General

  • Target

    file_release_v3.rar

  • Size

    16.9MB

  • Sample

    240218-1sy98sfd25

  • MD5

    94ec83b25bf1f1574aedb939601d9420

  • SHA1

    0e0f31bb10186551b14d2e29c4fb72315f184446

  • SHA256

    b5894034c64a59c927615881f133b65857c750d43f2cb5064f1a0c42d25f4e6b

  • SHA512

    e8574f110ab92554709c44254a1d365fd99226388ee9ae74d52c5dbf32364372b3751a3771c7aea39063042663be710d46b944318d317f54f2a856597d09b7b8

  • SSDEEP

    196608:z3+cXxXIkRZAY88Tz55JLsTe7dydv1UWk3A5ymQc8+lXw2f0IjTCnsneCls9Ppx8:L+oX+tkz3JLT78d0g3AMusneXNpxfZ6J

Malware Config

Extracted

Family

risepro

C2

193.233.132.62

193.233.132.49:50500

193.233.132.67:50500

Extracted

Family

djvu

C2

http://habrafa.com/test2/get.php

Attributes
  • extension

    .lkfr

  • offline_id

    OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1

  • payload_url
  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0852ASdw

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

stealc

C2

http://185.172.128.24

Attributes
  • url_path

    /f993692117a3fda2.php

Extracted

Family

lumma

C2

https://isotrimorphicnongrasse.shop/api

Targets

    • Target

      ICQLiteShell.dll

    • Size

      56KB

    • MD5

      05e61539b8917fca37c03756bbdd043d

    • SHA1

      5a72e0e528260de0ea5b34badb9e5f9873cb4245

    • SHA256

      515c8e0b93f0fef15da3e2573ad92b7e7840374140e65e5d73df63d8e22cb3e8

    • SHA512

      565d57783e6044d6e7e2026c79dbd897e637c5e1d96e7930dc704ef2b6d801669b38f0c26382f00e67e26668439274941e937a0ade54666de50b5d84f6da7e97

    • SSDEEP

      768:YEGJ9blT7XZBSbHwJU+tGR0KZUyGKZ0ZgwmF1+3UVambg:YEGJ9bln5o0KZjGKZ0Z1mF1+3UVayg

    Score
    1/10
    • Target

      ICQRT.dll

    • Size

      32KB

    • MD5

      1aedcb8994d6ad63ef9dcb87016e028f

    • SHA1

      f5b891aa15c6353b681bdb7e2d96c6ac8a5f02d7

    • SHA256

      53e1f40144bab532f9700ff25ec3d5c6a39784a98e17fada583b4ee6d9dd5dbc

    • SHA512

      89c0f408797c4d78afc52335a9e162345c614e1e419f55487cb358c14f7a69ec82138a7e6250be3133233386ba3659d241e80ab63c9b972b6c8b26b0424cb0c8

    • SSDEEP

      384:+qtTeds1tkMAp4TxCW9su5UcSu93ggoXUQQIPGEANHl:FTedukelF95RjQUUPpANHl

    Score
    3/10
    • Target

      Language/WinRar.exe

    • Size

      3.2MB

    • MD5

      b66dec691784f00061bc43e62030c343

    • SHA1

      779d947d41efafc2995878e56e213411de8fb4cf

    • SHA256

      26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370

    • SHA512

      6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3

    • SSDEEP

      98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8

    Score
    1/10
    • Target

      LiteRes.dll

    • Size

      735KB

    • MD5

      88962410244bc5c03482b82a7e3cb5e1

    • SHA1

      4622be2d3deda305bf0a16c0e01bc2ecf9d56fad

    • SHA256

      afa884228afc5c05f4b47e90b6de42854d5a8886ec5ed15a253faeccd5309036

    • SHA512

      c6e7667f91c1439e33ad4d9e2052b7c9fcc3ca2c7688d9e2bc0550b71a5762b76aa76427331df0217429d9bd984925997c7a8d009f25e44e2776c5ce7cc9d98c

    • SSDEEP

      6144:x9Ej/jb82/HRoXO1q2pt+Mc1/PDPicsUzM+gYESoE/wOuET8F62bH5vnGfcJvl+b:fqptG/PDPo0no2Iq8F6CHBTWqU

    Score
    1/10
    • Target

      LiteSkinUtils.dll

    • Size

      48KB

    • MD5

      059d94e8944eca4056e92d60f7044f14

    • SHA1

      46a491abbbb434b6a1a2a1b1a793d24acd1d6c4b

    • SHA256

      9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6

    • SHA512

      0f45fe8d5e80a8fabf9a1fd2a3f69b2c4ebb19f5ffdcfec6d17670f5577d5855378023a91988e0855c4bd85c9b2cc80375c3a0acb1d7a701aff32e9e78347902

    • SSDEEP

      768:FPGeoWyuTx6vrP/zAdWQS6Z9CSKh64crVKTl9inMUAK:tGeJxIHepSKzjVK9iMUAK

    Score
    3/10
    • Target

      Resource/Locals/x64/AdonisUI.ClassicTheme.dll

    • Size

      287KB

    • MD5

      8a1b183bca062f48402c74f2daba7b92

    • SHA1

      d9417bf78b3b37d668c08e67f3c0f21dbc6dc11e

    • SHA256

      8103f2cce6a864ceefe6c5b0c05087ac85ab04a2abf150e93bc9db90c54d9d20

    • SHA512

      0f5120fa9ed24d2a49b82cdc62113302002ccc5e1cf389cc28830f36b2915f876bdf77094fa6dfa312fc01b6f482465297fa734509511fa7e72285569ce57e87

    • SSDEEP

      6144:aMNTja9KIKf5RCs1ussMKlzI5iJQn9gu5DPOvObo:5Za9KIjs1ussMKlzI5lo

    Score
    1/10
    • Target

      Resource/Locals/x64/AdonisUI.dll

    • Size

      164KB

    • MD5

      3d4c8b6aad28ec574e56ccda22b34ef3

    • SHA1

      bc22ac7097e597fba3d7367b2fd5c61adff28941

    • SHA256

      db46b6106dc1b30041ce3f287ded91166895ff3f1928250fc79dd46c444b1e45

    • SHA512

      fc56241e65dc7bcc678a2af92f79bda017ceb3f7c4f203c7e9ce753d573da868608a6f56545c0d181a625737278b7b73223e5dcce85bf1f3c5b7b1b06e5c5739

    • SSDEEP

      3072:fuZPAdWKbu3355s555GPQKljrKxX0yAbTxin1YzqHf0llbS1sjZ73h39Iwj:GydWDrKxG3h39Iw

    Score
    1/10
    • Target

      Resource/Locals/x64/SQLite.Interop.dll

    • Size

      1.7MB

    • MD5

      56a504a34d2cfbfc7eaa2b68e34af8ad

    • SHA1

      426b48b0f3b691e3bb29f465aed9b936f29fc8cc

    • SHA256

      9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

    • SHA512

      170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

    • SSDEEP

      24576:YPUxmkgSxPgobZPRjZ22H6edtOZzWySRO3mlE0i/Yl5P+qF+8k+ao/si6:8UxXPgo8e6WYBSJZSS5P97I

    Score
    1/10
    • Target

      Resource/Locals/x86/BouncyCastle.Crypto.dll

    • Size

      3.2MB

    • MD5

      0cf454b6ed4d9e46bc40306421e4b800

    • SHA1

      9611aa929d35cbd86b87e40b628f60d5177d2411

    • SHA256

      e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

    • SHA512

      85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

    • SSDEEP

      49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY

    Score
    1/10
    • Target

      Resource/Locals/x86/SQLite.Interop.dll

    • Size

      1.3MB

    • MD5

      8be215abf1f36aa3d23555a671e7e3be

    • SHA1

      547d59580b7843f90aaca238012a8a0c886330e6

    • SHA256

      83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

    • SHA512

      38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

    • SSDEEP

      24576:eiDAYMz2epP8AEXn8z7qsyb8c+gntHKuvKtBLtTvD0nsrFSK96fYlYyv:1AYMza36enEuyjpTV96A2yv

    Score
    1/10
    • Target

      Resource/opengl64.dll

    • Size

      145.8MB

    • MD5

      71466589eb444bbf272c0f5c920c57f0

    • SHA1

      4fcace49ee032779d3bf7b8e03c6a9f29ed871ba

    • SHA256

      e7d625cf255360b0ea96a52ca990be6f1cef522ff7440393e45b12793ac88031

    • SHA512

      eff62450cf03d72af2594d750a70b008226fa2e46216661716287639bf5e1ff1303076fdaf4f062ca4098ef10a8e29502de55ecb3a6e04753aad7fcad01e3352

    • SSDEEP

      48:0ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZY:n

    Score
    1/10
    • Target

      setup.exe

    • Size

      796.0MB

    • MD5

      20ec80218851ba0adc9e715e55951d35

    • SHA1

      b6a2fc65ec253fdadaf84b6f22d268151aa02167

    • SHA256

      20e3396489f07c8582f797f78a3ad3d6fa76bb229adb214bf1fc2b0386e3e1c0

    • SHA512

      0ab5aa354fe64a55913dff67c469b9f79f92e2aaed8e62af7a61966ad245531c6ecd30eab3067249e457ec1de2ecfc1462939e210f2f79ca941d126e4153e2b3

    • SSDEEP

      98304:Y48A1GVS1CftH2UTY4r2TLHYbr3Bv8tR8ed:Y9A1G6CfbT12Tr2Byd

    • Detect ZGRat V1

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Scheduled Task/Job (T1053): 1

Persistence
  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • Virtualization/Sandbox Evasion (T1497): 1
  • Impair Defenses (T1562): 1
  • Disable or Modify System Firewall (T1562.004): 1
  • File and Directory Permissions Modification (T1222): 1
  • Subvert Trust Controls (T1553): 1
  • Install Root Certificate (T1553.004): 1

Credential Access
  • Unsecured Credentials (T1552): 3
  • Credentials In Files (T1552.001): 3

Discovery
  • Query Registry (T1012): 8
  • Virtualization/Sandbox Evasion (T1497): 1
  • System Information Discovery (T1082): 8
  • Software Discovery (T1518): 1
  • Security Software Discovery (T1518.001): 1
  • Peripheral Device Discovery (T1120): 1

Collection
  • Data from Local System (T1005): 3

Command and Control
  • Web Service (T1102): 1

Tasks

static1

Score
3/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
3/10

behavioral4

Score
3/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
3/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Tags: djvu, glupteba, risepro, smokeloader, stealc, zgrat, pub3, backdoor, discovery, dropper, evasion, loader, ransomware, rat, spyware, stealer, trojan
Score
10/10

behavioral24

Tags: djvu, glupteba, lumma, risepro, smokeloader, stealc, zgrat, pub3, backdoor, discovery, dropper, evasion, loader, persistence, ransomware, rat, rootkit, spyware, stealer, themida, trojan
Score
10/10