General
-
Target
LEGO_Marvel_Super_Heroes_PC_[Full]_Español_[MEGA].7z
-
Size
4.4MB
-
Sample
240226-axehhsge33
-
MD5
5fcbb150d359e1ce12cbe321023d66b9
-
SHA1
7e05c7993cb93f682e7662cb36d53aa14805d181
-
SHA256
18fe0f6c0117efee30bf68971f4c0cbbc5126789888940bd70542aca5b49134c
-
SHA512
72ed1764bf8292e10188fc291830e1cbb220c458d315a8ea2fec8b7e584eca2673cb0e93cbe707d8fd19683d950b3926124ee4eba06e48fc866849fe24b3edd6
-
SSDEEP
98304:cZ0tlHnHJCX6Apw0NE1cz1XwDLTrzX3Re205/zLaRqiStYQMrI:qOfrAZNE1kXGw/5/zLaRLqMrI
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20240221-es
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20240221-es
Malware Config
Extracted
risepro
193.233.132.62
193.233.132.49:50500
193.233.132.32:50500
193.233.132.67:50500
Extracted
tofsee
vanaheim.cn
jotunheim.name
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
smokeloader
pub3
Extracted
djvu
http://habrafa.com/test2/get.php
-
extension
.lkfr
-
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
- payload_url
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0852ASdw
Targets
-
-
Target
setup.exe
-
Size
726.0MB
-
MD5
d7c5a94b5914d06d3139a9963393793c
-
SHA1
85f79f4929ef8d0ce2a16b4c26a91e68e0946479
-
SHA256
96a6fdf8a0acdf2bd0b8a1d0b8a7a245839702733c903733c61cd1e9cc0fdb5d
-
SHA512
f62fe984995272caa128f5ed3c3f02aa4596e6ee5ba765ba3926bb7246e62ca7edbe2df135d0195253d6db5cf83d629ec78ca5f94fbc90fbaba723c8fddb4db2
-
SSDEEP
98304:RqzOAXymMjEQrchbwBBxhxz6URJjMd2mGzMp5rZk:RqCAtMjpl56URJwd2mGzMp5rZk
-
Detect ZGRat V1
-
Detected Djvu ransomware
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Modifies file permissions
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2