General
-
Target
release.rar
-
Size
7.9MB
-
Sample
240307-1tj7psga4x
-
MD5
055bfe6e7bbf803236c3b1552f2ca0b1
-
SHA1
21559b4a5b1ab33dc5d91e5f3422d5d88dd70e93
-
SHA256
baa06057a238e7417c4a544875c85b8d4d408a2c4585631206530cd2360a713e
-
SHA512
410865555981d4da4eb11ab8fc37891ad01503c9bf86f30b0255460d6ed9cd3fdffa34bf4953f915254c81a6c8ed139ad389197fcd078eacdddfe92a3c5549a2
-
SSDEEP
196608:juqMF1FTRFBVltwEi790gw4RsYPdgoR2twuANg9QAFb:iqmLLBm8gw98BQwujP
Malware Config
Extracted
vidar
8.1
8698e6090462c2758aa8aa2f4abb74a2
https://steamcommunity.com/profiles/76561199649267298
https://t.me/uprizin
-
profile_id_v2
8698e6090462c2758aa8aa2f4abb74a2
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0
Extracted
vidar
8.1
1118c2aa8aae3b819bd8b2706f8dbe9d
https://steamcommunity.com/profiles/76561199649267298
https://t.me/uprizin
-
profile_id_v2
1118c2aa8aae3b819bd8b2706f8dbe9d
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0
Extracted
smokeloader
pub3
Extracted
gcleaner
185.172.128.90
5.42.65.115
Extracted
smokeloader
2022
http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php
Extracted
risepro
193.233.132.62
Extracted
raccoon
-
user_agent
f
Extracted
raccoon
4ddee039c3c1cb01baf0736505e3e436
http://94.131.106.24:80
-
user_agent
MrBidenNeverKnow
Extracted
lumma
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Targets
-
-
Target
release.rar
-
Size
7.9MB
-
MD5
055bfe6e7bbf803236c3b1552f2ca0b1
-
SHA1
21559b4a5b1ab33dc5d91e5f3422d5d88dd70e93
-
SHA256
baa06057a238e7417c4a544875c85b8d4d408a2c4585631206530cd2360a713e
-
SHA512
410865555981d4da4eb11ab8fc37891ad01503c9bf86f30b0255460d6ed9cd3fdffa34bf4953f915254c81a6c8ed139ad389197fcd078eacdddfe92a3c5549a2
-
SSDEEP
196608:juqMF1FTRFBVltwEi790gw4RsYPdgoR2twuANg9QAFb:iqmLLBm8gw98BQwujP
Score10/10-
Detect Vidar Stealer
-
Detect ZGRat V1
-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies visibility of file extensions in Explorer
-
Modifies visiblity of hidden/system files in Explorer
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V2 payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops Chrome extension
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver.
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Modifies boot configuration data using bcdedit
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
5Virtualization/Sandbox Evasion
3