General

  • Target

    virussign.com_20241117_LimitedFree.zip

  • Size

    31.1MB

  • Sample

    241117-vn1plsvblc

  • MD5

    bfc2999b29b852cbf97de11290116c93

  • SHA1

    1b62ac8a846efb68ea1275b20c245ca5df597e2c

  • SHA256

    79651e8616f701122275edd7444d7f62478bc2a786d204ec2c59e9f01a5d417b

  • SHA512

    d4ed417241039a3837822a01c9b85d7857cc6e10b404fc1f0a0f08ec08525de805382ec1f4be8c53009fb37c52bde0055cd7f24a876721cd3e1729121ebbf215

  • SSDEEP

    786432:6GVKoV8yuSCrLsVszCN7jCAuMhzHOOhJ/BcI:9VKoW7rLsVsU7j1nhzHOOhJ/BcI

Malware Config

Extracted

Family

redline

Botnet

zima

C2

176.113.115.145:4125

Attributes
  • auth_value

    2ef701d510c0d27e8a8e3270281678b1

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm
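The config and hash fields above are what a responder lifts into a blocklist, and this flattened report layout (a label line followed by one or more value lines) is easy to mis-copy: a hash truncated by a line wrap or a stray label line will silently poison the list. The following added example, which is not part of this report or of any sandbox vendor's tooling, parses this format and validates every field before emitting it: hex length per hash algorithm, address and port range for the RedLine socket, URL shape for the Berbew list, and the blocksize:chunk:chunk form of ssdeep. SAMPLE_REPORT is a constructed excerpt that copies a few lines from the page with the blank spacer lines removed and adds one deliberately truncated SHA1 to exercise the rejection path.

```python
"""Pull indicators out of a Triage-style sandbox report flattened to plain
text (as on this page) and validate them before they go into a blocklist.
Added example, not part of the report or of any sandbox vendor's tooling.
SAMPLE_REPORT is a constructed excerpt: lines copied from the page with the
blank spacer lines removed, plus one deliberately truncated SHA1."""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
Family
redline
Botnet
zima
C2
176.113.115.145:4125
Attributes
  • auth_value
    2ef701d510c0d27e8a8e3270281678b1
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://ldark.nm.ru/index.htm
Targets
    • MD5
      b1d2087d1d88f80870106373da2011b0
    • SHA1
      8b6c761cd06d8e8e025ce85d48f3e9df
    • SHA256
      1427b7aebb298e1f9e488982e3c6d22f53e23c185c0a33bfc6478679e72fdcbc
    • SSDEEP
      24576:RHDDHFh2kkkkK4kXkkkkkkkkhLX3a20R0v50+Y:NDxbazR0v
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Labels whose following lines are values we keep, and labels that only close a block.
VALUE_LABELS = set(HASH_LENGTHS) | {"Family", "Botnet", "auth_value", "C2", "SSDEEP"}
END_LABELS = {"Extracted", "Attributes", "Targets", "Target", "Size", "Sample", "Score"}
HEX = re.compile(r"^[0-9a-fA-F]+$")
SOCKET = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
URL = re.compile(r"^https?://\S+$")
SSDEEP = re.compile(r"^(\d+):([A-Za-z0-9+/]*):([A-Za-z0-9+/]*)$")


def _valid_socket(m):
    octets = [int(o) for o in m.group(1).split(".")]
    return max(octets) <= 255 and 0 < int(m.group(2)) < 65536


def extract_iocs(text):
    """A label line selects the field that the value lines after it belong to."""
    iocs = {"families": {}, "c2": defaultdict(list),
            "hashes": defaultdict(set), "ssdeep": [], "rejected": []}
    label = family = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in VALUE_LABELS:
            label = line
            continue
        if line in END_LABELS:
            label = None
            continue
        if label == "Family":
            family = line.lower()
            iocs["families"].setdefault(family, {})
        elif label in ("Botnet", "auth_value") and family:
            iocs["families"][family][label.lower()] = line
        elif label == "C2":
            m = SOCKET.match(line)
            if m and _valid_socket(m):
                iocs["c2"][family].append((m.group(1), int(m.group(2))))
            elif URL.match(line):
                iocs["c2"][family].append(line)
            else:
                iocs["rejected"].append((label, line))
        elif label in HASH_LENGTHS:
            # Wrong length or non-hex means a copy/extraction error, not an IOC.
            if len(line) == HASH_LENGTHS[label] and HEX.match(line):
                iocs["hashes"][label].add(line.lower())
            else:
                iocs["rejected"].append((label, line))
        elif label == "SSDEEP":
            m = SSDEEP.match(line)
            if m:
                iocs["ssdeep"].append((int(m.group(1)), m.group(2), m.group(3)))
            else:
                iocs["rejected"].append((label, line))
    return iocs


def to_blocklist(iocs):
    """Flatten validated indicators into sorted 'type|value[|family]' lines."""
    out = set()
    for fam, entries in iocs["c2"].items():
        for e in entries:
            out.add(f"ip-port|{e[0]}:{e[1]}|{fam}" if isinstance(e, tuple) else f"url|{e}|{fam}")
    for algo, values in iocs["hashes"].items():
        out.update(f"{algo.lower()}|{v}" for v in values)
    return sorted(out)
```

The ssdeep value is kept as (blocksize, chunk, double-chunk) rather than as an opaque string because fuzzy hashes only compare meaningfully at the same or adjacent block size; the three 2.6MB stealer samples listed on this page all carry block size 49152 and chunk strings that differ in a handful of characters, so a later clustering step can treat them as one build. Run `to_blocklist(extract_iocs(SAMPLE_REPORT))` to get the emit-ready lines and inspect `["rejected"]` for anything that needs a second look before it reaches a firewall or EDR.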

Targets

    • Target

      virussign.com_b1d2087d1d88f80870106373da2011b0.vir

    • Size

      872KB

    • MD5

      b1d2087d1d88f80870106373da2011b0

    • SHA1

      8b6c761cd06d8e8e025ce85d48f3e9dffb9b7bba

    • SHA256

      1427b7aebb298e1f9e488982e3c6d22f53e23c185c0a33bfc6478679e72fdcbc

    • SHA512

      86177f6c5c14caae72c1bb999f53567d519767bae056f6610e07ff76c034dbbffe06d9fae909bdb187828d7ed7d081568afe9fe718520333e86035bbbf1954af

    • SSDEEP

      24576:RHDDHFh2kkkkK4kXkkkkkkkkhLX3a20R0v50+Y:NDxbazR0v

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      virussign.com_b4a073dab1d51b27d63f81649310ab60.vir

    • Size

      468KB

    • MD5

      b4a073dab1d51b27d63f81649310ab60

    • SHA1

      86dee899d11513345890ac7a1a21c00ae1748376

    • SHA256

      c63c4e473b61d00146f93f17884e433eaa77dc9268e511c6ea391f1865f9d60e

    • SHA512

      360a9e4ea0f4ebf3cd64920fefce623c72ae38a3d363c6743de1817627bf8665156a28f3e71a41a5502bd360fd9342a34cfba0938c5ddf40b6c3ef640abc4f02

    • SSDEEP

      3072:4belogxaIU57tbYZPAcfmbfD/n2DnsIHHQmyeQVqAf5Fkki3uPulp:4b4oCc7tCPdfmbfradwf5C73uP

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      virussign.com_b793dc2ed636fdaee1a701e05fde1640.vir

    • Size

      2.6MB

    • MD5

      b793dc2ed636fdaee1a701e05fde1640

    • SHA1

      23741caf22809c1bfb9b9d803a070f45b95dfa26

    • SHA256

      4e243bfc150e3df8b0b6c3f274c51e21a61c58b261c4ee963ff3cc1b000b55c9

    • SHA512

      d4f0e7a3aea5cb7216cb7fa0a290845fcf92413c83edd3de3302ffda45a52ee3a28c7faa6da9391be03f7818441b68b96c1c95548e28dc1419eb79f469b92e94

    • SSDEEP

      49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpJb

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Target

      virussign.com_ba1f70e629bc3e70fba35036be583ce0.vir

    • Size

      468KB

    • MD5

      ba1f70e629bc3e70fba35036be583ce0

    • SHA1

      5777344c00bc8da674c3ec28bb4b3870a506dca8

    • SHA256

      31792fa6ebc508394aecbdec49f7df51b638478a9d86dc36b1b07bcd16c2e00e

    • SHA512

      3bfbe448c5d3709c2cf2c79bdc51e1b6b373a08992e830b682e3921bf51477334f8a2a14bd1961d5372837042f05d974fed73b2a10a89c4e30fe1af05444ffa8

    • SSDEEP

      3072:4belogxaIU57tbYZPzcfmbfD/n2DjsIH9QmyeQVqAf5+kOi3uxulE:4b4oCc7tCP4fmbfHa7wf5P13ux

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      virussign.com_bcab6f30045483fd648d1924aba88b00.vir

    • Size

      52KB

    • MD5

      bcab6f30045483fd648d1924aba88b00

    • SHA1

      e9bff6e0d6859df746a003132c25936832fc8072

    • SHA256

      ca5a471acdfaaa050e6a790b58543ebbdef104050ba16b0234405cb5382adef0

    • SHA512

      80b8c15e71f0081c133da08df052081d66ebe3121d730fb0fb590a2a900facc228b8f8639eaf07886757972b60665ebbdd8f8b408479005e7465cca9279043ef

    • SSDEEP

      1536:1xzQub4dB1O+FTpvLI/fBju0ofLsj/MAdKZ:vQZ5FTpDI/5mfLs/MRZ

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      virussign.com_bf4239be7de1ad8dddc78d1aff0d6090.vir

    • Size

      468KB

    • MD5

      bf4239be7de1ad8dddc78d1aff0d6090

    • SHA1

      87505e3bfa1893eeb43070969a288c3d83fcbae5

    • SHA256

      aafd95539aa218c88c493fdfd1ad05642fbe46c2f7896d35ed8173d133bc1e50

    • SHA512

      754da815b1baba9cecca5060007a7cd5a568af41b4aa8c2baace00d76820d183ca242c19c8f237ec1b86b4b9269d4f8999acd173823831f351c8518f875474d7

    • SSDEEP

      3072:vlnhogBkrq8Upb/qPz59XfoqfhK588XhmHexViz2gi4WC+NHalZ:vlhonTUp2P19XfmV702gLl+NH

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      virussign.com_c251643a9964695966b3f7a545401440.vir

    • Size

      468KB

    • MD5

      c251643a9964695966b3f7a545401440

    • SHA1

      932ae0dfb6049425a5d6a38f533afabf55907d03

    • SHA256

      d80bf5ab9b5db38e92d57e5899ffa68d64fbf7c06189194405392d0451f431f7

    • SHA512

      fd3cf249b12d6304fdd2e4ab5b8c9292b14348d79267deb1d639ebb75d6693a0f989212a4dc274ff72c0327e7993717a91d06ecf51563dbc6ff0ce2c723a7cdd

    • SSDEEP

      3072:loAoogIIgd5KtbY3Pztjcf8/GCfv43pnrjHeLT+a/NEKxD7U5pl+:lobo5bKtQPJjcfBZup/Nrl7U5

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      virussign.com_c3fa4d199e50171575cfa553fd205a10.vir

    • Size

      83KB

    • MD5

      c3fa4d199e50171575cfa553fd205a10

    • SHA1

      8bbb0225d1d81fc16ed74ebd010605d61d201e17

    • SHA256

      ae19e02b8b99b3ba9035ff2e990be900768a46c70fa48710a8c61cc878e186ea

    • SHA512

      97f4d61dc3631b68f403dffbf05239d30a7561a8ec322c442e32965dbe77257656b3c51a29a5c9658028070e88f2deb52105c569ae091dabf434e5d459d365e3

    • SSDEEP

      1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+jK:LJ0TAz6Mte4A+aaZx8EnCGVuj

    Score
    5/10
    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX build.

    • Target

      virussign.com_c527d92958bc1247a6471765e5449c60.vir

    • Size

      2.6MB

    • MD5

      c527d92958bc1247a6471765e5449c60

    • SHA1

      84fba87a0998698d3b6040dcfb83667a3eb2109b

    • SHA256

      e9b4211e90f2c15e783c73a5998e3284b75b4afe70dae956e6dab0eb17732125

    • SHA512

      1fdcac718581fa8fbdf15b3d3cdb0c2cf06f6a9a56facab47cf1841578264a1a6014cc51c07488939005852a569ae8c4c45b61b54e0b99d4d1f0bc78c1daa8da

    • SSDEEP

      49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSq:sxX7QnxrloE5dpUpUbV

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Target

      virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.vir

    • Size

      1024KB

    • MD5

      c7d033cce29ec681f70bfb5f2ec867c0

    • SHA1

      91b13955ad9e9c77d8310f10ab92146ad09525b3

    • SHA256

      34157d74d915d474a6c888fc9de5441d0b08e39b5a24eda20988139100ad7703

    • SHA512

      7c623a430ec44501d190a298fbe5f2d8e90245e5549fe6d7d89f6d8d75f3200b19d0793c4a7ca286c68d3fe234d88068b6ee32f21a63f9e6e667e3cf48e159e3

    • SSDEEP

      24576:fym0BmmvFimm0Xcr6VDsEqacjgqANXcolMZ5nNxvM0oL8v8WQ:eiTWVDBzcjgBNXcolMZ5nNxvM0oLoQ

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      virussign.com_ca6b0e41f6273b8c6a022729b7a7efd0.vir

    • Size

      54KB

    • MD5

      ca6b0e41f6273b8c6a022729b7a7efd0

    • SHA1

      5e0d21098a203223ee7572808364085cba6bcd5d

    • SHA256

      993b235bdbbc30ac6f56f1f38c8193d9bf510dbb2f35379dea5f02dae33908ce

    • SHA512

      2b04e49c6ef1fd2e206a660b285abf953c4675aaaccf7a1d972063cb88eb40eff30484efc9d57ca73e91b5ee04c29d9a1c7549bb7d061f7861005c53ff3c2dca

    • SSDEEP

      1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhIN:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYVb

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      virussign.com_ccf2dfc7e36c604f207bf823231b57b0.vir

    • Size

      90KB

    • MD5

      ccf2dfc7e36c604f207bf823231b57b0

    • SHA1

      764fd98b97131b972ef6e117b7bf829c0fb9e2e8

    • SHA256

      aba02a27aed406ac007c2006a0429c197299fe7cfb1be22abc2ce69478986267

    • SHA512

      2da0316deee82434c2b7bac9326ee77b64ff7c4f1fd9c64790b6733398dd597c1a12ddfb2d6843e2cdbc8c38f451a1c2c0c5bab91b1266dd073bd0ae2bc3611a

    • SSDEEP

      1536:82PzLifjNdvaZS7BoTtdUhi5ort73O34NkGTXDfOOQ/4BrGTI5Yxj:DbgNdvaZSKaiOrt7+AT7U/4kT0Yxj

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      virussign.com_cf449b9fd99f5da93cbb91c84e64e710.vir

    • Size

      7KB

    • MD5

      cf449b9fd99f5da93cbb91c84e64e710

    • SHA1

      3cdef0031a939b31cb4b9a6ad1bf9ca88a155751

    • SHA256

      087300bc42aa885c126aa1771a2f80691399efae7543a8f493f5059548163957

    • SHA512

      24bbe2217b79f6e920d75ca986bce35c9daad0558205324f6470292629ac3431a2f2f0a85567bd87d022ac00625dac1d2e46e004fd2a8e9e4403e3e53073705f

    • SSDEEP

      96:Ge32tdsBxRlRIWb9pXc1eG6PcGma1JIwIdzwzc:GjdsXyWb9pkeG7yJIwczw

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      virussign.com_d2157a5e0405795aa865f9264e231ee0.vir

    • Size

      468KB

    • MD5

      d2157a5e0405795aa865f9264e231ee0

    • SHA1

      edaf7c0ec10f3772b0b505ef68b39ab2c4c4e845

    • SHA256

      8c1ca0e54f6fe46c514ed01eb31308e9272d796fbf78007278bc5e617096aa2f

    • SHA512

      9551cfecec41cbd0973a9ed5d5cb41f0cf2f36ae5f0364c3aea0924ad81097fc236bacc5c5def4cf3bc10cac8a427bcf1c22021d9866a030b265dc3faefa5d09

    • SSDEEP

      3072:McG1ogIOhd5UEbYVPvtNcf8+nynzwgpwTmHeKftKraa88Rgu9Alb:McwoybUE2PFNcfDcenraL4gu9

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      virussign.com_d4dd384ae38fed77098536c5b075c320.vir

    • Size

      2.6MB

    • MD5

      d4dd384ae38fed77098536c5b075c320

    • SHA1

      ed8690d654532965db51c6145dab0c7454284a7b

    • SHA256

      687a990253af6ef1eb5a4d36b657237874f0dbafa795e2d74b7ca6ea5bd56ac9

    • SHA512

      353e67dfac140206f4d97f38d66fe6dab74dfca0734cf63117dc02beb81f0906860907ac6113b5fe6c7f20d77a9d4a0977f3f4d71d09f69efe531492513a91d4

    • SSDEEP

      49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpgbV

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Target

      virussign.com_d7c1eea17ae01e04b622ede80b6732c0.vir

    • Size

      468KB

    • MD5

      d7c1eea17ae01e04b622ede80b6732c0

    • SHA1

      4f693d86d4b77962bf66dbe56f3cc77d18e0c158

    • SHA256

      039b6823caa5f077f5c48a0d76e51d9301739f709b6d13cd65428928fab925be

    • SHA512

      e44d9d1202fb862b0e63de37bff3d4cb263d9d3b41048e1c0d74c67052c1522354242aba45c06d9606e9945b7606ed4bdf4b29880765e8ae382dbbe9a4237fd1

    • SSDEEP

      3072:FsokogIDIEB5tCI+PKwjbfD/ECL6ICpD2mHeu2iREZc5i6qY/7lv:FsHoe05tOPHjbf7KccEZgpqY/

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL
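Three behaviours recur across the targets above: "Adds Run key to start application", "Adds autorun key to be loaded by Explorer.exe on startup" (the Berbew samples) and "Drops file in System32 directory". The following added example, which is not part of the report, shows how those signatures translate into endpoint detection logic over Sysmon-style telemetry, scoring per process so that a Run key written by an installer ranks below a Run key pointing into a user profile, and both rank below an Explorer-loaded autorun key combined with a System32 drop from a non-Windows image. EVENTS is constructed (EventID 13 registry value set and EventID 11 file create records with invented paths, SIDs, GUIDs and file names). Treating ShellServiceObjectDelayLoad and Winlogon\Shell as the keys behind "loaded by Explorer.exe on startup" is an assumption about what that sandbox signature checks; the report itself does not name the key.

```python
"""Flag the persistence and drop behaviours listed in the report above (Run
key writes, autorun keys loaded by Explorer, files created in System32) in
Sysmon-style telemetry and score them per process.
Added example, not part of the report. EVENTS is constructed: Sysmon-like
EventID 13 (registry value set) and EventID 11 (file create) records with
invented paths, SIDs, GUIDs and names. Treating ShellServiceObjectDelayLoad
and Winlogon\\Shell as the "loaded by Explorer.exe" keys is an assumption
about what that sandbox signature checks; the report does not name the key."""
import re
from collections import defaultdict

BERBEW_IMG = "C:\\Users\\victim\\AppData\\Local\\Temp\\c7d033cce2.exe"
STEALER_IMG = "C:\\Users\\victim\\Downloads\\d4dd384a.exe"
SETUP_IMG = "C:\\Program Files\\Vendor\\setup.exe"
MSIEXEC_IMG = "C:\\Windows\\System32\\msiexec.exe"

EVENTS = [
    {"EventID": 11, "Image": BERBEW_IMG,
     "TargetFilename": "C:\\Windows\\System32\\Hjfkdoe.exe"},
    {"EventID": 13, "Image": BERBEW_IMG,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                     "\\ShellServiceObjectDelayLoad\\Web Event Logger",
     "Details": "{79FEACFF-FFCE-815E-A900-316290B5B738}"},
    {"EventID": 13, "Image": STEALER_IMG,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "\"C:\\Users\\victim\\AppData\\Roaming\\Updater\\updater.exe\""},
    {"EventID": 13, "Image": SETUP_IMG,   # benign installer registering a tray app
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "C:\\Program Files\\Vendor\\tray.exe"},
    {"EventID": 11, "Image": MSIEXEC_IMG,  # Windows-resident installer writing System32
     "TargetFilename": "C:\\Windows\\System32\\drivers\\vendor.sys"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
EXPLORER_AUTORUN = re.compile(r"\\(ShellServiceObjectDelayLoad|Winlogon\\Shell)\b", re.I)
WEIGHTS = {
    "explorer_autorun_key": 5,             # rarely touched by legitimate software
    "run_key": 3,                          # common, so weak on its own
    "autorun_target_in_user_profile": 2,   # Run value pointing into C:\Users\...
    "system32_drop_from_non_windows_image": 4,
}


def _under(path, prefix):
    return path.lower().startswith(prefix.lower())


def classify(event):
    """Return the rule names one event triggers (empty list for benign)."""
    hits = []
    if event["EventID"] == 13:
        target = event["TargetObject"]
        if EXPLORER_AUTORUN.search(target):
            hits.append("explorer_autorun_key")
        elif RUN_KEY.search(target):
            hits.append("run_key")
            # Run values are often written with surrounding quotes; strip before matching.
            if _under(event.get("Details", "").strip('"'), "C:\\Users\\"):
                hits.append("autorun_target_in_user_profile")
    elif event["EventID"] == 11:
        if _under(event["TargetFilename"], "C:\\Windows\\System32\\") \
                and not _under(event["Image"], "C:\\Windows\\"):
            hits.append("system32_drop_from_non_windows_image")
    return hits


def triage(events):
    """Aggregate hits per process image; the score is the sum of rule weights."""
    per_image = defaultdict(set)
    for ev in events:
        per_image[ev["Image"]].update(classify(ev))
    return {img: {"hits": sorted(h), "score": sum(WEIGHTS[x] for x in h)}
            for img, h in per_image.items() if h}
```

The per-image aggregation is the point: a single Run key write is noise on most fleets, but the same image writing a Run key and dropping into System32, or touching ShellServiceObjectDelayLoad at all, is the combination the Berbew and stealer targets above exhibit and is worth an alert. The System32 rule deliberately exempts images already running from C:\Windows\ so that msiexec.exe and servicing do not trip it; an attacker who first copies into System32 and re-executes from there (as the "Executes dropped EXE" line suggests) is caught by the drop event, not by the later writes.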

MITRE ATT&CK Enterprise v15

Tasks

static1
  tags: pdf, link, zima, miner, upx, redline, xmrig
  score: 10/10

behavioral1
  tags: berbew, backdoor, discovery, persistence
  score: 10/10

behavioral2
  tags: berbew, backdoor, discovery, persistence
  score: 10/10

behavioral3
  tags: discovery
  score: 7/10

behavioral4
  tags: discovery
  score: 7/10

behavioral5
  tags: discovery, persistence, spyware, stealer
  score: 7/10

behavioral6
  tags: discovery, persistence, spyware, stealer
  score: 7/10

behavioral7
  tags: discovery
  score: 7/10

behavioral8
  tags: discovery
  score: 7/10

behavioral9
  tags: berbew, backdoor, discovery, persistence
  score: 10/10

behavioral10
  tags: berbew, backdoor, discovery, persistence
  score: 10/10

behavioral11
  tags: discovery
  score: 7/10

behavioral12
  tags: discovery
  score: 7/10

behavioral13
  tags: discovery
  score: 7/10

behavioral14
  tags: discovery
  score: 7/10

behavioral15
  tags: discovery, upx
  score: 5/10

behavioral16
  tags: discovery, upx
  score: 5/10

behavioral17
  tags: discovery, persistence, spyware, stealer
  score: 7/10

behavioral18
  tags: discovery, persistence, spyware, stealer
  score: 7/10

behavioral19
  tags: berbew, backdoor, discovery, persistence
  score: 10/10

behavioral20
  tags: berbew, backdoor, discovery, persistence
  score: 10/10

behavioral21
  tags: discovery, persistence
  score: 7/10

behavioral22
  tags: discovery, persistence
  score: 7/10

behavioral23
  tags: berbew, backdoor, discovery, persistence
  score: 10/10

behavioral24
  tags: berbew, backdoor, discovery, persistence
  score: 10/10

behavioral25
  tags: discovery, persistence
  score: 7/10

behavioral26
  tags: discovery
  score: 7/10

behavioral27
  tags: discovery
  score: 7/10

behavioral28
  tags: discovery
  score: 7/10

behavioral29
  tags: discovery, persistence, spyware, stealer
  score: 7/10

behavioral30
  tags: discovery, persistence, spyware, stealer
  score: 7/10

behavioral31
  tags: discovery
  score: 7/10

behavioral32
  tags: discovery
  score: 7/10