Overview

overview

10

Static

static

3

V2Oopsies.exe

windows7-x64

10

V2Oopsies.exe

windows10-1703-x64

10

V2Oopsies.exe

windows10-2004-x64

10

V2Oopsies.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    V2Oopsies.exe

  • Size

    49KB

  • Sample

    231220-hppbrabgc3

  • MD5

    67e98eff54f87122a80b49a3783cf7d3

  • SHA1

    2def56cd333556458143fa8c5ff9cde8b0db4580

  • SHA256

    3f80f2eba7e314da83ce546d35b638efc7c82d6733857da7b0eaf82d4b1150fa

  • SHA512

    3bf78e15d02fc755944ff6d484cbb2022f559b0e5eb9e0db2ad4dff2fa14d0f76ebace3767dd5ae0e0c04c5c0a2ccf78160e1fb5b207f7cd2f3682a8082e119b

  • SSDEEP

    768:enkqOKtUenKtUenKtUenKtUenKtUenKtUenKtUehf3QV9wEWbh0sMDS:qrL5K5K5K5K5K5K5N3S9wEWbXMDS

Score
10/10
agentteslaasyncratblacknetdcratdjvugh0stratlummaneshtanetsupportprivateloaderredlineriseprosectopratxmrigxwormzgrataspackv2bootkitdiscoveryevasioninfostealerkeyloggerloaderminerpersistencepyinstallerransomwareratspywarestealerthemidatrojanupxvmprotect

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .loqw

  • offline_id

    NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Extracted

Family

gh0strat

C2

www.996m2m2.top

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

agenttesla

Credentials

Extracted

Path

F:\Program Files\AppPatch\_readme.txt

Family

djvu

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdwC84nkiLIOq6y9b38l4UiAIgDirWoqqlLGNEqNQJH
URLs

https://we.tl/t-MhbiRFXgXD

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://houssagynecologue.com/assets/js/debug2.ps1

Extracted

Family

lumma

C2

http://crudeleavelegendew.fun/api

http://freckletropsao.pw/api

Targets

    • Target

      V2Oopsies.exe

    • Size

      49KB

    • MD5

      67e98eff54f87122a80b49a3783cf7d3

    • SHA1

      2def56cd333556458143fa8c5ff9cde8b0db4580

    • SHA256

      3f80f2eba7e314da83ce546d35b638efc7c82d6733857da7b0eaf82d4b1150fa

    • SHA512

      3bf78e15d02fc755944ff6d484cbb2022f559b0e5eb9e0db2ad4dff2fa14d0f76ebace3767dd5ae0e0c04c5c0a2ccf78160e1fb5b207f7cd2f3682a8082e119b

    • SSDEEP

      768:enkqOKtUenKtUenKtUenKtUenKtUenKtUenKtUehf3QV9wEWbh0sMDS:qrL5K5K5K5K5K5K5N3S9wEWbXMDS

    Score
    10/10
    agenttesladcratdjvugh0stratlummaneshtaprivateloaderriseprozgratbootkitdiscoveryevasioninfostealerkeyloggerloaderpersistencepyinstallerransomwareratspywarestealerthemidatrojanupxxwormasyncratblacknetnetsupportredlinesectopratxmrigaspackv2minervmprotect

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

      trojanblacknet

    • BlackNET payload

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect Lumma Stealer payload V2

    • Detect Lumma Stealer payload V4

    • Detect Neshta payload

    • Detect Xworm Payload

    • Detect ZGRat V1

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

      ratnetsupport

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • XMRig Miner payload

      miner

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Modifies system executable filetype association

      persistence

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scripting

1
T1064

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Process Discovery

1
T1057

Query Registry

8
T1012

Remote System Discovery

1
T1018

System Information Discovery

7
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks