Overview

overview

10

Static

static

3

209b858f3b...c6.exe

windows7-x64

10

209b858f3b...c6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    95b17fdd3066fc39a97ec6a988004b73.bin

  • Size

    147KB

  • Sample

    230605-n8hwzaha2z

  • MD5

    b513920919878a2e46297867de141a93

  • SHA1

    e667e508ace2f5c8e6bedb38e655c2468cb8934c

  • SHA256

    52fd6f75036ed6149e36a7ab1e444b4e2c1b1d86de9ad650a2f1078eec24583e

  • SHA512

    779de9d5bec2f70f02d7bd7761c0734526f5f60b01ea0018f4bed4796d4a6e8eadab728e5ddb32788161491d6dba0bc6b8b7d71ec4d80e46b2cc94a0ea4595f1

  • SSDEEP

    3072:D0fV3omL56P3vDGrsrxrLgByhNNAT0yL6+hrLQ7cwSB3:DKYm56P3yah6YeTVhHQ7cwY

Score
10/10
amadeydjvusmokeloadervidar77a63e71a10ee1d81a28b5c866b75922pub1backdoordiscoverypersistenceransomwarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://toobussy.com/tmp/

http://wuc11.com/tmp/

http://ladogatur.ru/tmp/

http://kingpirate.ru/tmp/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://zexeq.com/raud/get.php

http://zexeq.com/lancer/get.php
Attributes
  • extension

    .neon

  • offline_id

    0vTA6MA1m5nzrdffOCJC7YmAa4Lp6YNN8lOJ4mt1

  • payload_url

    http://colisumy.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vc50LyB2yb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0725JOsie

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

vidar

Version

4.1

Botnet

77a63e71a10ee1d81a28b5c866b75922

C2

https://steamcommunity.com/profiles/76561199510444991

https://t.me/task4manager
Attributes
  • profile_id_v2

    77a63e71a10ee1d81a28b5c866b75922

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34

Extracted

Family

amadey

Version

3.67

C2

45.9.74.80/0bjdn2Z/index.php

Targets

    • Target

      209b858f3b9abafb8430c8f3110bd3ec104a314c53f94d95d68c8e9733b40dc6.exe

    • Size

      237KB

    • MD5

      95b17fdd3066fc39a97ec6a988004b73

    • SHA1

      e388d35a4707ea6c13e8837e18facf7fd6d73d50

    • SHA256

      209b858f3b9abafb8430c8f3110bd3ec104a314c53f94d95d68c8e9733b40dc6

    • SHA512

      1a206e68db40ebe2ba18a69cbb599be09f89de2829f35387056ca53f3cbd352dc75e508e1e5b983c382e9b6fa964557b8b496df4066ddf5d0b9f86732710ec53

    • SSDEEP

      3072:n43MmqbNUVnHzUQYYXirzwqgJ3Rk/+eFfMNr1egDhFJNnhYH:43IhU9YiY1Gk/+4fMNr1xFF

    Score
    10/10
    smokeloaderbackdoortrojanamadeydjvuvidar77a63e71a10ee1d81a28b5c866b75922pub1discoverypersistenceransomwarestealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks