General

  • Target

    Artic_X!.7z

  • Size

    9.2MB

  • Sample

    240213-y6mr9agh6w

  • MD5

    592d4a4f55e0498305aa4925ca5df5d2

  • SHA1

    8fe47a7347d7620c594fd48c095795b38c058268

  • SHA256

    dae8c36b46d77bb082e26366ff253f26948c946ed42ae2e0cbcb580588e69257

  • SHA512

    538453645d8b63b765eb354c61c4988d367e58b94d50bfcfce66912fba844ae658aa4b9182cdf45f43851efb8b8bfe3464c0de737109921ef3d1a1a4428e86dc

  • SSDEEP

    196608:0s15S+lJA0p9lVxZRVrxy5nT3hxpAJESeoiFLUd+ZajdkmDW:0s7bzLzRVw5nT7wbGpUEZCk+W

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.24

Attributes
  • url_path

    /f993692117a3fda2.php

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

risepro

C2

193.233.132.62

193.233.132.67:50500

193.233.132.49:50500

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes
  • install_dir

    68fd3d7ade

  • install_file

    Utsysc.exe

  • strings_key

    27ec7fd6f50f63b8af0c1d3deefcc8fe

  • url_paths

    /forum/index.php

rc4.plain

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

Extracted

Family

socks5systemz

C2

http://boveifp.com/search/?q=67e28dd83e5df42e425dfd4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef819c5e9959a3c

http://boveifp.com/search/?q=67e28dd83e5df42e425dfd4e7c27d78406abdd88be4b12eab517aa5c96bd86e99c824896148ab2865b77f80ebad9c40f7cb63037ed2ab423a4604383ba915d911ec07bb606a0708727e40ea678c45abbe74ffb0e2807e12571c17f3e83fe16c0e89d9f3dcd6f91

Targets

    • Target

      PROPAMAT/ResIL.dll

    • Size

      1.7MB

    • MD5

      db09096c78ff5762f4b5487fa8b0fa5f

    • SHA1

      1f7dd2ea79e2ee986bb5285e3f304a8bc83bc1b2

    • SHA256

      a2d3d003bef45587349be9d6c715eefc0a104cf645338e2582b34c96d989e100

    • SHA512

      cd6566d633e4901f9be9bf38e085c434bcbf8335147da56b225d7d468297464710055aa8f8f27e2ac0e7820c19823e620ab1ebd602bcc0f625b9c9418eec5509

    • SSDEEP

      49152:qd4f2DvxlaBqB7S4dnf2BRBNRMhGTs1p5:sS4oE7

    • Score

      1/10

    • Target

      PROPAMAT/chrome_elf.dll

    • Size

      812KB

    • MD5

      9a861199039507ef92b3ad2832cc9cec

    • SHA1

      ade7859a7bfea123fe37e6049ff6292605efba86

    • SHA256

      55fadde5e569cbe804abe26f4dfcb56595fc79e2bad91625df2309e5bd385266

    • SHA512

      3c6cf96bb3ae4f49f57f594615192c678088b7c7cdec0e00ae85232c81f9461eca985118ca7d130854ba9fc0b917b176f94d90c5e3af6dce3b328f0ac5bf8aa2

    • SSDEEP

      12288:UXxR37jWxg2Yb4zb9EF11sfWqEfROOtupHg1dsbDcgInQok7t6:UBxjW+lb4zZEFcwoOgpHOibDPVNZ6

    • Score

      1/10

    • Target

      PROPAMAT/dbghelp.dll

    • Size

      1020KB

    • MD5

      74edbb03de3291fcf2094af1fb363f1d

    • SHA1

      16b5d948ed7843576781dc4f2a391607ac0120a4

    • SHA256

      dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

    • SHA512

      b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

    • SSDEEP

      24576:YXm4cpDFYD2aC0jH5yrrXlpWrCSyZC0wLHr298TG00g8EAB4a:hpKD2aC0jH5yr7DWRyZlwH29vjDIa

    • Score

      1/10

    • Target

      PROPAMAT/lgc_api.dll

    • Size

      2.2MB

    • MD5

      f0b570e6ec2a1c395fef9a0bf893520b

    • SHA1

      527040ce92dce6467e4feb8522e95b6f8b5963b1

    • SHA256

      6d84c3e3a6d3e5793d0cb99c3b65a1c07985c3d821bfa5e092c4ef1b474988a9

    • SHA512

      8b6fa3b58e1376a99555331a681fa237840d33e6c9ec54c5f1c21c0b37187f22a66ab80c0852f70e2888472cca7c219713c2f08561896c1d5a1dcc17c52748c3

    • SSDEEP

      24576:hszqYiXwgjMMzsdH5yeknRHv+3zxZl9xbWNS/JlIVcV9rj/lq+ry:iqYosZyVWjF9lWNS/7IE9rj/lbG

    • Score

      1/10

    • Target

      prom/ResIL.dll

    • Size

      1.7MB

    • MD5

      db09096c78ff5762f4b5487fa8b0fa5f

    • SHA1

      1f7dd2ea79e2ee986bb5285e3f304a8bc83bc1b2

    • SHA256

      a2d3d003bef45587349be9d6c715eefc0a104cf645338e2582b34c96d989e100

    • SHA512

      cd6566d633e4901f9be9bf38e085c434bcbf8335147da56b225d7d468297464710055aa8f8f27e2ac0e7820c19823e620ab1ebd602bcc0f625b9c9418eec5509

    • SSDEEP

      49152:qd4f2DvxlaBqB7S4dnf2BRBNRMhGTs1p5:sS4oE7

    • Score

      1/10

    • Target

      prom/dbghelp.dll

    • Size

      1020KB

    • MD5

      74edbb03de3291fcf2094af1fb363f1d

    • SHA1

      16b5d948ed7843576781dc4f2a391607ac0120a4

    • SHA256

      dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

    • SHA512

      b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

    • SSDEEP

      24576:YXm4cpDFYD2aC0jH5yrrXlpWrCSyZC0wLHr298TG00g8EAB4a:hpKD2aC0jH5yr7DWRyZlwH29vjDIa

    • Score

      1/10

    • Target

      prom/hro.dll

    • Size

      812KB

    • MD5

      9a861199039507ef92b3ad2832cc9cec

    • SHA1

      ade7859a7bfea123fe37e6049ff6292605efba86

    • SHA256

      55fadde5e569cbe804abe26f4dfcb56595fc79e2bad91625df2309e5bd385266

    • SHA512

      3c6cf96bb3ae4f49f57f594615192c678088b7c7cdec0e00ae85232c81f9461eca985118ca7d130854ba9fc0b917b176f94d90c5e3af6dce3b328f0ac5bf8aa2

    • SSDEEP

      12288:UXxR37jWxg2Yb4zb9EF11sfWqEfROOtupHg1dsbDcgInQok7t6:UBxjW+lb4zZEFcwoOgpHOibDPVNZ6

    • Score

      1/10

    • Target

      prom/lgc_api.dll

    • Size

      2.2MB

    • MD5

      f0b570e6ec2a1c395fef9a0bf893520b

    • SHA1

      527040ce92dce6467e4feb8522e95b6f8b5963b1

    • SHA256

      6d84c3e3a6d3e5793d0cb99c3b65a1c07985c3d821bfa5e092c4ef1b474988a9

    • SHA512

      8b6fa3b58e1376a99555331a681fa237840d33e6c9ec54c5f1c21c0b37187f22a66ab80c0852f70e2888472cca7c219713c2f08561896c1d5a1dcc17c52748c3

    • SSDEEP

      24576:hszqYiXwgjMMzsdH5yeknRHv+3zxZl9xbWNS/JlIVcV9rj/lq+ry:iqYosZyVWjF9lWNS/7IE9rj/lbG

    • Score

      1/10

    • Target

      prom/me_elf.dll

    • Size

      812KB

    • MD5

      9a861199039507ef92b3ad2832cc9cec

    • SHA1

      ade7859a7bfea123fe37e6049ff6292605efba86

    • SHA256

      55fadde5e569cbe804abe26f4dfcb56595fc79e2bad91625df2309e5bd385266

    • SHA512

      3c6cf96bb3ae4f49f57f594615192c678088b7c7cdec0e00ae85232c81f9461eca985118ca7d130854ba9fc0b917b176f94d90c5e3af6dce3b328f0ac5bf8aa2

    • SSDEEP

      12288:UXxR37jWxg2Yb4zb9EF11sfWqEfROOtupHg1dsbDcgInQok7t6:UBxjW+lb4zZEFcwoOgpHOibDPVNZ6

    • Score

      1/10

    • Target

      setup.exe

    • Size

      727.0MB

    • MD5

      3258cc800407c70ca78fbbadc5714ffc

    • SHA1

      85610bc05a3efd39f93ef5a80c15d005ba2d3565

    • SHA256

      5c9ec77a657f11d8600eec7c726c1cdf618f402aa9ed1f3fa6a8f1f3380d0b29

    • SHA512

      393edf5151c42ecbce864e8fb5c1b7c3619f50f7924430cf51d5ecad0185ddf67ee10a1743a999a881b6ba2c771748c60cd9f992b7b3221aa4359edcbabc40dd

    • SSDEEP

      196608:kVbnTakY/r9+hrUT3tcgZ8dSvosK1CPa:GakIR+h4T3tRosK1Sa

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Stealc

      Stealc is an infostealer written in C++.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Manipulates WinMon driver

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks