Resubmissions

04-10-2024 16:44

241004-t8yv3syhpd 10

27-09-2024 16:54

240927-vepkzsvbre 10

27-09-2024 16:44

240927-t86wpavard 10

04-08-2024 18:04

240804-wnq1vawbpg 10

03-08-2024 17:26

240803-vzvbzazekn 10

03-08-2024 16:14

240803-tpp4tsshqa 10

03-08-2024 15:52

240803-tbarzsseqc 10

31-07-2024 19:40

240731-ydk3yszdpq 10

31-07-2024 10:53

240731-my145atfmf 10

General

  • Target

    New folder (8).7z

  • Size

    17.6MB

  • Sample

    241004-t8yv3syhpd

  • MD5

    be23bf21f50efe03646c00428769da08

  • SHA1

    588f68a1f66ee0c689104d9096415b9070838827

  • SHA256

    0e06e9585cc9db33ee999ca4de668ab64ef6e9fa928ae6541b2f1ec68ff09da8

  • SHA512

    b3850d8b79c88e5a1ac7d2855f5b03b08c3392629f041474a997f4c9d71e321c24b9a2c5dad79e8fa6a1bb94648a30808dfa37dbb61e1348fd221594beeda8aa

  • SSDEEP

    393216:gTZqJOaXIZoQGPISZpx/0iw+lT+6uxC2JxpG25Bbm:gsJd7ISLW+t+6mCOTdm

Malware Config

Extracted

Family

icedid

Botnet

2683308570

C2

funnymemos.shop

trythisshop.club

shopoholics.best

buytheone.best

Attributes
  • auth_var

    1

  • url_path

    /audio/

Extracted

Family

wellmess

C2

http://178.211.39.6:80

https://141.98.212.55:121

rsa_privkey.plain
rsa_pubkey.plain
rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

danabot

Botnet

4

C2

192.119.110.73:443

192.236.192.201:443

Attributes
  • embedded_hash

    F4711E27D559B4AEB1A081A1EB0AC465

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family

djvu

C2

http://asvb.top/nddddhsspen6/get.php

http://astdg.top/nddddhsspen6/get.php

Attributes
  • extension

    .ehiz

  • offline_id

    94ZMASYQt4QGhpOo8gEwVMGuTvtKzw670thXUlt1

  • payload_url

    http://asvb.top/files/penelop/updatewin1.exe

    http://asvb.top/files/penelop/updatewin2.exe

    http://asvb.top/files/penelop/updatewin.exe

    http://asvb.top/files/penelop/3.exe

    http://asvb.top/files/penelop/4.exe

    http://asvb.top/files/penelop/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IMhsjaUZQE Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0299ewgfDd

rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

icedid

Campaign

1677747888

C2

jeliskvosh.com

Extracted

Family

lokibot

C2

http://becharnise.ir/fa11/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

icedid

Campaign

1910897067

C2

epicprotovir.download

Targets

    • Target

      0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee.exe

    • Size

      2KB

    • MD5

      4a6ac8d48c9793c0c852a6ac93ba2002

    • SHA1

      cdc7a9cf8ee36099c823779ac2dd8ffe3a84d723

    • SHA256

      0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee

    • SHA512

      3aacced9817519ae31ed2bc4cf4063b2eb0a1c9e9addbcb9e08b3431f519ca0a8a6a8962e1039835a48e50cb52cd08d21cad642a66822c288d2b0a88541c361e

    Score
    3/10
    • Target

      15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71.exe

    • Size

      150KB

    • MD5

      022f5345cfab4ef75476ffc7f708fcfe

    • SHA1

      81802b0a5f738b7333a60eece96441c1bca19792

    • SHA256

      15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71

    • SHA512

      6595ef6e3e0b65afd0a4f7d5bd5650466a4299df8284180b48ff0e30a537a42616a98c530fa4d39fdbe30eb1cc6c72fd749a98551890a0b488f04fd164b49f53

    • SSDEEP

      1536:YyuipsAiJm4cJI7CweL+eX9kEnOCGzJoQL2VwEeYIsUE4KvVf+boJPtgm4qeYwqN:FlpYU6vqXRPE2VyYIsf4K9ffFSqe72

    • Target

      1820a0542f5950fd92ffa787cf09377a14d0fb42f0fa7419366090a5771a5f34.exe

    • Size

      38KB

    • MD5

      a4017c06209e16b8f47fcf6e5845aba9

    • SHA1

      66d99a1cc92ed316e0d7a2ab6df466c289154ec3

    • SHA256

      1820a0542f5950fd92ffa787cf09377a14d0fb42f0fa7419366090a5771a5f34

    • SHA512

      52e4df915b3cb6eb60a3f37874b0d8a14646ffadb9aa621cf8ea3fb04b5cbb4250fb9cec3a2ed8722a7eae4b600836b5b7bf72e53e297e464fb844096a9b2f5e

    • SSDEEP

      768:tojIJWP0znqX60+KU6nCVUO2gTjZSXulSJ474fLv/zkSf2Vz:NnqXn+YoQ+lu474zo

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Target

      1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad.exe

    • Size

      1.3MB

    • MD5

      9344afc63753cd5e2ee0ff9aed43dc56

    • SHA1

      ee1fa399ace734c33b77c62b6fb010219580448f

    • SHA256

      1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

    • SHA512

      6434c212a85180c1af00f5c5fa081a6a6ab66f5633edb74e130a7b9d754a6a65dc973f5e820f6f57a43956c276dbf3721021d1e9bb53fa79ac51ed8cb23f4090

    • SSDEEP

      24576:/U1v3pE+zO9mBt2bdm3EHVXkNA80Jl5IzCxWWDrSBkian7X5:/Qv74bdm3EHEA8UIzm8aj5

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      22934e006b3f1b8225c51a93ce0acaa1874c4f1dc895fa1664bdf16b0065d2e7.exe

    • Size

      2KB

    • MD5

      af8ae6c1f2859cc139cd176a6656a855

    • SHA1

      161e2d577b418eaa94bf1959a634956b75d7922b

    • SHA256

      22934e006b3f1b8225c51a93ce0acaa1874c4f1dc895fa1664bdf16b0065d2e7

    • SHA512

      a80672ea1f49ebaeaf5b850377ee346e7953bf6379a79db91b826ba2249a66424b0f1be189351dc86088ff9efd72142a46f6d4bff2c5dc7271a4db22c10bcd1e

    Score
    3/10
    • Target

      24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe

    • Size

      1.2MB

    • MD5

      39ae3110dc8ee4239811f2a1083e675e

    • SHA1

      f235ea35b4a408a052ec5bc93310adb77b52ecbc

    • SHA256

      24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7

    • SHA512

      cee1b9804a3a3d4f033d8076f66ffd6021a0b017a7588b96749d319d382056847d26aedc2f1fa5b7140c01697407da3c2873d59c78044376b083bc8f0c8494ee

    • SSDEEP

      24576:aG4NAckBXt2Uj3WTNWIcXuDTPyYaOnuhZiOASiN0A:O0shOeDjzagumObiN

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot Loader Component

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Target

      2828fabf3937d88b85183664c9019c4639776ba7c2322f48e4957108ef07ed65.exe

    • Size

      179KB

    • MD5

      69828a3d5c60eb466c3a62f3389f6f87

    • SHA1

      7b9526f82448d0a1fb59a8125d1de55e3a166d72

    • SHA256

      2828fabf3937d88b85183664c9019c4639776ba7c2322f48e4957108ef07ed65

    • SHA512

      ce8818f78b62453fb56fcaf98efa7bc52068f7ddf915e1df6841f33a39aff6bd7c60692af16ea361cdf15b3cc79787e4a39bb6648faffc3eaac10ce886b45d5f

    • SSDEEP

      3072:uq3W3hXSPA5aodE8pn6kTDnlBtx6Qg9+Fh3SslsR/dLcEZD6zs:uIuXSPA5aWpn6kTDnjzjFm/1Z+4

    Score
    1/10
    • Target

      32b0fbaf95fefcc9b89243be8721625592fc9ed92d76a48cab263898fd3d5c08.exe

    • Size

      844KB

    • MD5

      a6f049a056e37a65280ddfe17f689b50

    • SHA1

      479e08954d4d58b643ada84da280bd01c71e779a

    • SHA256

      32b0fbaf95fefcc9b89243be8721625592fc9ed92d76a48cab263898fd3d5c08

    • SHA512

      f7effb9a12c0723ed336117e3399940d4fe9e3682eec18cdf19cf074dab27d2ce8b1c14d30f1e3e26b5883732f8b970477a32ca4c12fe36a8fa3bc452586511b

    • SSDEEP

      24576:40bAk9PkFMVNgsbj6d2dXrpcpZBWGyDs1lwBUeF:PEGNgsnHDIZB/yDseB

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Renames multiple (171) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      4bf2dace8a23551a3cd374a14b68cef6185aa18f9148dac8bf77f19f734d3ad7.exe

    • Size

      787KB

    • MD5

      0b862b9c889d4bdc6f0bac7d702d8753

    • SHA1

      fdc030df123e6e6a712cbc960a2e7c63266bf040

    • SHA256

      4bf2dace8a23551a3cd374a14b68cef6185aa18f9148dac8bf77f19f734d3ad7

    • SHA512

      4f7284a625b4909f9a0d80023c1dbfe3ed2de8a14fdf9a5bd3687d7e2fb21e265ee6cca613e4e6c8cab35f806501b155e6ed70a11530eb1cc78dbc38b22d3e8b

    • SSDEEP

      24576:reKt4RjnJ+wWEr55fRue+cfxiskJM0BPA:rORdGA55fkcJinM0BI

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Renames multiple (160) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      55d03f9954e35d8bce3fbd084d909744b3719310bac7c359cda87e7831cc1344.exe

    • Size

      231KB

    • MD5

      ee28a178e3aacfa1398ca74a9bc1822e

    • SHA1

      193bc249bac79c0a195e736c62de5ec16e5ef38d

    • SHA256

      55d03f9954e35d8bce3fbd084d909744b3719310bac7c359cda87e7831cc1344

    • SHA512

      3f0dbbbda0cba4a32fe49fd7941d3fa640a8b7aeec56a3f584d519593de68e4acf8036c651cd469e386a32c5465521035dccebb6f3732f7893be552803d48353

    • SSDEEP

      3072:ktkuGh43+xNkZ4I0+NFS1I74Y61cyJDz/+6BjbkJuWg349uoZaOG/mf3vfUgrfQj:FMZ4P+NEc4zYgV9QFhP0grf0dd

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Target

      5e58e3818a1b7a5c46fab0a1400f7ccd88f088a782bb9c9f229f5e835e57aecb.exe

    • Size

      865KB

    • MD5

      aeccd0447a233ab8f7de5d7df28e9331

    • SHA1

      c9dbaac42e30413f8cdb6ef09cf90ca75d0137a7

    • SHA256

      5e58e3818a1b7a5c46fab0a1400f7ccd88f088a782bb9c9f229f5e835e57aecb

    • SHA512

      44bcb72760eacb7c69b30b2835043f11fa47e3c950afc795286317645d92925cc1c7884bd611b4f0df2b74750949401e377c6d4fe5741926a0f720ddf99ca40e

    • SSDEEP

      24576:EejP2Qq5NJf5osyeT2DiqkRD73mOcohh:/jYNp5PTZqkRn3mz

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      611cf2be6752c173be1328ea47cc8ea736bc3bda9030da617390b23afa955b47.exe

    • Size

      280KB

    • MD5

      284b061036a1e367e41c00235d1b5e6f

    • SHA1

      f6277c4d7a39427e7c86a3f9040729d6b17aff65

    • SHA256

      611cf2be6752c173be1328ea47cc8ea736bc3bda9030da617390b23afa955b47

    • SHA512

      21733f5d5953a07021536928842bce4be637235b7c1578fa0096c53a546614ecbc172f0e500fddf2611acd2dba94b13152fb1eff75efb0666342183c0f6627c6

    • SSDEEP

      6144:x6DKNllJ4Uc/gqXKq8+RigIWU+Ydm0UAtXbe9bu:sDKNlAUcBaq8+RnWm0UA9b

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      654e574fb479af0a9f8d277ed12f2d86681b76b4cfe63d7c9e774f5144be8801.exe

    • Size

      8KB

    • MD5

      096a19cd1460c87f343444a4740327c2

    • SHA1

      0f55409dbc70927548c2d351185408f7615ee47c

    • SHA256

      654e574fb479af0a9f8d277ed12f2d86681b76b4cfe63d7c9e774f5144be8801

    • SHA512

      259552c2bd72062aa531ea9dac59b6411b64d735c01197dbf0e2943cc8a9ddc37eb1e0be9f22118a48bead99f57a237f9bb986f8ceafc67ed463f9c00a6587bf

    • SSDEEP

      192:/G6OThBwj6k8TqLUh5wCb3py+g2O9Cung9C:/G9hNxh5Zp1i9Cun

    Score
    3/10
    • Target

      6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5.exe

    • Size

      3.0MB

    • MD5

      07ab47ba492cb4ce3b9255ecbfb543f7

    • SHA1

      b86f8aeddddd245f0198ad92ff6cee605cbe1d4e

    • SHA256

      6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5

    • SHA512

      0f161c751011070eca63baf0d544e35adfb7ae23c7bef6ef21684d93ee81d88fa0a83f5f1cc7be10e5a31c2012711298e599e4264d13f6607c9ce7abc8c5ad3a

    • SSDEEP

      49152:fb1ZTEb66GZQJAaYqh3owdV+xYtb/Khu0Ar51hRzEHgR8wfXhxld4sl9O3/TvHv0:5ZQ+6uQhYEom+mtkQ1hRwH2X9i/vFO

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      c7ce0e47c83525983fd2c4c9566b4aad

    • SHA1

      38b7ad7bb32ffae35540fce373b8a671878dc54e

    • SHA256

      6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

    • SHA512

      ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      4ccc4a742d4423f2f0ed744fd9c81f63

    • SHA1

      704f00a1acc327fd879cf75fc90d0b8f927c36bc

    • SHA256

      416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

    • SHA512

      790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

    • SSDEEP

      192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, loader, 2683308570, themida, stormkitty, icedid, wellmess
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

smokeloader, backdoor, discovery, trojan
Score
10/10

behavioral4

smokeloader, backdoor, discovery, trojan
Score
10/10

behavioral5

icedid, 1910897067, banker, loader, trojan
Score
10/10

behavioral6

icedid, 1910897067, banker, loader, trojan
Score
10/10

behavioral7

upx
Score
5/10

behavioral8

upx
Score
5/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

danabot, 4, banker, discovery, trojan
Score
10/10

behavioral12

danabot, 4, banker, discovery, trojan
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

djvu, discovery, persistence, ransomware
Score
10/10

behavioral16

djvu, discovery, persistence, ransomware
Score
10/10

behavioral17

djvu, discovery, persistence, ransomware
Score
10/10

behavioral18

djvu, discovery, persistence, ransomware
Score
10/10

behavioral19

icedid, 1677747888, banker, loader, trojan
Score
10/10

behavioral20

icedid, 1677747888, banker, loader, trojan
Score
10/10

behavioral21

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral22

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral23

stormkitty, discovery, persistence, privilege_escalation, spyware, stealer
Score
10/10

behavioral24

stormkitty, discovery, persistence, privilege_escalation, spyware, stealer
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery, evasion, persistence, themida, trojan
Score
9/10

behavioral28

discovery, evasion, persistence, themida, trojan
Score
9/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10