McMcbrad (Level 20) - Oct 16, 2020
I was browsing several dark, wrongly labelled as “ethic” forums and hackers seem to consider every credentials stealer a RAT. It’s possible they named it IceRat, when in reality it’s a downloader and installs backdoor/info-stealer. They may be just lost in translation or just couldn’t be bothered maintaining a classification of what they offer.
Update: I’ve just seen the 1.exe...
@struppigel I’ve pointed you to an ocean of malware
I believe I saw in the forum somewhere that you work @ GData (if I didn’t read something wrong). If you keep browsing these domains, GData will have to develop streaming updates functionality to release all detections that will be coming
Again we can see malware with fairly old creation dates, detected by no more than 5 AVs...
BTW this is also downloaded by klient.exe, which I executed in Sandboxie.
This looks like a variant of ClipBanker and also another version of klip.exe.
However, this klip.exe is not the klip.exe we were originally on. This is the first historical version I discovered (Aug 2019), located here:
http://invalid666.zzz.com.ua/klip.exe - Interactive analysis - ANY.RUN
klip_old.bin.exe - Hybrid Analysis (Falcon Sandbox)
MD5: 05268896B3233F1B25702480DA337852
SHA-256: 793b19c7f819d8770af7338e79d3067d028d2179667d92249a2d0c68d8641e2d
There is another instance of RealtekSb.exe (VirusTotal; ANY.RUN: RealtekSb.exe, MD5: c94ebcabd3353bc7737407202e58a365), saved in "C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe".
Metadata:
Company: Microsoft Corporation
Description: Windows Logon Application (Looks like spoofing winlogon is a common thing, as klip.exe downloads winlogin.exe. The usage of login instead of logon brings 1 less indicator to behavioural blockers that this file is malware)
Version: 10.0.18362.418 (WinBuild.160101.0800)
Creation Time: 2019-11-19 19:43:02 (NEWER VERSION)
First Submission: 2019-11-25 18:01:13
Last Submission: 2020-01-07 12:07:20
Last Analysis: 2020-08-26 20:31:19
There is another RealtekSb.exe dropper here (VirusTotal; ANY.RUN: http://51.255.203.164/Media_Virement/f11963eda9f219cc00cb5a7d201e7d19fbc3d341.exe), MD5: 82055391ce934d24fad1829cfd823488, saved in "C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe".
Creation Time: 2019-04-05 19:15:25 (OLD VERSION)
First Submission: 2020-01-01 02:07:10
Last Submission: 2020-01-01 02:07:10
Last Analysis: 2020-01-09 05:41:44
Third version can be seen here: https://www.joesandbox.com/analysis/299402/0/html (MD5: F7958823D5A3C0A2DF7974ADDE4028D0)
Creation Time: 2019-09-16 23:26:01 (Created in between the other 2 versions)
Signature Date: 2020-07-25 02:59:00
First Submission: 2020-06-25 16:02:22 (Discovered a lot later)
Last Submission: 2020-06-25 16:02:22
Last Analysis: 2020-07-25 00:26:44
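One way to turn the metadata observation above into a triage check, as an added example that is not from the post: flag a binary whose version info claims Microsoft Corporation while it lives outside a Windows system directory, whose description says "Windows Logon Application" under a different file name, or whose name is a near-miss of a real system binary (winlogin vs winlogon). The records below are constructed from the paths and version-info fields quoted in the post, and the short allow-list of system binaries is a hypothetical stand-in for a full one.

```python
import ntpath

# Constructed sample records modelled on the metadata and paths quoted in the
# post (version-info Company/Description plus on-disk path); not real telemetry.
SAMPLES = [
    {"path": r"C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe",
     "company": "Microsoft Corporation", "description": "Windows Logon Application"},
    {"path": r"C:\Users\admin\AppData\Local\Temp\winlogin.exe",
     "company": "Microsoft Corporation", "description": "Windows Logon Application"},
    {"path": r"C:\Windows\System32\winlogon.exe",
     "company": "Microsoft Corporation", "description": "Windows Logon Application"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Hypothetical short allow-list; a real check would use the full set of OS binaries.
KNOWN_SYSTEM_BINARIES = ("winlogon.exe", "svchost.exe", "lsass.exe", "explorer.exe")


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names such as winlogin.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the system binary this file name imitates (distance <= 2), else None."""
    name = name.lower()
    for known in KNOWN_SYSTEM_BINARIES:
        if name != known and edit_distance(name, known) <= 2:
            return known
    return None


def assess(rec):
    """Return the reasons this record looks like spoofed Microsoft metadata."""
    path = rec["path"].lower()
    name = ntpath.basename(path)  # ntpath splits on backslashes on any host OS
    reasons = []
    if "microsoft" in rec["company"].lower() and not path.startswith(SYSTEM_DIRS):
        reasons.append("claims Microsoft Corporation but lives outside a Windows system directory")
    if "logon application" in rec["description"].lower() and name != "winlogon.exe":
        reasons.append(f"describes itself as Windows Logon Application but is named {name}")
    known = lookalike(name)
    if known:
        reasons.append(f"file name {name} is a near-miss of {known}")
    return reasons
```

Run `assess` over each record; the two AppData samples raise reasons and the genuine System32 winlogon.exe raises none.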
Related to Raccoon Stealer
IP analyses: VirusTotal
Again linked to AZORult
And contacting one more IP: VirusTotal
The analysed sample VVV.exe VirusTotal
contacts various servers in UA (surprise, surprise, US and NL again)
hxxp://ygdomain.xyz/ is one of the URLs which is an active malware repository.
It hosts, amongst others, the winrings0x64 driver as well as xmrig_cuda.dll, which is probably a hardware accelerator for coinminers.
hxxp://1a3c1a2b.xyz/ hosts the same content.
The offending IP address behind the second one, 51.255.203.164, was involved in coinmining malware.
I am sure they are related. URLhaus | 51.255.203.164 VirusTotal
Upon relationship inspection I saw this:
I’ve been analysing relations since morning today and I just keep seeing myfile.exe, and bild.exe, so I became suspicious and decided to check them out.
bild.exe has been distributed by several other IPs/domains:
31.204.154.75 VirusTotal
95.81.0.83 VirusTotal
Analysing relations of myfile.exe MD5: e05680e8f026f7effaafc7844961f666 VirusTotal
bild.exe appears again:
I found a historical version, abusing WMI, here: bild.exe (MD5: 6C8B8901F21D071914807F9B551C6818) - Interactive analysis - ANY.RUN
It's ransomware VirusTotal
ID Ransomware - Identify What Ransomware Encrypted Your Files - Page 58 - Ransomware Help & Tech Support (www.bleepingcomputer.com)
User says: "Browsing thru the machine and can't find anything but found a file called bild.exe that exists on all folders containing encrypted files."
There is another version here, loader dropping update.exe, which can also be seen in relations above: bild.exe (MD5: 55E4CBAD055F48E5705B3C97D18FF2D6) - Interactive analysis - ANY.RUN | VirusTotal
One more version here: Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'bild.exe'
#Bild.exe is a very common and rather specific name. It seems to have a typo, just like browes.exe (instead of browse.exe or browser.exe).
Contacted/resolved IPs: VirusTotal <--- 31.204.154.75 (Netherlands)
In an earlier post today, I mentioned 37.48.72.4 (Netherlands), which distributed a sample klipper.exe (http://giftm.zzz.com.ua/klipper.exe) as early as 2018.
myfile.exe appears again. It is a version of baldr stealer and the original file name is baldr.exe. Same group distributing klip.exe has distributed baldr stealer. They've also distributed GoGoogle Ransomware.
Baldr.exe (MD5: 1E51951D7E2D3115CA7F62C6D5530ED1) - Interactive analysis - ANY.RUN