55aeef22f01b0c49712bd5b1f218c0406459bc2dde9210dec8d607987eb921cc2e46bd42f6cd36c69d6e91a

    • SSDEEP

      1536:tL///OJG0BlR+xVunsAYRzVvtkA43C8qbgrQPJpS0D6K:tTOJG0BlTnsAYRzV4Sx0rQPJpS0H

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BELLB.TTF

    • Size

      80KB

    • MD5

      f37324d3575c7132e330af3c8f08da17

    • SHA1

      1e14164f2bf6d6972744642d0a6c8afce4d6daa4

    • SHA256

      dcc8d42eebbab6822f736a7b99e1c9d6ee6861b247a19049bb33e5955d991dde

    • SHA512

      80e2daad5319c8a732bec4eb5b7b62fd88979638df98e104688dd9747f0f4089f5a68e61509ce0c7a7590e1c73ad4564a41e97b7a8dd16d12947daa48935f743

    • SSDEEP

      1536:EIIZKRcnuonqV3nVbISbjFameCNLs6EzeJFE1bXzyjVNfpS0vH:qn9nW3VbXTesWyYFXzyjlS0f

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BELLI.TTF

    • Size

      80KB

    • MD5

      ba1290cbcb6aaa574890480e1c6aaae8

    • SHA1

      ebf24824518b4acd20e83f7b92d6544b9e14c43e

    • SHA256

      17b6e7689e333fea42b19d817427cecf95b86a340bb0af5babba3ab25e6a1b40

    • SHA512

      2660f026b7bf8c5901ece717775b56209ff23fb2662395944b102c70a2b3af8cb6147d48dd110435a3f3ab317110ce03bcd9c937119f5fd9b28425f7a0970268

    • SSDEEP

      1536:5aKaWffRTcCt7D5WNOfWzz1as3HYGuMzDMPcYEcRSbS0q:hfFc0n5WNgWzpawhuM/9YEiSbS0q

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BOD_BI.TTF

    • Size

      83KB

    • MD5

      5bb67e55de4ee82aff5585b7bc7df099

    • SHA1

      30c29ebba4511f7ffb96bc056bfb6531229011f4

    • SHA256

      9729e2ae73b15871db606a18a48b8674ce2bae35d76a511d3510c4a9db2385ef

    • SHA512

      51e91ff81bf05e2cd05d0caaf81f8ce6742d7ef9b8f7857daad2bbad085f419d6773c1bd664f040bf0028f51139046bb23589c1c66c3c4065dfd34d246c64c84

    • SSDEEP

      1536:j0mROXFT8UwUDH49fe7/jtYMXVT4FBMDbsJ4/RG2luywo60qdlnHy721Mslt6l2G:wnXp8UwUDY9fC0gTqy4DnSK1MsN9uELO

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BOD_BLAI.TTF

    • Size

      81KB

    • MD5

      88223fea14008bf33f1bd87cedf7abb2

    • SHA1

      470db15feb2f73f379ea47eccee748e011f4d36c

    • SHA256

      29854f6597ca7b46db601c7a2eb28c13e31ee0541c7a5a499581fdee8da1b1d5

    • SHA512

      5297d0ef901282ac1af31aa32abac416938e1a825a7f0e6258cdf43c075ec579f874f79303904f09428101151ca475e7e9f1c038c44468d278393806d7335119

    • SSDEEP

      1536:KlawylA41hhpjLRFJDG1ZkydlzGJ6j+qCNEcoUgKK7:aawylAIHw1ZkyDG6jIoUC7

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/BOD_I.TTF

    • Size

      87KB

    • MD5

      cec8a6834241575dcafba6d7504d64b8

    • SHA1

      3d412b305c3d93474c9fe02f60a049a9e87aeaab

    • SHA256

      960458b4c0851b8b9f1d047fe50f7fa01ddfbecaec692521d262660882e9596a

    • SHA512

      9a3e79f5a04e6f0794099788c07330b97c4ab31e95df745cea9d5e8cbc7dba2a01a04dc4cbc7b93fcd76a7d1240f073f256ec7d5a9ce08d62312b01d4fd10e78

    • SSDEEP

      1536:4AxM2frzSwDp3Qe0hmIyz9TJyCh1qaoDR9nbZ1v6jZCSpxiOvHdlGDw2taRkvwGv:4ARzSwN3QTld9iUGRDGweskvwNWV/wEt

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/CALISTB.TTF

    • Size

      83KB

    • MD5

      d267423924483ddc3dbb9e4e94199d59

    • SHA1

      08bedc20a8afa111d9fa609e723142b336a69940

    • SHA256

      1b3949401e310a5967a4c108bb9be49e28e69f73095ad088f783035e8f22d28f

    • SHA512

      998f246a21daa1fd8afe678d1f088a1fd0c14d9b779631c70fd7f0a670ce72a1fa1fccfb3d910b519522092ed2d272a6b1b0d56980f5d4ab284ce362b98bdee0

    • SSDEEP

      1536:NN4whnJ2yG51+b9Qfxr25cdoHxQdt52qcYSC/MZyfrX:37nJ2PsbOfQamR252qZSxyfrX

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fonts/CALISTBI.TTF

    • Size

      82KB

    • MD5

      b8178488b4decb255bd3094b320600ac

    • SHA1

      315bf5a35ef284a71fd90f304767c8d90d6883cd

    • SHA256

      9b9e45f016b013d92c3caf1985db22f85e39c8b1f208636f9ac21f9c135239ce

    • SHA512

      3e98e8484ba5ac6c1475af24ae9ae55045511a46baf250ca36d4bb2b64e74b67e9b58a289572ee2609662685ab7218cf8fee200400a417a310bd7b82f47af1e6

    • SSDEEP

      1536:fAsN4DofckwriM3kM+cGEGjmU+xXXXozKbR5ITHpfLR8eXHVBGgIuBoQPeV9pfrr:fT0oYiMURcGEF7x3EKfiZRrfGgIsPsD/

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix ATT&CK v6

Execution
  • Scheduled Task (1) T1053

Persistence
  • Scheduled Task (1) T1053

Privilege Escalation
  • Scheduled Task (1) T1053

Defense Evasion
  • Virtualization/Sandbox Evasion (1) T1497
  • Install Root Certificate (1) T1130
  • Modify Registry (1) T1112

Credential Access
  • Credentials in Files (3) T1081

Discovery
  • Query Registry (18) T1012
  • Virtualization/Sandbox Evasion (1) T1497
  • System Information Discovery (31) T1082

Collection
  • Data from Local System (3) T1005

Tasks

  • static1: Score N/A
  • behavioral1: Score 1/10
  • behavioral2: Score 1/10
  • behavioral3: Score 10/10
    Tags: privateloader, discovery, loader, spyware, stealer
  • behavioral4: Score 10/10
    Tags: nymaim, privateloader, redline, 3108_ruzki, 5, @fate1337lzt, @forceddd_lzt, nam6.2, ruzki14, zalupa123, discovery, evasion, infostealer, loader, spyware, stealer, trojan, vmprotect
  • behavioral5: Score 1/10
  • behavioral6: Score 1/10
  • behavioral7: Score 3/10
  • behavioral8: Score 7/10
  • behavioral9: Score 3/10
  • behavioral10: Score 7/10
  • behavioral11: Score 3/10
  • behavioral12: Score 7/10
  • behavioral13: Score 3/10
  • behavioral14: Score 7/10
  • behavioral15: Score 3/10
  • behavioral16: Score 7/10
  • behavioral17: Score 3/10
  • behavioral18: Score 7/10
  • behavioral19: Score 3/10
  • behavioral20: Score 7/10
  • behavioral21: Score 3/10
  • behavioral22: Score 7/10
  • behavioral23: Score 3/10
  • behavioral24: Score 7/10
  • behavioral25: Score 3/10
  • behavioral26: Score 7/10
  • behavioral27: Score 3/10
  • behavioral28: Score 7/10
  • behavioral29: Score 3/10
  • behavioral30: Score 7/10
  • behavioral31: Score 3/10
  • behavioral32: Score 7/10