buran

Resubmissions

11-11-2024 05:34

241111-f9w6zstjbz 10

11-11-2024 03:05

11-11-2024 03:00

08-11-2024 08:59

08-11-2024 08:55

Sharing

Copy URL

Twitter E-mail

General

Target

241105-dtxrgatbpg_pw_infected.zip
Size

132.7MB
Sample

241111-dlmlja1jbx
MD5

136b5aad00be845ec166ae8f6343b335
SHA1

e51860dfb734c9715b6c9b74d9c582abe03ca90c
SHA256

38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
SHA512

ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
SSDEEP

3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

Attributes

build_id
19

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

Attributes

build_id
103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

Attributes

build_id
140

rc4.plain

Extracted

Family

zloader

Botnet

07/04

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

Attributes

build_id
131

rc4.plain

Extracted

Family

cobaltstrike

Botnet

305419896

http://47.91.237.42:8443/__utm.gif

Attributes

access_type
512
beacon_type
2048
host
47.91.237.42,/__utm.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
watermark
305419896

Extracted

Family

revengerat

Botnet

INSERT-COIN

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes

reg_key
c6c84eeabbf10b049aa4efdb90558a88
splitter
|'|'|

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes

reg_key
6825da1e045502b22d4b02d4028214ab
splitter
Y262SUCZ4UJJ

Extracted

Family

revengerat

Botnet

Guest

178.17.174.71:3310

Mutex

RV_MUTEX-HxdYuaWVCGnhp

Extracted

Family

revengerat

Botnet

tenakt

94.23.220.50:559

Mutex

RV_MUTEX-YtjWSTUKIWwi

Targets

- Target
  
  241105-dtxrgatbpg_pw_infected.zip
- Size
  
  132.7MB
- MD5
  
  136b5aad00be845ec166ae8f6343b335
- SHA1
  
  e51860dfb734c9715b6c9b74d9c582abe03ca90c
- SHA256
  
  38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
- SHA512
  
  ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
- SSDEEP
  
  3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz
Score

10^/10

smokeloader backdoor discovery execution trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  201106-9sxjh7tvxj_pw_infected.zip
- Size
  
  162KB
- MD5
  
  be3fb61218c3f159acc5d2715662eef7
- SHA1
  
  c34ed3d26f606e0b59c5c6712a17638185f7db07
- SHA256
  
  b99f3781093d168fe884a5e9578589628d9df871f08aedc6cacddfb223339cb2
- SHA512
  
  94198ae99c40d9272ef30865f58fff78c919fd593625666c1c118e38cea73e91777148ea3167761565f9ab31693e3dc87893b5616ac39e7a84b38e616bee22a4
- SSDEEP
  
  3072:5gOrQAaFT9LjOAfocXVEvn7EAS2jePWkwlfBGk9JTwcJIVPlPGSdKNtZcRPAkSxo:RQ5FVOncF2SDPWkwfGk9JTwc2VRGkmtm
Score

10^/10

buran revengerat zeppelin guest tenakt defense_evasion discovery evasion execution impact persistence ransomware trojan
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Buran family
  buran
- Detects Zeppelin payload
- Modifies WinLogon for persistence
  persistence
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- UAC bypass
  evasion trojan
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Zeppelin family
  zeppelin
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (6077) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral3 behavioral4