Overview

overview

10

Static

static

3

UI721.bin.exe

windows7-x64

10

UI721.bin.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    UI721.bin.exe

  • Size

    5KB

  • Sample

    230521-xkts1abg82

  • MD5

    69525fa93fd47eb3c533afe3b1baba48

  • SHA1

    3dea1b337987177c73c64e89b370d90dc94c64cb

  • SHA256

    8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9

  • SHA512

    909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182

  • SSDEEP

    48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

Score
10/10
agentteslalockbitredlinesectopratwshratdizacollectiondiscoveryevasioninfostealerkeyloggerpersistenceransomwareratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Path

C:\6KMVhDmrY.README.txt

Ransom Note
~~~ Your computer was infected with a ransomware virus~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You won't be able to decrypt them without our help. >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will decrypt all your files and delete your data from our database If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. >>>> Payment information To recover your files, Send $50 worth of Bitcoin to the following address: bc1qe4mvvcsycwsu6gp7chnd7r4wd5f5sgy2man87k Contact us (email addess): [email protected]

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6225839139:AAHOVxUdRr3_xezeR4e_GlriGQEKuUFBpW0/

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Targets

    • Target

      UI721.bin.exe

    • Size

      5KB

    • MD5

      69525fa93fd47eb3c533afe3b1baba48

    • SHA1

      3dea1b337987177c73c64e89b370d90dc94c64cb

    • SHA256

      8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9

    • SHA512

      909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182

    • SSDEEP

      48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

    Score
    10/10
    agentteslalockbitredlinedizacollectiondiscoveryevasioninfostealerkeyloggerpersistenceransomwarespywarestealertrojanupxsectopratwshratratvmprotect

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • WSHRAT payload

    • Renames multiple (347) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Downloads MZ/PE file

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks