General

  • Target

    PL.zip

  • Size

    13.7MB

  • Sample

    221004-z1zqascghm

  • MD5

    548bdfcb86652c14659e019e9f838f42

  • SHA1

    c8a7719e5f574a0c18566216551ae6e7bdae33f3

  • SHA256

    4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

  • SHA512

    cc9a2611d43be920d673764d89360adc530fef88b6ed773e9236241eb2f14cec751726680a07a88abeca852873252987114e14381c1645849141b55ba6bd28af

  • SSDEEP

    196608:/C7YJFaPZRe9KwX9MqDO+SSwsvAlNSzo47accS3/xm0m2nXvmdO/yguT5fR6Dma7:lg/wWqDOo0SklSm0xmdOduT5fkia8JY

Malware Config

Extracted

Family

privateloader

C2

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes
  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Extracted

Family

djvu

C2

http://winnlinne.com/lancer/get.php

Attributes
  • extension

    .adww

  • offline_id

    z8lhl4oForVEc7gy9Ra8rSqjYMl3xiFRuIW4not1

  • payload_url

    http://rgyui.top/dl/build2.exe

    http://winnlinne.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-g28rVcqA58 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0573Jhyjd

  • rsa_pubkey.plain

Extracted

Family

vidar

Version

54.9

Botnet

517

C2

https://t.me/larsenup

https://ioc.exchange/@zebra54

Attributes
  • profile_id

    517

Extracted

Family

vidar

Version

54.9

Botnet

1703

C2

https://t.me/larsenup

https://ioc.exchange/@zebra54

Attributes
  • profile_id

    1703

Extracted

Family

redline

Botnet

Neo3

C2

tyastazirowi.xyz:80

yaterirennin.xyz:80

Attributes
  • auth_value

    646532deba483490225021877e8b02a0

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Extracted

Family

redline

Botnet

PremiumCloud#41

C2

151.80.89.227:45878

Attributes
  • auth_value

    6011f107082889840844bd9a1730558b

Extracted

Family

redline

Botnet

1

C2

79.110.62.196:35726

Attributes
  • auth_value

    4b711fa6f9a5187b40500266349c0baf

Extracted

Family

redline

Botnet

Buk2

C2

tyastazirowi.xyz:80

yaterirennin.xyz:80

Attributes
  • auth_value

    813662de00b041e18fa868da733fca07

Targets

    • Target

      PL/6523.exe

    • Size

      264KB

    • MD5

      b2949b2eb9db982c3782953de8a2573f

    • SHA1

      34ff1afa580b8ca0c23d818f62aafe11e9e16fc2

    • SHA256

      ef5b55fdd770f3c9cbd4a86cc0afe70e79d4d634bd7c88d6d48e07d5a6742dca

    • SHA512

      368d9851bce5bd3aa35d41a2b64ad84f4ebe8ff7611fe4b09ca61db298ac8a5590dd11c8ca56786088c311ab7c5c83ac4da819b50cf449b50704c88b482e33d2

    • SSDEEP

      6144:9+dLV/BxVCLYAXfIeyJuzbgwu70kmiHwVfU:9a5/BxsLYAXWunnsSiv

    • Detected Djvu ransomware

    • Detects Smokeloader packer

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      PL/Galaxy.exe

    • Size

      261KB

    • MD5

      637b4e8a4fbef797b42d6979b652a3db

    • SHA1

      3f7c391b86c27b6414c89135d7e04d913ae151c5

    • SHA256

      27b752bc4139c9c12d1caff4bef199e7a25ee6caf06eb9897cf615f9cc9c233d

    • SHA512

      3099e1dde974a395529651f163f6e4e32478657b4530fa1f3d4e39adbb045c5ca3e8e51b35ab524ec0c03cdbaca37eb8a41c3d5b0f3ab96a8461b42c4a60e38f

    • SSDEEP

      1536:II47GyTGCwiSnmQUt0LB1Efs5gJpoBWBtjKM4le7Qc58wsa0rc3roPhQDbTp:IvGyYiSDnt1E05m9p

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      PL/Service.exe

    • Size

      400KB

    • MD5

      9519c85c644869f182927d93e8e25a33

    • SHA1

      eadc9026e041f7013056f80e068ecf95940ea060

    • SHA256

      f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

    • SHA512

      dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

    • SSDEEP

      6144:NrkuBHTtY9Jgfq80nzm5tBD2AsG8x0Ca0Hv06A0md0OUGHLzmijOceK2HSw3pXqC:NrkIT/y8T5PVsSnXOc+HSQJKLw

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

    • NyMaim

      NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      PL/Une1.exe

    • Size

      900KB

    • MD5

      c340449d532642420d4bedc2e9f7ce7c

    • SHA1

      6153df468674d2eb1680eb6bb0e1bdbc0d6856b7

    • SHA256

      a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103

    • SHA512

      c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3

    • SSDEEP

      12288:5S7lrM9H8y8ea2SONB3/FI3o+fQqZ/pXVrMkM0ke4jNHUJopuBXidpX1ScBl/2GE:eM9H9MMIh4qZRVgtjOoAYX1SgB74j/

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      PL/pb1115.exe

    • Size

      3.5MB

    • MD5

      04aeaa8f06b71a72b8905da20f679b10

    • SHA1

      ebfa60215fcce5a369f1b340f1232125e37f7a68

    • SHA256

      55c1cbe7368ef1eafbd435a2b570f362868bd2afda1ddbe59bcbb51b7fc63383

    • SHA512

      5c393a8e6b3327ece1555aa73111f67e4858898efbbe38ac757a96d91da26a83f0b130e18b6955796e76bd4300475e8eeec63171c8ef407a09069874f48d5774

    • SSDEEP

      98304:l1kvho0RcPjNWqCdGujwByZm94cGZ+qOUKsE:fkZtcPjNW/GowUE9W+DUK

    Score
    8/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Target

      PL/setup.exe

    • Size

      352KB

    • MD5

      ad3374b444437df5f5102ab63a45d327

    • SHA1

      65302eb15520d64565e64e9cc74fdd09fbad79ef

    • SHA256

      b3936ea34f4e0235a1715706b7736a6bf0999441c8c37f1f75b4250e7b9b9992

    • SHA512

      0e569bd15a25649b7293b539118f77ca9920e7a835acd24b75bf6f33c3de3f7e5ddcf9675a6f174af6292f39e88cb6f380f0d1165ed0f1419de41e4348ae2463

    • SSDEEP

      6144:tK/VQLDETxJSm8oMKGreTfbmBdbNB6yqpx4T50G3YilTuzbgwuds7wVfE:wNQExJjFGreDbmBNfCWdjunnp

    Score
    10/10
    • NyMaim

      NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      PL/setup.exe_

    • Size

      7.3MB

    • MD5

      8b036a5a7406f7227ac65f44e1827fca

    • SHA1

      3a8499ecca8be3f69cc7163b03f3f499bbe8276f

    • SHA256

      85250ca9f679cdfebe009b7d66e409b330b35d6021e84e2ef7ceb0d64acdeff1

    • SHA512

      91cecf5c22bd32fe5cead41884773933b49791e57e00a369818d716dea34433bb558e9feb5b2dfc37f2b4b3488c05dcc50ef1b0f267936c2945308f2e9f32b5a

    • SSDEEP

      196608:91OeU0YzI5dCR00/4+cmJ/Dwami5rf0RejcO2h4I:3OxOCClgwa70Rej2h4I

    Score
    8/10
    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      PL/setup331.exe

    • Size

      2.0MB

    • MD5

      2486b7f5f41d592ec4781b54cd828f70

    • SHA1

      604009984d2f335a969ab447a61beec8661a99fe

    • SHA256

      aa0a01e35fe2110068e1934eb568f5d3a41abe4b73a64a045f9a9ab8e085114c

    • SHA512

      116cee6490ae2b631b0457c0ae328f88df74bff3b8f2b47652366cf125d22fc910733859825ed181ae547a664c15e5358c95cdd6b874c43cc426303bfd841370

    • SSDEEP

      49152:3rBfJXAEYCT6v3vX/1AkJxopk7lDiQCv3e6rNx:3rBfKEYd3v+Ioi7Rg5x

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • T1053 Scheduled Task (3)

  • T1064 Scripting (1)

Persistence

  • T1060 Registry Run Keys / Startup Folder (4)

  • T1053 Scheduled Task (3)

  • T1031 Modify Existing Service (1)

Privilege Escalation

  • T1053 Scheduled Task (3)

Defense Evasion

  • T1222 File Permissions Modification (1)

  • T1112 Modify Registry (6)

  • T1089 Disabling Security Tools (1)

  • T1064 Scripting (1)

  • T1130 Install Root Certificate (1)

Credential Access

  • T1081 Credentials in Files (5)

Discovery

  • T1012 Query Registry (15)

  • T1082 System Information Discovery (19)

  • T1120 Peripheral Device Discovery (2)

  • T1057 Process Discovery (2)

  • T1018 Remote System Discovery (2)

Collection

  • T1005 Data from Local System (5)

  • T1114 Email Collection (1)

Command and Control

  • T1102 Web Service (3)

Tasks

  • static1

    loader, vmprotect, privateloader

    Score 10/10

  • behavioral1

    smokeloader, backdoor, trojan

    Score 10/10

  • behavioral2

    djvu, smokeloader, vidar, 1703, 517, backdoor, collection, discovery, persistence, ransomware, spyware, stealer, trojan

    Score 10/10

  • behavioral3

    persistence

    Score 8/10

  • behavioral4

    redline, neo3, infostealer, persistence

    Score 10/10

  • behavioral5

    privateloader, evasion, loader, main, persistence, spyware, stealer, trojan, upx, vmprotect

    Score 10/10

  • behavioral6

    nymaim, privateloader, redline, smokeloader, 1, buk2, premiumcloud#41, backdoor, discovery, evasion, infostealer, loader, main, persistence, spyware, stealer, trojan, upx, vmprotect

    Score 10/10

  • behavioral7

    persistence

    Score 8/10

  • behavioral8

    persistence

    Score 8/10

  • behavioral9

    vmprotect

    Score 8/10

  • behavioral10

    vmprotect

    Score 8/10

  • behavioral11

    nymaim, trojan

    Score 10/10

  • behavioral12

    nymaim, trojan

    Score 10/10

  • behavioral13

    Score 8/10

  • behavioral14

    Score 8/10

  • behavioral15

    Score 7/10

  • behavioral16

    Score 7/10