Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://bazaar.abuse...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://bazaar.abuse.ch/browse/

  • Sample

    230725-wgcjwaef78

Score
10/10
chaosdcrathealerphobosredlinesmokeloadersnakekeyloggervidarxwormhttps://t.me/dastantimkrastbackdoorcollectiondiscoverydropperevasioninfostealerkeyloggerpersistenceransomwareratspywarestealerthemidatrojan

Malware Config

Extracted

Family

xworm

C2

stores-anytime.at.ply.gg:36673

Mutex

yS58McQ9w9RnawSv

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

vidar

Version

4.9

Botnet

https://t.me/dastantim

C2

https://t.me/dastantim

https://steamcommunity.com/profiles/76561199529242058
Attributes
  • profile_id_v2

    https://t.me/dastantim

  • user_agent

    Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    UWzDeXWsD8

Targets

    • Target

      https://bazaar.abuse.ch/browse/

    Score
    10/10
    chaosdcrathealerphobosredlinesmokeloadersnakekeyloggervidarxwormhttps://t.me/dastantimkrastbackdoorcollectiondiscoverydropperevasioninfostealerkeyloggerpersistenceransomwareratspywarestealerthemidatrojan

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (490) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

      persistence

    • Modifies RDP port number used by Windows

    • Modifies Windows Firewall

      evasion

    • Sets file execution options in registry

      persistence

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Windows security modification

      evasiontrojan

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

9
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Virtualization/Sandbox Evasion

1
T1497

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

9
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

8
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Resource Development

Reconnaissance

Tasks