Overview

overview

10

Static

static

infected/F...98.exe

windows7-x64

8

infected/F...98.exe

windows10-2004-x64

8

infected/I...er.exe

windows7-x64

10

infected/I...er.exe

windows10-2004-x64

10

infected/R...ed.exe

windows7-x64

10

infected/R...ed.exe

windows10-2004-x64

10

infected/S...64.exe

windows7-x64

10

infected/S...64.exe

windows10-2004-x64

10

infected/b...kO.exe

windows7-x64

10

infected/b...kO.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    infected.zip

  • Size

    18.7MB

  • Sample

    230115-vqcesshe44

  • MD5

    108f04f34103c17df326ed15796773af

  • SHA1

    cfe188485d181f32a411bf74480d367776e79143

  • SHA256

    4c7081148a218b609dca62b2ce1106e4a2e075671b0fb64352056cd6e58e7873

  • SHA512

    5cfe0a93c161cb0b1ddb1fe4296b5bccca41d1d450988b21fe3c925128f2e24d4b781c849d442325d849f2ab31187f9b5749a475e072b2ceb7a70d2f09f879e1

  • SSDEEP

    393216:It2dL3J4poAWVA+3v0djDRlzlear0T5MmkoDHl7fAH//M75bv13O:IEdL3J2WgxlzQaroj1bl74H/Y5bv1e

Score
10/10
gcleanerpurecrypterraccoonredlinerhadamanthysvidar8148f25ed0aa267992c7856160c3951e20beb3a206cd939601b2a6d00ea009a6d7ebootkitdiscoverydownloaderevasioninfostealerloaderpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

gcleaner

C2

85.208.136.148

85.208.136.56

85.208.136.48

85.208.136.87

Extracted

Family

raccoon

Botnet

eb3a206cd939601b2a6d00ea009a6d7e

C2

http://88.119.175.57/

rc4.plain

Extracted

Family

purecrypter

C2

https://falcaoliderfm.com.br/wp-admin/images/css/cover/bo/Jvizg.dll

Extracted

Family

raccoon

Botnet

8f25ed0aa267992c7856160c3951e20b

C2

http://77.73.133.23/

rc4.plain

Extracted

Family

redline

C2

82.115.223.46:57672

Attributes
  • auth_value

    422677a3af554849aa4fba45f91db2d0

Extracted

Family

vidar

Version

1.8

Botnet

814

C2

https://t.me/year2023start

https://steamcommunity.com/profiles/76561199467421923
Attributes
  • profile_id

    814

Targets

    • Target

      infected/Furk Ultra_10298.exe

    • Size

      8.7MB

    • MD5

      98194b1fd3ceea50438976b40ea59d05

    • SHA1

      ed918fbb5765aa91e5c9d2c492ec00667478ac35

    • SHA256

      3e091df4051e6b0859c2142a0869a415e5968c20edb5e9a60fcd077f7b61be19

    • SHA512

      9587acb23ee51e4743c5399b78b64f2a0e87e2413cd56e220df8c08ebe0f352ac0ca83c1826f09718876a6248057e9cbac0f38ee725de83b4ca7de4f805f30bf

    • SSDEEP

      196608:wu6nOE62LOa8ewFCrqNeuUG59Fa9FVDNWXVkHo/ly:MOb2C6wFCrqNZ529PDNs2Ho/k

    Score
    8/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

    • Target

      infected/Installer.exe

    • Size

      677.9MB

    • MD5

      3709aaf7e625bfd4dfef3ceba18ccc4a

    • SHA1

      17fcf830d2cf2c4a016fb438cae8bf065cc55b24

    • SHA256

      9440450e86e40c1116742e77b3e97ddb5c4d4d149d9c36d0e1e5c156ddb85cd1

    • SHA512

      4ea3c2ef3226b7ed9adb966708b70dd79d6295ea603a23f34b6cada7346ce08bb2f95b2ff686ee922060ab387c5a22b34ee082d23f1d69ccf3fc46036c04c000

    • SSDEEP

      3072:gahKyd2n31z5vWp1icKAArDZz4N9GhbkENEkYg6Au/TXlbodEgY:gahOCp0yN90vEXgMrXleEd

    Score
    10/10
    purecrypterdownloaderloaderpersistenceraccoon8f25ed0aa267992c7856160c3951e20bdiscoveryspywarestealer

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

      loaderdownloaderpurecrypter

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      infected/RobloxSynapceX Cracked.exe

    • Size

      521KB

    • MD5

      0afb47c295e5bc185b8272dc5a8967b6

    • SHA1

      5cedced75b7fc0a2f3457e9ff4e0c98b171b9ccb

    • SHA256

      0a7431f4637b27f103a4fb6d8cca52248cb4c7a77c8dd5500ca351c45c355320

    • SHA512

      03f49b5f06ebfb4ee42b1e82ad36515a34823904b9d7b3c28e99d9345b2052ea689552e8b9c39b4ca47efa5dbf60ab98cf325397e4be68c759777d7cdd7823dc

    • SSDEEP

      12288:O8DF2BeDFTYaOCaDecRe6kFfo13yzbVMyVS:O8DF2wDFTYaCY6kXz1VS

    Score
    10/10
    redlineinfostealerspyware

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      infected/Setup x64.exe

    • Size

      331.8MB

    • MD5

      4210316bf41a99563cca90927f82244d

    • SHA1

      fe76eba47cb59bbc8a45dd6e856d729e578081da

    • SHA256

      0c7e2b060922788050b2af5250a8ebd462f9d52bdfd6ed6e9cf3a7a80420f12a

    • SHA512

      db43e3f85856c7b7de9fd99526637a3e5fc07ab34b52426538c4fc1aae780db6039c7ef14b50c9cbcd48e9e544250408d71183c9272f3b088e4e4cc21db2f6bb

    • SSDEEP

      196608:Hajex6RtY/8gpeV8gULTfHjZUtuggWAezYpT:hg8gULTfDONgWAezYp

    Score
    10/10
    vidar814stealerspyware

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      infected/best-setup_FLc4rckO.exe

    • Size

      5.0MB

    • MD5

      c528c3d6799af4bf0dfc38e9b549fb75

    • SHA1

      489837e49d9f655f8adbd8a7bd9929fefed3679b

    • SHA256

      ec08d9c7f34da0f45d1c5d6419e4705e18cb75912f7afc6a46c967cc3c1ed603

    • SHA512

      b79c1179dbfda1bc1a1f348c21d37c646ca0641a74938990eb1ad77bd560fd4f4ce466a83898161a7942304b0c6ae65566646ed81e544f17a66abaf283ca6538

    • SSDEEP

      98304:xbUPREbmFZgVTVr38OMVyYow2JsOnPtTvxtWXdqqMU00tBh+0HdSzvCC6vgtuZ:dUPREGyr38HVyY2xljx1XPW7Y7Cd4tuZ

    Score
    10/10
    gcleanerraccoonredlinerhadamanthyseb3a206cd939601b2a6d00ea009a6d7ebootkitdiscoveryinfostealerloaderpersistencespywarestealerupxevasiontrojan

    • Detect rhadamanthys stealer shellcode

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

      evasiontrojan

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

MITRE ATT&CK Enterprise v6

Tasks