Overview
overview
10Static
static
3ICQLiteShell.dll
windows7-x64
1ICQLiteShell.dll
windows10-2004-x64
1ICQRT.dll
windows7-x64
3ICQRT.dll
windows10-2004-x64
3Language/WinRar.exe
windows7-x64
1Language/WinRar.exe
windows10-2004-x64
1LiteRes.dll
windows7-x64
1LiteRes.dll
windows10-2004-x64
1LiteSkinUtils.dll
windows7-x64
1LiteSkinUtils.dll
windows10-2004-x64
3Resource/L...me.dll
windows7-x64
1Resource/L...me.dll
windows10-2004-x64
1Resource/L...UI.dll
windows7-x64
1Resource/L...UI.dll
windows10-2004-x64
1Resource/L...op.dll
windows7-x64
1Resource/L...op.dll
windows10-2004-x64
1Resource/L...to.dll
windows7-x64
1Resource/L...to.dll
windows10-2004-x64
1Resource/L...op.dll
windows7-x64
1Resource/L...op.dll
windows10-2004-x64
1Resource/opengl64.dll
windows7-x64
1Resource/opengl64.dll
windows10-2004-x64
1setup.exe
windows7-x64
10setup.exe
windows10-2004-x64
10General
-
Target
file_release_v3.rar
-
Size
16.9MB
-
Sample
240218-1sy98sfd25
-
MD5
94ec83b25bf1f1574aedb939601d9420
-
SHA1
0e0f31bb10186551b14d2e29c4fb72315f184446
-
SHA256
b5894034c64a59c927615881f133b65857c750d43f2cb5064f1a0c42d25f4e6b
-
SHA512
e8574f110ab92554709c44254a1d365fd99226388ee9ae74d52c5dbf32364372b3751a3771c7aea39063042663be710d46b944318d317f54f2a856597d09b7b8
-
SSDEEP
196608:z3+cXxXIkRZAY88Tz55JLsTe7dydv1UWk3A5ymQc8+lXw2f0IjTCnsneCls9Ppx8:L+oX+tkz3JLT78d0g3AMusneXNpxfZ6J
Static task
static1
Behavioral task
behavioral1
Sample
ICQLiteShell.dll
Resource
win7-20231215-es
Behavioral task
behavioral2
Sample
ICQLiteShell.dll
Resource
win10v2004-20231215-es
Behavioral task
behavioral3
Sample
ICQRT.dll
Resource
win7-20231215-es
Behavioral task
behavioral4
Sample
ICQRT.dll
Resource
win10v2004-20231222-es
Behavioral task
behavioral5
Sample
Language/WinRar.exe
Resource
win7-20231215-es
Behavioral task
behavioral6
Sample
Language/WinRar.exe
Resource
win10v2004-20231215-es
Behavioral task
behavioral7
Sample
LiteRes.dll
Resource
win7-20231215-es
Behavioral task
behavioral8
Sample
LiteRes.dll
Resource
win10v2004-20231222-es
Behavioral task
behavioral9
Sample
LiteSkinUtils.dll
Resource
win7-20231129-es
Behavioral task
behavioral10
Sample
LiteSkinUtils.dll
Resource
win10v2004-20231215-es
Behavioral task
behavioral11
Sample
Resource/Locals/x64/AdonisUI.ClassicTheme.dll
Resource
win7-20231215-es
Behavioral task
behavioral12
Sample
Resource/Locals/x64/AdonisUI.ClassicTheme.dll
Resource
win10v2004-20231215-es
Behavioral task
behavioral13
Sample
Resource/Locals/x64/AdonisUI.dll
Resource
win7-20231215-es
Behavioral task
behavioral14
Sample
Resource/Locals/x64/AdonisUI.dll
Resource
win10v2004-20231215-es
Behavioral task
behavioral15
Sample
Resource/Locals/x64/SQLite.Interop.dll
Resource
win7-20231215-es
Behavioral task
behavioral16
Sample
Resource/Locals/x64/SQLite.Interop.dll
Resource
win10v2004-20231215-es
Behavioral task
behavioral17
Sample
Resource/Locals/x86/BouncyCastle.Crypto.dll
Resource
win7-20231215-es
Behavioral task
behavioral18
Sample
Resource/Locals/x86/BouncyCastle.Crypto.dll
Resource
win10v2004-20231222-es
Behavioral task
behavioral19
Sample
Resource/Locals/x86/SQLite.Interop.dll
Resource
win7-20231215-es
Behavioral task
behavioral20
Sample
Resource/Locals/x86/SQLite.Interop.dll
Resource
win10v2004-20231215-es
Behavioral task
behavioral21
Sample
Resource/opengl64.dll
Resource
win7-20231129-es
Behavioral task
behavioral22
Sample
Resource/opengl64.dll
Resource
win10v2004-20231222-es
Malware Config
Extracted
risepro
193.233.132.62
193.233.132.49:50500
193.233.132.67:50500
Extracted
djvu
http://habrafa.com/test2/get.php
-
extension
.lkfr
-
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
- payload_url
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0852ASdw
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
stealc
http://185.172.128.24
-
url_path
/f993692117a3fda2.php
Extracted
lumma
https://isotrimorphicnongrasse.shop/api
Targets
-
-
Target
ICQLiteShell.dll
-
Size
56KB
-
MD5
05e61539b8917fca37c03756bbdd043d
-
SHA1
5a72e0e528260de0ea5b34badb9e5f9873cb4245
-
SHA256
515c8e0b93f0fef15da3e2573ad92b7e7840374140e65e5d73df63d8e22cb3e8
-
SHA512
565d57783e6044d6e7e2026c79dbd897e637c5e1d96e7930dc704ef2b6d801669b38f0c26382f00e67e26668439274941e937a0ade54666de50b5d84f6da7e97
-
SSDEEP
768:YEGJ9blT7XZBSbHwJU+tGR0KZUyGKZ0ZgwmF1+3UVambg:YEGJ9bln5o0KZjGKZ0Z1mF1+3UVayg
Score1/10 -
-
-
Target
ICQRT.dll
-
Size
32KB
-
MD5
1aedcb8994d6ad63ef9dcb87016e028f
-
SHA1
f5b891aa15c6353b681bdb7e2d96c6ac8a5f02d7
-
SHA256
53e1f40144bab532f9700ff25ec3d5c6a39784a98e17fada583b4ee6d9dd5dbc
-
SHA512
89c0f408797c4d78afc52335a9e162345c614e1e419f55487cb358c14f7a69ec82138a7e6250be3133233386ba3659d241e80ab63c9b972b6c8b26b0424cb0c8
-
SSDEEP
384:+qtTeds1tkMAp4TxCW9su5UcSu93ggoXUQQIPGEANHl:FTedukelF95RjQUUPpANHl
Score3/10 -
-
-
Target
Language/WinRar.exe
-
Size
3.2MB
-
MD5
b66dec691784f00061bc43e62030c343
-
SHA1
779d947d41efafc2995878e56e213411de8fb4cf
-
SHA256
26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370
-
SHA512
6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3
-
SSDEEP
98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8
Score1/10 -
-
-
Target
LiteRes.dll
-
Size
735KB
-
MD5
88962410244bc5c03482b82a7e3cb5e1
-
SHA1
4622be2d3deda305bf0a16c0e01bc2ecf9d56fad
-
SHA256
afa884228afc5c05f4b47e90b6de42854d5a8886ec5ed15a253faeccd5309036
-
SHA512
c6e7667f91c1439e33ad4d9e2052b7c9fcc3ca2c7688d9e2bc0550b71a5762b76aa76427331df0217429d9bd984925997c7a8d009f25e44e2776c5ce7cc9d98c
-
SSDEEP
6144:x9Ej/jb82/HRoXO1q2pt+Mc1/PDPicsUzM+gYESoE/wOuET8F62bH5vnGfcJvl+b:fqptG/PDPo0no2Iq8F6CHBTWqU
Score1/10 -
-
-
Target
LiteSkinUtils.dll
-
Size
48KB
-
MD5
059d94e8944eca4056e92d60f7044f14
-
SHA1
46a491abbbb434b6a1a2a1b1a793d24acd1d6c4b
-
SHA256
9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6
-
SHA512
0f45fe8d5e80a8fabf9a1fd2a3f69b2c4ebb19f5ffdcfec6d17670f5577d5855378023a91988e0855c4bd85c9b2cc80375c3a0acb1d7a701aff32e9e78347902
-
SSDEEP
768:FPGeoWyuTx6vrP/zAdWQS6Z9CSKh64crVKTl9inMUAK:tGeJxIHepSKzjVK9iMUAK
Score3/10 -
-
-
Target
Resource/Locals/x64/AdonisUI.ClassicTheme.dll
-
Size
287KB
-
MD5
8a1b183bca062f48402c74f2daba7b92
-
SHA1
d9417bf78b3b37d668c08e67f3c0f21dbc6dc11e
-
SHA256
8103f2cce6a864ceefe6c5b0c05087ac85ab04a2abf150e93bc9db90c54d9d20
-
SHA512
0f5120fa9ed24d2a49b82cdc62113302002ccc5e1cf389cc28830f36b2915f876bdf77094fa6dfa312fc01b6f482465297fa734509511fa7e72285569ce57e87
-
SSDEEP
6144:aMNTja9KIKf5RCs1ussMKlzI5iJQn9gu5DPOvObo:5Za9KIjs1ussMKlzI5lo
Score1/10 -
-
-
Target
Resource/Locals/x64/AdonisUI.dll
-
Size
164KB
-
MD5
3d4c8b6aad28ec574e56ccda22b34ef3
-
SHA1
bc22ac7097e597fba3d7367b2fd5c61adff28941
-
SHA256
db46b6106dc1b30041ce3f287ded91166895ff3f1928250fc79dd46c444b1e45
-
SHA512
fc56241e65dc7bcc678a2af92f79bda017ceb3f7c4f203c7e9ce753d573da868608a6f56545c0d181a625737278b7b73223e5dcce85bf1f3c5b7b1b06e5c5739
-
SSDEEP
3072:fuZPAdWKbu3355s555GPQKljrKxX0yAbTxin1YzqHf0llbS1sjZ73h39Iwj:GydWDrKxG3h39Iw
Score1/10 -
-
-
Target
Resource/Locals/x64/SQLite.Interop.dll
-
Size
1.7MB
-
MD5
56a504a34d2cfbfc7eaa2b68e34af8ad
-
SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc
-
SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
-
SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7
-
SSDEEP
24576:YPUxmkgSxPgobZPRjZ22H6edtOZzWySRO3mlE0i/Yl5P+qF+8k+ao/si6:8UxXPgo8e6WYBSJZSS5P97I
Score1/10 -
-
-
Target
Resource/Locals/x86/BouncyCastle.Crypto.dll
-
Size
3.2MB
-
MD5
0cf454b6ed4d9e46bc40306421e4b800
-
SHA1
9611aa929d35cbd86b87e40b628f60d5177d2411
-
SHA256
e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42
-
SHA512
85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048
-
SSDEEP
49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
Score1/10 -
-
-
Target
Resource/Locals/x86/SQLite.Interop.dll
-
Size
1.3MB
-
MD5
8be215abf1f36aa3d23555a671e7e3be
-
SHA1
547d59580b7843f90aaca238012a8a0c886330e6
-
SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
-
SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
-
SSDEEP
24576:eiDAYMz2epP8AEXn8z7qsyb8c+gntHKuvKtBLtTvD0nsrFSK96fYlYyv:1AYMza36enEuyjpTV96A2yv
Score1/10 -
-
-
Target
Resource/opengl64.dll
-
Size
145.8MB
-
MD5
71466589eb444bbf272c0f5c920c57f0
-
SHA1
4fcace49ee032779d3bf7b8e03c6a9f29ed871ba
-
SHA256
e7d625cf255360b0ea96a52ca990be6f1cef522ff7440393e45b12793ac88031
-
SHA512
eff62450cf03d72af2594d750a70b008226fa2e46216661716287639bf5e1ff1303076fdaf4f062ca4098ef10a8e29502de55ecb3a6e04753aad7fcad01e3352
-
SSDEEP
48:0ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZY:n
Score1/10 -
-
-
Target
setup.exe
-
Size
796.0MB
-
MD5
20ec80218851ba0adc9e715e55951d35
-
SHA1
b6a2fc65ec253fdadaf84b6f22d268151aa02167
-
SHA256
20e3396489f07c8582f797f78a3ad3d6fa76bb229adb214bf1fc2b0386e3e1c0
-
SHA512
0ab5aa354fe64a55913dff67c469b9f79f92e2aaed8e62af7a61966ad245531c6ecd30eab3067249e457ec1de2ecfc1462939e210f2f79ca941d126e4153e2b3
-
SSDEEP
98304:Y48A1GVS1CftH2UTY4r2TLHYbr3Bv8tR8ed:Y9A1G6CfbT12Tr2Byd
-
Detect ZGRat V1
-
Detected Djvu ransomware
-
Glupteba payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1