Resubmissions

  • 12-09-2024 02:23  240912-cvfznswere  Score: 10

  • 04-09-2024 00:09  240904-afvheascla  Score: 10

  • 03-09-2024 18:57  240903-xl8csavfrb  Score: 10

  • 03-09-2024 18:12  240903-ws828asgnm  Score: 10

General

  • Target

    Archive.zip

  • Size

    25.8MB

  • Sample

    240903-ws828asgnm

  • MD5

    83671dbfab2418604f11993fdc392094

  • SHA1

    5386d1fb94ec2974736a4d8895a2218855ffda69

  • SHA256

    60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

  • SHA512

    9cf982c9b2949f05ea4ab7d27b369924334cb9f8a0b85c374cf08ac059281ecf96c97088bb983f74033a1a8fba01f09c2f3f41ae3a60e7c79db8b6312edd5138

  • SSDEEP

    786432:+r/Da8WA3C5BENmtAWzdVTkvq+GY8NEXcJap4DFEME/:4/W8WAS5BENmtZ1kvq+GYi8pw+T

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/2jTT3Lnj

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: umin5W2u1lGR6W6xv/u0i+MHUatf9iAg1y1gkBFWPsOXFmmi5ti16qKcOE+AEOp06lxdy0i7WdQ0VnOKA9+KlNMB/PxI2Hsa2SmmrLow3j3x4fiOtk2vSyfX8k1zFcJPrH4dSDO6zwpTmAwcr45quIuoovo5lpmH4Eu2aR8VCF4qrA/bWgUYaiH6hSj9l7oZqG0nDSt8vDAqkuZjevn5DWESgu2BimOodtWPEyKVBkh4vj4g3olZROTMzHS3Xk9JqaMI0ynVHyYPh9xqJWFyqHPDDIZlfHZfzWty99wLcIJK2lPZIrRNC6HmEJC2hm18vwyHhXsmPbnV2tlyFFDE8DzsuKElSCBH/Tw9m0VvuNtooK8UhXqL2P8WxzUbn2xj3y3L+ZYPxDROxpuMJ+b36JfYkJwzAL19KSyqecZxYRFLb9n72YHB1622vqcBXxAjympmJY/c5clp5l4HUrNKntc463vde2oGIU2MYqn3ZQLz36iuJAC6eWzbxCq3dzzIUfCspYpaegQHyzYN2U4PSu8hKmlNfgyVfXmDnjf67h3Ar9Uf9uSCf/1CF24aMR033DEIqBSHVxhPM7lffg4w9deFqK/QU/pN3lGUcbRVM1B0SKKjm1MZKInk4Xfid8wnMnn++ojmjy6nmYzQJ5NlozG0MLwzCkg0RUUR0zuedB4= Number of files that were processed is: 481

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: [key identifier not preserved in this copy of the report] Number of files that were processed is: 446

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>HptiXnPCAN2UHN3G433aL0bNL7fiSHkAV+C8o5zZU++/tMcS4knerx+GNlSxo5Sn3fPG9/MQKWlvotxCITelv48nZxaK7lzU8nAHcqOTbU4TsjHHrXByza4WmuVHVfWhxejGZ+m5tiFOz8IWRmsD9jniuBdhJdoRdYiFiVXaJ/FIZv0FqwaitVq4OGd9cVxfueQ7sziWPpYWXN/Iu4Gde50hAyXGhGoPxVYLjj7PUdNgotGRma8iVR6bCJTv3Y1wcN0TJTp4i8cI4fejie1g1d1k/6FXy7aJeTxBPbWeHD+8xbKl/hEOsTjwbl5IPX3Ga+49nGHa5rVi13k3nr7Txg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>oXALHwIqTHD5K0z5ImAcQ9VsX6Qau3WSf1hqsWow7GTxw2dG585iKLQKCaCLMkQJNX0u0CgyyDKFsq1jDdoc+v8ujw7XHZYm6Mr2rTEwhDUUFryA7PzFh2T5g0QLZvAwXrMvC2++rxhO1+GTlIp/BzWFLKwqqQeFrS1oc8z6QBGsm7kpWrsa/taGh5/hLa6TFsRhYTVvuMKOsMMTi5FaupThl5XVOa0/1144DNaQ4NJce4OyVx0kHrFoTDLNUwoV7MGByL79El7N2FciPirtBJnyNX/UxAKW2hfxAC51qsSO+boniR3cJyvXcNdZsexb6yim8M5DPUrh+pIQ7jtISw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 993-644-0EB Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 1C3-BEB-8BF Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

lumma

C2

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

Extracted

Family

gozi

Attributes
  • build

    300869

  • exe_type

    loader

Extracted

Family

gozi

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes
  • build

    300869

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

  • rsa_pubkey.plain

  • serpent.plain

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family

formbook

Version

4.1

Campaign

i0qi

Decoy

Extracted

Family

qakbot

Version

324.141

Botnet

spx129

Campaign

1590734339

C2

Targets

    • Target

      Dropper/Berbew.exe

    • Size

      109KB

    • MD5

      331d4664aaa1e426075838bac0ba0e80

    • SHA1

      b5825947ed101a498fadd55ed128172773f014e3

    • SHA256

      90a4b2cba38cde1495721ebc965e888440e212585cb565acf18b6216631d13d1

    • SHA512

      9da4eb7b4fee5956f9ad0444c362fb884295d0a8e087ee7f6ed5d3f9e54422730f8c75553edf6ebf57435f2588e9045573f23879d2d8ec1d3843d80c75cd91ec

    • SSDEEP

      3072:vZYeP+XEYkuuHbJ9GLCqwzBu1DjHLMVDqqkSpR:vPUk3J9Cwtu1DjrFqhz

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      Dropper/Phorphiex.exe

    • Size

      143KB

    • MD5

      b034e2a7cd76b757b7c62ce514b378b4

    • SHA1

      27d15f36cb5e3338a19a7f6441ece58439f830f2

    • SHA256

      90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

    • SHA512

      1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

    • SSDEEP

      3072:VMb/kbqjO/3FxV8l8wiEXHPV9r99rWhzAxH7wpjv4z:VMxo3Z8BvV9rL6h2H7wJ4

    • Modifies Windows Defender Real-time Protection settings

    • Phorphiex, Phorpiex

      Phorphiex (also spelled Phorpiex) is a malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Windows security bypass

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Target

      RAT/31.exe

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • SSDEEP

      393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Formbook

      Formbook is a data-stealing malware family.

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • CryptOne packer

      Detects the CryptOne packer as described in the NCC blog post.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Renames multiple (72) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      RAT/XClient.exe

    • Size

      172KB

    • MD5

      75ba783757c5b61bd841afa136fc3eda

    • SHA1

      8db9cda9508471a23f9b743027fa115e01bc1fe1

    • SHA256

      75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a

    • SHA512

      9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1

    • SSDEEP

      1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      RAT/file.exe

    • Size

      101KB

    • MD5

      88dbffbc0062b913cbddfde8249ef2f3

    • SHA1

      e2534efda3080e7e5f3419c24ea663fe9d35b4cc

    • SHA256

      275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06

    • SHA512

      036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4

    • SSDEEP

      1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

    Score
    7/10
    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      Ransomware/Client-2.exe

    • Size

      80KB

    • MD5

      8152a3d0d76f7e968597f4f834fdfa9d

    • SHA1

      c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

    • SHA256

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • SHA512

      eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

    • SSDEEP

      1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

    • Disables service(s)

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Renames multiple (52) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      Ransomware/criticalupdate01.exe

    • Size

      261KB

    • MD5

      7d80230df68ccba871815d68f016c282

    • SHA1

      e10874c6108a26ceedfc84f50881824462b5b6b6

    • SHA256

      f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

    • SHA512

      64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

    • SSDEEP

      3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

    • Fantom

      Ransomware which hides its encryption process behind a fake Windows Update screen.

    • Renames multiple (3053) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      Ransomware/default.exe

    • Size

      211KB

    • MD5

      f42abb7569dbc2ff5faa7e078cb71476

    • SHA1

      04530a6165fc29ab536bab1be16f6b87c46288e6

    • SHA256

      516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

    • SHA512

      3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

    • SSDEEP

      6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (7388) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Stealers/Azorult.exe

    • Size

      10.6MB

    • MD5

      5e25abc3a3ad181d2213e47fa36c4a37

    • SHA1

      ba365097003860c8fb9d332f377e2f8103d220e0

    • SHA256

      3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

    • SHA512

      676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

    • SSDEEP

      196608:Lj43l1SYnShCcjEtOsZ1MJWTqHkzNcWUU5QH7MiXBhxsns3qveh1DCJv/zdM:LGzUCcUOmKoTqH0N9UV7VxHsnpjXK

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visibility of hidden/system files in Explorer

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • UAC bypass

    • Windows security bypass

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Server Software Component: Terminal Services DLL

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

    • Target

      Stealers/BlackMoon.exe

    • Size

      387KB

    • MD5

      336efa7460c08e3d47f29121742eb010

    • SHA1

      f41c36cd83879d170309dede056563d35741b87b

    • SHA256

      e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e

    • SHA512

      e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14

    • SSDEEP

      12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Stealers/Dridex.exe

    • Size

      1.2MB

    • MD5

      304109f9a5c3726818b4c3668fdb71fd

    • SHA1

      2eb804e205d15d314e7f67d503940f69f5dc2ef8

    • SHA256

      af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

    • SHA512

      cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01

    • SSDEEP

      24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

    • Dridex

      Dridex (also known as Bugat/Cridex) is malware that specializes in stealing bank credentials.

    • Dridex Shellcode

      Detects Dridex Payload shellcode injected in Explorer process.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      Stealers/Masslogger/mouse_2.exe

    • Size

      984KB

    • MD5

      af8ab92992ccc4cc6a637953836edf93

    • SHA1

      ac17c77cae31fdfeb618b0083285ba869baf29fc

    • SHA256

      03968a3a5a7a880feefca31686fcfbed445080a0c06eda2b6d623757179b782c

    • SHA512

      9dc3bdfe45f9333d62ef3b0aaf3860a9ef1e94ced02ed0437d3ac2f96b3b9aacf6e621703f13d62f356bd50dec84cc3a3dc787a8a14c9ce0ceeed9ff63c45ad2

    • SSDEEP

      24576:iNg+tKkEYA7Gmvv/HGsvPw9vz/DrELE7VUH:0g4K7YA7vvRMbcLa

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Stealers/lumma.exe

    • Size

      311KB

    • MD5

      33753bbc9a828b7be03eab11ef15d1f0

    • SHA1

      dc2ffad4ab05bab6fcd9f0258d2071bdac910283

    • SHA256

      7d2cacef8fc24cd30f6b0596abaf37342f85ab1d8b6b0ccf01ad1bdb79317d92

    • SHA512

      06c529a8ad0991a3304c83df13093ade5dd37156709d863265703fc6ed23b6dd4519ecb15c08f1badc2d85870fb91912f177183453e63119a1f48641686a0465

    • SSDEEP

      6144:gZBeWp7SFZn5ZkolpkR/rwaYyJXiICeTB:gZBVpmFZPOJJXih2B

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Target

      Trojan/BetaBot.exe

    • Size

      609KB

    • MD5

      347d7700eb4a4537df6bb7492ca21702

    • SHA1

      983189dab4b523e19f8efd35eee4d7d43d84aca2

    • SHA256

      a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8

    • SHA512

      5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9

    • SSDEEP

      12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables antivirus software.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies firewall policy service

    • ModiLoader Second Stage

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Indicator Removal: Clear Persistence

      Removes Image File Execution Options (IFEO) entries.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Trojan/SmokeLoader.exe

    • Size

      251KB

    • MD5

      924aa6c26f6f43e0893a40728eac3b32

    • SHA1

      baa9b4c895b09d315ed747b3bd087f4583aa84fc

    • SHA256

      30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

    • SHA512

      3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

    • SSDEEP

      6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

  • static1
    Tags: upx stealer system xworm revengerat zeppelin modiloader
    Score: 10/10

  • behavioral1
    Tags: discovery persistence
    Score: 10/10

  • behavioral2
    Tags: discovery persistence
    Score: 10/10

  • behavioral3
    Tags: phorphiex discovery evasion loader persistence trojan upx worm
    Score: 10/10

  • behavioral4
    Tags: phorphiex discovery evasion loader persistence trojan upx worm
    Score: 10/10

  • behavioral5
    Tags: agenttesla danabot dharma formbook gozi qakbot raccoon 86920224 spx129 1590734339 i0qi w9z agilenet banker cryptone defense_evasion discovery execution impact keylogger packer persistence ransomware rat rezer0 rm3 spyware stealer trojan
    Score: 10/10

  • behavioral6
    Tags: agenttesla danabot formbook gozi 86920224 w9z agilenet banker botnet credential_access cryptone defense_evasion discovery evasion execution impact keylogger packer persistence ransomware rat rezer0 rm3 spyware stealer trojan
    Score: 10/10

  • behavioral7
    Tags: xworm execution persistence rat trojan
    Score: 10/10

  • behavioral8
    Tags: xworm execution persistence rat trojan
    Score: 10/10

  • behavioral9
    Tags: persistence
    Score: 7/10

  • behavioral10
    Tags: persistence
    Score: 7/10

  • behavioral11
    Tags: hakbit credential_access discovery evasion execution ransomware spyware stealer
    Score: 10/10

  • behavioral12
    Tags: hakbit credential_access discovery evasion execution ransomware spyware stealer
    Score: 10/10

  • behavioral13
    Tags: fantom discovery evasion ransomware spyware stealer
    Score: 10/10

  • behavioral14
    Tags: fantom discovery evasion ransomware
    Score: 10/10

  • behavioral15
    Tags: buran zeppelin defense_evasion discovery execution impact persistence ransomware
    Score: 10/10

  • behavioral16
    Tags: buran zeppelin defense_evasion discovery execution impact persistence ransomware
    Score: 10/10

  • behavioral17
    Tags: azorult rms aspackv2 defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat trojan upx
    Score: 10/10

  • behavioral18
    Tags: azorult rms aspackv2 defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat trojan upx
    Score: 10/10

  • behavioral19
    Tags: blackmoon banker discovery trojan upx
    Score: 10/10

  • behavioral20
    Tags: blackmoon banker discovery trojan upx
    Score: 10/10

  • behavioral21
    Tags: dridex botnet evasion payload persistence trojan
    Score: 10/10

  • behavioral22
    Tags: dridex botnet evasion payload persistence trojan
    Score: 10/10

  • behavioral23
    Tags: masslogger collection credential_access discovery rezer0 spyware stealer
    Score: 10/10

  • behavioral24
    Tags: masslogger collection credential_access discovery rezer0 spyware stealer
    Score: 10/10

  • behavioral25
    Tags: lumma stealer
    Score: 10/10

  • behavioral26
    Tags: lumma discovery stealer
    Score: 10/10

  • behavioral27
    Tags: betabot modiloader backdoor botnet defense_evasion discovery evasion persistence trojan
    Score: 10/10

  • behavioral28
    Tags: betabot modiloader backdoor botnet defense_evasion discovery evasion persistence trojan
    Score: 10/10

  • behavioral29
    Tags: smokeloader backdoor discovery trojan
    Score: 10/10

  • behavioral30
    Tags: smokeloader backdoor discovery trojan
    Score: 10/10