Overview

overview

10

Static

static

3

a041839327...d1.exe

windows7-x64

10

a041839327...d1.exe

windows10-1703-x64

10

a041839327...d1.exe

windows10-2004-x64

10

a041839327...d1.exe

windows11-21h2-x64

10

b102ed1018...01.exe

windows7-x64

10

b102ed1018...01.exe

windows10-1703-x64

10

b102ed1018...01.exe

windows10-2004-x64

10

b102ed1018...01.exe

windows11-21h2-x64

1

650f0d694c...7e.exe

windows7-x64

10

650f0d694c...7e.exe

windows10-1703-x64

10

650f0d694c...7e.exe

windows10-2004-x64

10

650f0d694c...7e.exe

windows11-21h2-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Desktop.rar

  • Size

    198KB

  • Sample

    240415-pfh7psgd91

  • MD5

    7f7effdc4c7a19c224be6237dff8d701

  • SHA1

    3897e1baf0d072d606f77b7b07ad58ecfb2da380

  • SHA256

    c80fed268a0c461e382fe561fb0e94f41f4d1c4d611858bc56ea6118293e3de1

  • SHA512

    8b17efb97c460d6f5cf7010206e3180992455beb1d6180c2aed5db045d4770401ffd2513790e2fcff605948ce5c23acf580e2a8d51919eabc1da3b5b6ebe9d13

  • SSDEEP

    3072:IZL3PGErh57/VTnpKvp5QcHck6wyagpd5h11ANXqIJSw78RQSzipSoqI9oFKD29L:IxeI5TpYStkvyJpZfANXqIJyUcVu2x

Score
10/10
azovsmokeloaderbackdoorpersistenceransomwarespywarestealertrojanwiper

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://furubujjul.net/

http://starvestitibo.org/

http://liubertiyyyul.net/

http://bururutu44org.org/

http://nvulukuluir.net/

http://gulutina49org.org/

http://hulimudulinu.net/

http://stalnnuytyt.org/

http://nuluitnulo.me/

http://youyouumenia5.org/

http://guluiiiimnstra.net/
rc4.i32
rc4.i32

Extracted

Path

C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

Family

azov

Ransom Note
Hello, all your files have been damaged without any possible way to recover. Feel free to commit suicide. [Why did you do this to my files?] They asked me to do this... The hatred is that what makes me feel alive. That's what you secretly have fallen in love with. The hatred is the force that drives the life forward. The hell is my paradise. The suffer is the bliss. Others say the hate is what destroys yourself. I say that the hatred is eternal cure. If you feel desperate you lost the files. Use this despair to create the pain for others. Make them hate you, it is the source of your power. Do you think why the people go to schools and kill others? Why do people make terrorist ideologies? Why do governments covertly makes you suffer? It's the essence of the future life. All we are immortal beings. When spiritual is not a way, the antispiritual is your victory point. In the manifested life you have a choice to be with us either be against. Sow the evil, reap the power is what I say to you. Saw the good, reap the weakness is what spiritual says to you. When you hate, you feel the power. You feel the flight. That fly is the antispirit touch. Use this to multiply the suffer. [How can I use this power?] Find inside the source of bliss. If this bliss goes stronger when you see the suffer. That is what I call the source. Check that by looking through the news how people kill others. How the people dies. How children are being tortured. How animals are executed. The death is your key. [How can I give you my power?] When you read this concentrate on the intent to give the energy of your source to the meta-source of this text. Am vizu der strotum la fictus om spiritus.

Targets

    • Target

      a041839327295fde3df12ea61374abd19c4499b87e211757c593179d6a6870d1

    • Size

      255KB

    • MD5

      7fdba86bba0508054fd1f058a6a2d134

    • SHA1

      131aa6889c55b9348a452fdf369fe54c2f05ba48

    • SHA256

      a041839327295fde3df12ea61374abd19c4499b87e211757c593179d6a6870d1

    • SHA512

      901b368bf99f8b715186d22d73bbb80a87f8498fd375b9023d798651f5c0939d01d3ec3ec50ce148699b6228aca59711883e9a30e986c1c5d18e95e8ab1967f1

    • SSDEEP

      6144:VU8vCLXBfoCmgZw6NNTs9VUkIqj8m+z7:VU8apkQw6N6LUkpv+z7

    Score
    10/10
    smokeloaderbackdoortrojan
    behavioral1behavioral2behavioral3behavioral4

    • Target

      b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801

    • Size

      32KB

    • MD5

      6468ee100d88c71d55dfdcf4e30f991e

    • SHA1

      5c520d2d7dc4c9e5d536d3aff998185657d40ac8

    • SHA256

      b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801

    • SHA512

      41913eb5adaab42c7ebff547421c0faedede5a3356cb2aa8b92ab20320f73766101056853f450435281cf31e7f32603c62fbd88fa3a680b19abda5d8cc9a98ae

    • SSDEEP

      768:QzG3EG0IUJrd6dQar/MjfW33AMar6q3Fu:QKEG4Jx6Ky/Mjo3AMa13U

    Score
    10/10
    azovransomwarespywarestealerwiper

    • Azov

      A wiper seeking only damage, first seen in 2022.

      ransomwarewiperazov

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6behavioral7behavioral8

    • Target

      650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e

    • Size

      32KB

    • MD5

      7129291fc3d97377200f8a24ad06930a

    • SHA1

      3f858d2837529e6c973ffa7c26c643e9748e7282

    • SHA256

      650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e

    • SHA512

      6bd4537a79f839c2964a814eed2fd5c217a969632e267afbe028b04a91a410abd594fb45bf1cba954f8be71e6041a923e932994754fcd46cc71a0bbaf4a932a1

    • SSDEEP

      384:s+ImkKRjvD/XlXPRPNTEUZytgSisYuaDhcWNDkSIvrfPxLCk9Hf/z:WKRjvTXlXPRNTRZ6hisYugcXjfNCkl

    Score
    10/10
    azovpersistenceransomwarespywarestealerwiper

    • Azov

      A wiper seeking only damage, first seen in 2022.

      ransomwarewiperazov

    • Renames multiple (7659) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral10behavioral11behavioral12behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

3
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks