Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://bazaar.abuse...

windows10-2004-x64

10

Resubmissions

07-04-2023 15:30

230407-sxfdxshe95 6

07-04-2023 14:43

230407-r3rhpshd76 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://bazaar.abuse.ch/

  • Sample

    230407-r3rhpshd76

Score
10/10
agentteslaamadeydcratquantumsmokeloadervidarxmrigea47dfbd9de704e5b28b9adeea49a50bsprgbackdoormicrosoftcollectiondiscoveryevasioninfostealerkeyloggerminerpersistencephishingransomwareratspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

3.3

Botnet

ea47dfbd9de704e5b28b9adeea49a50b

C2

https://steamcommunity.com/profiles/76561199492257783

https://t.me/justsometg
Attributes
  • profile_id_v2

    ea47dfbd9de704e5b28b9adeea49a50b

  • user_agent

    Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Extracted

Path

C:\Users\Admin\.oracle_jre_usage\README_TO_DECRYPT.html

Family

quantum

Ransom Note
<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <b> <pre> 9064d8b148a0f19a9e3598a6e0b0aeb16c31d69d7e358254164eefdf45b6ef70 </pre> </b> <hr/> This message contains an information how to fix the troubles you've got with your network.<br><br> Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content.<br> The only way to get files back is a decryption with Key, provided by the Quantum Locker.<br><br> During the period your network was under our control, we downloaded a huge volume of information.<br> Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data.<br> Publishing of such data will cause serious consequences and even business disruption.<br><br> It's not a threat, on the contrary - it's a manual how to get a way out.<br> Quantum team doesn't aim to damage your company, our goals are only financial.<br><br> After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points.<br> If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc.<br><br> To contact our support and start the negotiations, please visit our support chat.<br> It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb16c31d69d7e358254164eefdf45b6ef70">http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb16c31d69d7e358254164eefdf45b6ef70</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Targets

    • Target

      https://bazaar.abuse.ch/

    Score
    10/10
    agentteslaamadeydcratquantumsmokeloadervidarxmrigea47dfbd9de704e5b28b9adeea49a50bsprgbackdoormicrosoftcollectiondiscoveryevasioninfostealerkeyloggerminerpersistencephishingransomwareratspywarestealerthemidatrojanupx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Quantum Ransomware

      A rebrand of the MountLocker ransomware first seen in August 2021.

      ransomwarequantum

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Contacts a large (65827) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Detectes Phoenix Miner Payload

      miner

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Downloads MZ/PE file

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Hidden Files and Directories

1
T1158

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

File Deletion

2
T1107

Virtualization/Sandbox Evasion

1
T1497

Scripting

1
T1064

Modify Registry

2
T1112

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

3
T1081

Discovery

Network Service Scanning

2
T1046

Query Registry

9
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

8
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks