Overview
overview: score 10/10
Static
static: score 10/10
PL/6523.exe (windows7-x64): score 10/10
PL/6523.exe (windows10-2004-x64): score 10/10
PL/Galaxy.exe (windows7-x64): score 8/10
PL/Galaxy.exe (windows10-2004-x64): score 10/10
PL/Service.exe (windows7-x64): score 10/10
PL/Service.exe (windows10-2004-x64): score 10/10
PL/Une1.exe (windows7-x64): score 8/10
PL/Une1.exe (windows10-2004-x64): score 8/10
PL/pb1115.exe (windows7-x64): score 8/10
PL/pb1115.exe (windows10-2004-x64): score 8/10
PL/setup.exe (windows7-x64): score 10/10
PL/setup.exe (windows10-2004-x64): score 10/10
PL/setup.exe (windows7-x64): score 8/10
PL/setup.exe (windows10-2004-x64): score 8/10
PL/setup331.exe (windows7-x64): score 7/10
PL/setup331.exe (windows10-2004-x64): score 7/10
General
Target: PL.zip
Size: 13.7MB
Sample: 221004-z1zqascghm
MD5: 548bdfcb86652c14659e019e9f838f42
SHA1: c8a7719e5f574a0c18566216551ae6e7bdae33f3
SHA256: 4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5
SHA512: cc9a2611d43be920d673764d89360adc530fef88b6ed773e9236241eb2f14cec751726680a07a88abeca852873252987114e14381c1645849141b55ba6bd28af
SSDEEP: 196608:/C7YJFaPZRe9KwX9MqDO+SSwsvAlNSzo47accS3/xm0m2nXvmdO/yguT5fR6Dma7:lg/wWqDOo0SklSm0xmdOduT5fkia8JY
Behavioral tasks
behavioral1: PL/6523.exe, resource win7-20220812-en
behavioral2: PL/6523.exe, resource win10v2004-20220812-en
behavioral3: PL/Galaxy.exe, resource win7-20220901-en
behavioral4: PL/Galaxy.exe, resource win10v2004-20220812-en
behavioral5: PL/Service.exe, resource win7-20220812-en
behavioral6: PL/Service.exe, resource win10v2004-20220901-en
behavioral7: PL/Une1.exe, resource win7-20220901-en
behavioral8: PL/Une1.exe, resource win10v2004-20220901-en
behavioral9: PL/pb1115.exe, resource win7-20220812-en
behavioral10: PL/pb1115.exe, resource win10v2004-20220812-en
behavioral11: PL/setup.exe, resource win7-20220812-en
behavioral12: PL/setup.exe, resource win10v2004-20220901-en
behavioral13: PL/setup.exe, resource win7-20220812-en
behavioral14: PL/setup.exe, resource win10v2004-20220812-en
behavioral15: PL/setup331.exe, resource win7-20220812-en
behavioral16: PL/setup331.exe, resource win10v2004-20220812-en
Malware Config
Extracted: privateloader
payload_url: https://vipsofts.xyz/files/mega.bmp
Extracted: djvu
http://winnlinne.com/lancer/get.php
extension: .adww
offline_id: z8lhl4oForVEc7gy9Ra8rSqjYMl3xiFRuIW4not1
payload_url:
http://rgyui.top/dl/build2.exe
http://winnlinne.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-g28rVcqA58 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0573Jhyjd
Extracted: vidar
54.9
517
https://t.me/larsenup
https://ioc.exchange/@zebra54
profile_id: 517
Extracted: vidar
54.9
1703
https://t.me/larsenup
https://ioc.exchange/@zebra54
profile_id: 1703
Extracted: redline
Neo3
tyastazirowi.xyz:80
yaterirennin.xyz:80
auth_value: 646532deba483490225021877e8b02a0
Extracted: nymaim
208.67.104.97
85.31.46.167
Extracted: redline
PremiumCloud#41
151.80.89.227:45878
auth_value: 6011f107082889840844bd9a1730558b
Extracted: redline
1
79.110.62.196:35726
auth_value: 4b711fa6f9a5187b40500266349c0baf
Extracted: redline
Buk2
tyastazirowi.xyz:80
yaterirennin.xyz:80
auth_value: 813662de00b041e18fa868da733fca07
Targets

Target: PL/6523.exe
Size: 264KB
MD5: b2949b2eb9db982c3782953de8a2573f
SHA1: 34ff1afa580b8ca0c23d818f62aafe11e9e16fc2
SHA256: ef5b55fdd770f3c9cbd4a86cc0afe70e79d4d634bd7c88d6d48e07d5a6742dca
SHA512: 368d9851bce5bd3aa35d41a2b64ad84f4ebe8ff7611fe4b09ca61db298ac8a5590dd11c8ca56786088c311ab7c5c83ac4da819b50cf449b50704c88b482e33d2
SSDEEP: 6144:9+dLV/BxVCLYAXfIeyJuzbgwu70kmiHwVfU:9a5/BxsLYAXWunnsSiv
- Detected Djvu ransomware
- Detects Smokeloader packer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: PL/Galaxy.exe
Size: 261KB
MD5: 637b4e8a4fbef797b42d6979b652a3db
SHA1: 3f7c391b86c27b6414c89135d7e04d913ae151c5
SHA256: 27b752bc4139c9c12d1caff4bef199e7a25ee6caf06eb9897cf615f9cc9c233d
SHA512: 3099e1dde974a395529651f163f6e4e32478657b4530fa1f3d4e39adbb045c5ca3e8e51b35ab524ec0c03cdbaca37eb8a41c3d5b0f3ab96a8461b42c4a60e38f
SSDEEP: 1536:II47GyTGCwiSnmQUt0LB1Efs5gJpoBWBtjKM4le7Qc58wsa0rc3roPhQDbTp:IvGyYiSDnt1E05m9p
Score: 10/10
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Executes dropped EXE
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: PL/Service.exe
Size: 400KB
MD5: 9519c85c644869f182927d93e8e25a33
SHA1: eadc9026e041f7013056f80e068ecf95940ea060
SHA256: f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512: dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
SSDEEP: 6144:NrkuBHTtY9Jgfq80nzm5tBD2AsG8x0Ca0Hv06A0md0OUGHLzmijOceK2HSw3pXqC:NrkIT/y8T5PVsSnXOc+HSQJKLw
- Detects Smokeloader packer
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: PL/Une1.exe
Size: 900KB
MD5: c340449d532642420d4bedc2e9f7ce7c
SHA1: 6153df468674d2eb1680eb6bb0e1bdbc0d6856b7
SHA256: a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
SHA512: c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3
SSDEEP: 12288:5S7lrM9H8y8ea2SONB3/FI3o+fQqZ/pXVrMkM0ke4jNHUJopuBXidpX1ScBl/2GE:eM9H9MMIh4qZRVgtjOoAYX1SgB74j/
Score: 8/10
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: PL/pb1115.exe
Size: 3.5MB
MD5: 04aeaa8f06b71a72b8905da20f679b10
SHA1: ebfa60215fcce5a369f1b340f1232125e37f7a68
SHA256: 55c1cbe7368ef1eafbd435a2b570f362868bd2afda1ddbe59bcbb51b7fc63383
SHA512: 5c393a8e6b3327ece1555aa73111f67e4858898efbbe38ac757a96d91da26a83f0b130e18b6955796e76bd4300475e8eeec63171c8ef407a09069874f48d5774
SSDEEP: 98304:l1kvho0RcPjNWqCdGujwByZm94cGZ+qOUKsE:fkZtcPjNW/GowUE9W+DUK
Score: 8/10

Target: PL/setup.exe
Size: 352KB
MD5: ad3374b444437df5f5102ab63a45d327
SHA1: 65302eb15520d64565e64e9cc74fdd09fbad79ef
SHA256: b3936ea34f4e0235a1715706b7736a6bf0999441c8c37f1f75b4250e7b9b9992
SHA512: 0e569bd15a25649b7293b539118f77ca9920e7a835acd24b75bf6f33c3de3f7e5ddcf9675a6f174af6292f39e88cb6f380f0d1165ed0f1419de41e4348ae2463
SSDEEP: 6144:tK/VQLDETxJSm8oMKGreTfbmBdbNB6yqpx4T50G3YilTuzbgwuds7wVfE:wNQExJjFGreDbmBNfCWdjunnp
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable: AutoIT scripts compiled to PE executables.

Target: PL/setup.exe_
Size: 7.3MB
MD5: 8b036a5a7406f7227ac65f44e1827fca
SHA1: 3a8499ecca8be3f69cc7163b03f3f499bbe8276f
SHA256: 85250ca9f679cdfebe009b7d66e409b330b35d6021e84e2ef7ceb0d64acdeff1
SHA512: 91cecf5c22bd32fe5cead41884773933b49791e57e00a369818d716dea34433bb558e9feb5b2dfc37f2b4b3488c05dcc50ef1b0f267936c2945308f2e9f32b5a
SSDEEP: 196608:91OeU0YzI5dCR00/4+cmJ/Dwami5rf0RejcO2h4I:3OxOCClgwa70Rej2h4I
Score: 8/10
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory

Target: PL/setup331.exe
Size: 2.0MB
MD5: 2486b7f5f41d592ec4781b54cd828f70
SHA1: 604009984d2f335a969ab447a61beec8661a99fe
SHA256: aa0a01e35fe2110068e1934eb568f5d3a41abe4b73a64a045f9a9ab8e085114c
SHA512: 116cee6490ae2b631b0457c0ae328f88df74bff3b8f2b47652366cf125d22fc910733859825ed181ae547a664c15e5358c95cdd6b874c43cc426303bfd841370
SSDEEP: 49152:3rBfJXAEYCT6v3vX/1AkJxopk7lDiQCv3e6rNx:3rBfKEYd3v+Ioi7Rg5x
Score: 7/10
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Registry Run Keys / Startup Folder: 4
- Scheduled Task: 3
- Modify Existing Service: 1
Defense Evasion
- File Permissions Modification: 1
- Modify Registry: 6
- Disabling Security Tools: 1
- Scripting: 1
- Install Root Certificate: 1