General

  • Target

    https://educationallibraryfurniture.com/wp-content/server2/v4_file_x86x64.rar

  • Sample

    240429-wft3jagf67

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.96:28380

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted

Family

risepro

C2

193.233.132.253:50500

193.233.132.226:50500

Extracted

Family

lumma

C2

https://greetclassifytalk.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

socks5systemz

C2

http://cevduzd.net/search/?q=67e28dd86d5cf57b120caf497c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a371ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffb15c1ec929839

http://cevduzd.net/search/?q=67e28dd86d5cf57b120caf497c27d78406abdd88be4b12eab517aa5c96bd86ec958f48835a8bbc896c58e713bc90c91936b5281fc235a925ed3e00d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee919e3ace689414

Targets

    • Detect Vidar Stealer

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies firewall policy service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks