Resubmissions

15-11-2024 18:05

241115-wpjcdsxrdy 10

11-11-2024 21:40

241111-1h6xbsxcql 10

03-12-2022 17:54

221203-wg4ncscc33 10

General

  • Target

    8547977480.zip

  • Size

    34.2MB

  • Sample

    241115-wpjcdsxrdy

  • MD5

    2d80845d65f702b4c692e75b67f04b7a

  • SHA1

    3aecbf1263d599dc24fe3c92bcad4c41e23bc955

  • SHA256

    649c75d99b6d8e237d8a8d0142796fcbfa7381674628201f474b58039144ec2a

  • SHA512

    9e2e77b037b815b660403aa9edfe9911301aed7fdd056a3a8b5ac7c229ff25b723acfc41d1d2d59aa8e0268564bce3d854dd9dae3e49917c4b294c1b08a695b6

  • SSDEEP

    786432:dSwjjNxcsSEy6TYX9I9g56wCjlup1pGmlECm9S6N6zZ0cESSNU:dSUN+s81gwC+1pG4WS6Y0cNSe

Malware Config

Extracted

Family

vidar

Version

55

Botnet

1703

C2

https://t.me/truewallets

https://mas.to/@zara99

http://116.203.10.3:80

Attributes
  • profile_id

    1703

Extracted

Family

raccoon

Botnet

bd3a3a503834ef8e836d8a99d1ecff54

C2

http://77.73.133.7/

Attributes
  • user_agent

    TakeMyPainBack

xor.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @mr_golds)

C2

51.89.201.21:7161

Attributes
  • auth_value

    4b2de03af6b6ac513ac597c2e6c1ad51

Extracted

Family

redline

Botnet

nam6.1

C2

103.89.90.61:34589

Attributes
  • auth_value

    5a3c8b8880f6d03e2acaaa0ba12776e3

Extracted

Family

privateloader

C2

208.67.104.60

Targets

    • Target

      233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231

    • Size

      3.5MB

    • MD5

      d0c77a8d28ac7ed062de16103b7b7a9e

    • SHA1

      2aff43098626864c0bbb1ab5463683321b54cdcd

    • SHA256

      233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231

    • SHA512

      05d6e0f5d3677e1cc268ecc1ad3d5e1b7925f61bfa0e91516805d19b44a776fc7bad0725809109ab62b73916d5bc92a09e22d8f4fdfa3e191347c2ba066a7120

    • SSDEEP

      49152:bDLaXbiwy/9Zxi9wrxqeMho8OYetIqRLC4GBN0ILUMh+l4Im2ZvrOYa7DYya/Ku8:3OXzEnkGxqeQohS8LCR4kL7Hcdfro/o

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Target

      2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

    • Size

      786KB

    • MD5

      7185834758af3441e82bba85cd5b8ff0

    • SHA1

      58520459530dcd3f840825b540d02b0a86590b86

    • SHA256

      2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

    • SHA512

      9a99d1a453a830b8c17e42e9c746b12483f3c9e8585e94e6a615b8d50cbf612610628670d8e261bab1450ed8ed7c1dac9ad7e04e1723a545325cbea098b734e8

    • SSDEEP

      24576:26UqGLpGLMMMHMMMvMMZMMMKzbKXOMMHMMMvMMZMMMKzbKXT7GLMMMHMMMvMMZM0:Z6MMHMMMvMMZMMMFOMMHMMMvMMZMMMFi

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon family

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a

    • Size

      215KB

    • MD5

      926677dc69319999351c0771c03ca302

    • SHA1

      0d36a4435c234015d7c3207762b08c1924272753

    • SHA256

      34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a

    • SHA512

      3e34fb409fec7dbe39a6f3e19a0db3f97ac944dfa0c0ffecc00d5510285fe99f42ba80cb6a910f834cb7ba47b487329dc1facc168ce970de34a8e2a32c5abe42

    • SSDEEP

      1536:8I47GyTGCwiSnmQUt0LB18rs5gc3H2KrmswOOF+xcYPit0AQ:8vGyYiSDnt18w5X3HrrmsQMxDqqAQ

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea

    • Size

      8KB

    • MD5

      fd1489c65b0d75f4cdc7b1f2634b5359

    • SHA1

      f8431629d627f8dc13ca486e8b5d0a46f47d46fd

    • SHA256

      463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea

    • SHA512

      e4fc02e1567e188caaf67ccd3a068e6b9db1c20b22a6949ec9ffd9d1a037afe36d744ac8c94a0fd5df55c7e2a51c10a9bcf05c3274175c8296cf16be718a99a2

    • SSDEEP

      96:a9hcOxiPwrltSJ1+pa/4/pzzkZj6tfCIQJ25FsfQungwffm2gbFnU:avc4rvpPd4Z+t6BJyungwffPZ

    Score
    1/10
    • Target

      4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39

    • Size

      720KB

    • MD5

      deece2ef4fe8f9c0c587d67ecb2d1fa4

    • SHA1

      cf7588cf77acd63a4ecf3f554e1672708ee4eaac

    • SHA256

      4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39

    • SHA512

      c062403aaccc83f090704f79540d22f4a6d7de7d18de1297d3170ebb9653a8e40ec3719e45f91782c2eb4829ba623aba3b3040ab716901dc81d939356a21ebd6

    • SSDEEP

      12288:+SipcKrMXnVVLsx7i0ioWvVGYmp7aGEiN8ut/DIXIrVO6b04huXB1lyqmxlz4lVP:fipcKOnVVLsxXEir/DqIrVG4eyjbz4zP

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of SetThreadContext

    • Target

      5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce

    • Size

      450KB

    • MD5

      47d4b2fd7654ad71026eb66dd2aa5d97

    • SHA1

      dabbda8e945fadee09c5bbee1b0ed9a4036038f5

    • SHA256

      5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce

    • SHA512

      3412e220dfcfa4401b03e0ca36c55c03f65bc92016a5a52db625a16c4e1171b1305477e9b461f3aaffeafcae99ccfdf1c9e4729695007718469bda1d753f28f1

    • SSDEEP

      6144:Z8fFQo+7Q0H3y+nvEGiBpYbgBUR4JttcBDlxdwpfxfBThM9eo1I7u0Kry2wej99u:ZYFiISM5jY9IfBTy9eo1dC

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853

    • Size

      3.4MB

    • MD5

      4d536854aa5cbf1fc1c7d2cfc8ee65f6

    • SHA1

      d29e0930c73e808b394c082e372033b0e57bc8b9

    • SHA256

      6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853

    • SHA512

      1aa95fa137e5fc15b56f2155877f23e6609a440f22d143daff0436c0573ec75c528cb2a4af6d76b29085187ba2bc7ea105af65a89559445f248b466cd0079ad4

    • SSDEEP

      49152:naJlbM2hKrp949JqBaaI8zAlhSQrhF0Cph4D4QGpUFCU/rc6jQ6qv/:Ei94AIRSQrhF0K2DX6U/rk

    Score
    3/10
    • Target

      85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

    • Size

      4.8MB

    • MD5

      854d5dfe2d5193aa4150765c123df8ad

    • SHA1

      1b21d80c4beb90b03d795cf11145619aeb3a4f37

    • SHA256

      85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

    • SHA512

      48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc

    • SSDEEP

      98304:GiIOIQKetb5uDv/tFAOoLKSIc5EP61wNYZiu7JfQmEM9:rIbCEA1EP614g9fQm59

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff

    • Size

      7.3MB

    • MD5

      83dbe0cb14f889e38fc0f8889842cf9d

    • SHA1

      ded313ca908136000fd9e5f623dcf0974e2b5f30

    • SHA256

      8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff

    • SHA512

      ad4bef13d8b816dc81b42e0a2983cedd8c1b66bb15ffff93d908dd8bb78621c2ec690c44dc01bffb3a378159c42c7552ebd27bdb889eb13351a85a26d61fbac6

    • SSDEEP

      196608:91O0G+ffRqHIxpuBM9lsB1veokOefmev7+RND:3OL+ffRqoxpAQi0POcmez+LD

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef

    • Size

      2.4MB

    • MD5

      989cb0bfa4cc0bd8e8302f47add8e368

    • SHA1

      515b82386397ec822edbce6f24a6c4b9d13b0344

    • SHA256

      932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef

    • SHA512

      9211bb8622c7dee790db4847a9095bfd8dc48d324a400f374ab42ce65c1e2295cc6392a16e031282f6b3fa29a1881487016c9b817e05d65420d7db41f4548583

    • SSDEEP

      24576:pu4wFHPSaD/zXFRRhOnYQb6VOOmWC9+HW0MigJS3Cd+XHKrQD2YR:

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    • Target

      9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde

    • Size

      6.3MB

    • MD5

      ded964e022a37d93d434091ec75f9881

    • SHA1

      e89a551ac1f19dc3838e21157667e2f98d84d06b

    • SHA256

      9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde

    • SHA512

      13f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af

    • SSDEEP

      196608:91OEVXHF+E/eq7QuIUVUMxVuAK1X84eu/k9RD13q:3OEVV+tq7Q7U62AAi84VkF13q

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753

    • Size

      1.8MB

    • MD5

      6df29a5803a4576a90b6d9cc44b622bc

    • SHA1

      7bed517810e102847d8679aaa3a1caf7ae1a6064

    • SHA256

      9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753

    • SHA512

      38267fca5b28db2e85663bfe075307cfd66e8fd6c30303ad9840a1c04ab287232d700fbca506d837c2c927f46b738999a3de40747dd064ddf3a9dd025cf882a2

    • SSDEEP

      24576:hQTh2cyxiz583hZprjumLzu2O7K8HzxemmF2ZvgsnJQ9q12BL7TLhn5c0ANTyKmz:15Q831o2cHtemmFoDQ9q12BLTh+0u+b

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296

    • Size

      1.7MB

    • MD5

      e9118e77017247f6e5d4046ce9dad8b6

    • SHA1

      8204f61940dc697bf1d96e5a1625629ead242275

    • SHA256

      bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296

    • SHA512

      027a2e262975982f0de9a6be165b77edb037beca0ecfa38a3c4f63aae07416aa688767fd50cf0bf1a5c492d9ee6d04c72aefb3a90ae31a7de1ce088964f5bdaa

    • SSDEEP

      49152:H6M6Zsl+0dOuD2rmHiSCYK64SDq2zPrBLNTyCrxw:H6pZskpuD+gGYa+zBL05

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7

    • Size

      44KB

    • MD5

      caef853daea33a8898555fee1d45e093

    • SHA1

      f32005ded199e821ef77d501f8368a9dcc89c20c

    • SHA256

      bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7

    • SHA512

      b9e37d92c74d9b0677c1c7f8ca2e68fbda5d04b2ca206f6b5401d32073c798a827c6cf449ccecf9c6b58ed15b3ca18b4ba0b5c53c0566ca194affc5eb411a92b

    • SSDEEP

      768:8jYeM17XpwE3sKfkCbJokUP/W1CqpBoa8PP:feW71D6xP/WIquPP

    Score
    3/10
    • Target

      d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a

    • Size

      95.4MB

    • MD5

      6d08fd7ee7d279585077bff3b77c9cf1

    • SHA1

      09918a40856f17990378fcf280d3ce399d1bbdde

    • SHA256

      d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a

    • SHA512

      9673687f67aecefaeeb24104cea85632a89ca4533fe668a14a99cc05ff2fd0e399b8ff62c1716f933884bc160639ca9245fcfaf70dbc32cd8180e55808cf7e01

    • SSDEEP

      96:wCuMxH2gn9Qr393iMMQGjHJvVkOoEV35quW/2viMffthpl4WUl4hbFnU:wCNn9Y95MLkOoEVFNviMfftl2

    Score
    3/10
    • Target

      d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489

    • Size

      87KB

    • MD5

      769df9e877f419beb20a34515a4b211f

    • SHA1

      8de6ec68b339a3f8761703b20a3cfe1c4370f532

    • SHA256

      d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489

    • SHA512

      ef19bd14aac3260be66a30ff21fedf181ece14fb67e76546fa41b6462f2514645c0c2cd0a6244be1b03af71459114c66f28bc588eabaab3d340071a80aa8d8ea

    • SSDEEP

      1536:VpQKRk5UqXbkb2bM5XiE6cuR0Zng71jahYQeEmus8jcd3WWn7q:r6rkb2b6S3cuREn0ahZeEmr3WWn7q

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

    • Size

      6.8MB

    • MD5

      6cb87a9fc7dc1f2a5410fd428f5460f0

    • SHA1

      2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

    • SHA256

      fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

    • SHA512

      4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

    • SSDEEP

      98304:HX5r8kh/RFaW1k9FP0+NCOx2SSGso5pOmaD6Ce2b3V9Sk9Q5uR018Kv/YAFvGF1p:HX53h/bk9PbEAXaDBl9rv0JHFeFOb

    Score
    3/10
    • Target

      fd5b0792ea3837a3eb0b86a47e08d4ec52dda7f1fbe677326fbe31ac534d7340

    • Size

      425KB

    • MD5

      8f0d398959a95fb00ffa81becc6bc147

    • SHA1

      3b7ed126288b9d5dc1a6fa990f6ee9ad6c132c19

    • SHA256

      fd5b0792ea3837a3eb0b86a47e08d4ec52dda7f1fbe677326fbe31ac534d7340

    • SHA512

      f578db36b7993f446fa6ee6757a2bee1679d405bbccbe4af31c373df08d1242ac92d7567fa209569af59cd91917b508e422ef7cd174b578ede934f78f4348354

    • SSDEEP

      6144:O7IX9J9oLlR33beYHpfWvK817NeEkhjAY96stDxgRnlBFMjkymwMGeigavwVfque:O+doLn37FWi87e0vjR2QyMGTZz

MITRE ATT&CK Enterprise v15

Tasks

static1

vmprotect
Score
7/10

behavioral1

spywarestealervmprotect
Score
7/10

behavioral2

raccoonbd3a3a503834ef8e836d8a99d1ecff54discoverystealer
Score
10/10

behavioral3

discoverypersistence
Score
7/10

behavioral4

Score
1/10

behavioral5

redlinelogsdiller cloud (tg: @mr_golds)discoveryinfostealer
Score
10/10

behavioral6

redlinenam6.1discoveryinfostealer
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

privateloaderdiscoveryevasionloadertrojan
Score
10/10

behavioral9

defense_evasiondiscoveryexecutionspywarestealer
Score
8/10

behavioral10

Score
7/10

behavioral11

defense_evasiondiscoveryexecutionspywarestealer
Score
8/10

behavioral12

discovery
Score
8/10

behavioral13

discovery
Score
8/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
7/10

behavioral17

discovery
Score
3/10

behavioral18

vidar1703discoverystealer
Score
10/10