Sun038db98f99bf9a.exe
Filename | Sun038db98f99bf9a.exe |
Size | 172KB |
Analysis ID | 211031-y4wblsgdc5 |
MD5 | 7c3cf9ce3ffb1e5dd48896fdc9080bab |
SHA1 | 34b4976f8f83c1e0a9d277d2a103a61616178728 |
SHA256 | b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83 |
SHA512 | 52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473 |
Extracted
Family | xloader |
Version | 2.5 |
Campaign | s0iw |
C2 | http://www.kyiejenner.com/s0iw/ |
Decoy | ortopediamodelo.com orimshirts.store universecatholicweekly.info yvettechan.com sersaudavelsempre.online face-booking.net europeanretailgroup.com umofan.com roemahbajumuslim.online joyrosecuisine.net 3dmaker.house megdb.xyz stereoshopie.info gv5rm.com tdc-trust.com mcglobal.club choral.works onlineconsultantgroup.com friscopaintandbody.com midwestii.com weespiel.com babyshell.be gwynora.com talkthered.com f-punk.com frankmatlock.com clique-solicite.net clientloyaltysystem.com worldbyduco.com kampfsport-erfurt.com adndpanel.xyz rocknfamily.net ambr-creative.com wwwks8829.com thuexegiarehcmgoviet.com brentmurrell.art wolf-yachts.com tenpobiz.com binnamall.com crestamarti.quest terry-hitchcock.com ocreverseteam.com taxwarehouse2.xyz megawholesalesystem.com epstein-advisory.com enewlaunches.com iphone13.community pianostands.com newspaper.clinic alamdave.com |
Extracted
Family | raccoon |
Botnet | 8dec62c1db2959619dca43e02fa46ad7bd606400 |
Attributes | url4cnc http://telegin.top/capibar http://ttmirror.top/capibar http://teletele.top/capibar http://telegalive.top/capibar http://toptelete.top/capibar http://telegraf.top/capibar https://t.me/capibar |
rc4.plain | |
rc4.plain | |
Extracted
Family | vidar |
Version | 41.6 |
Botnet | 937 |
C2 | https://mas.to/@lilocc |
Attributes | profile_id 937 |
Extracted
Family | smokeloader |
Version | 2020 |
C2 | http://brandyjaggers.com/upload/ http://andbal.com/upload/ http://alotofquotes.com/upload/ http://szpnc.cn/upload/ http://uggeboots.com/upload/ http://100klv.com/upload/ http://rapmusic.at/upload/ |
rc4.i32 | |
rc4.i32 | |
Signatures
- Modifies Windows Defender Real-time Protection settings
- Process spawned unexpected child process
  Description: This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Description: Simple but powerful infostealer which was very active in 2019.
- SmokeLoader
  Description: Modular backdoor trojan in use since 2014.
- Socelars
  Description: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Description: Vidar is an infostealer based on Arkei stealer.
- Xloader
  Description: Xloader is a rebranded version of Formbook malware.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Xloader Payload
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
  Description: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Description: Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Description: Infostealers often target stored browser data, which can include saved credentials etc.
- Themida packer
  Description: Detects Themida, an advanced Windows software protection system.
- Accesses 2FA software files, possible credential harvesting
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Description: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext