Target | Sun038aa349e3318e.exe |
Size | 172KB |
Analysis ID | 211031-y4wmdagdc7 |
MD5 | 24766cc32519b05db878cf9108faeec4 |
SHA1 | c553780cb609ec91212bcdd25d25dde9c8ef5016 |
SHA256 | d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530 |
SHA512 | 5b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3 |
Extracted
Family | xloader |
Version | 2.5 |
Campaign | s0iw |
C2 |
http://www.kyiejenner.com/s0iw/ |
Decoy |
ortopediamodelo.com orimshirts.store universecatholicweekly.info yvettechan.com sersaudavelsempre.online face-booking.net europeanretailgroup.com umofan.com roemahbajumuslim.online joyrosecuisine.net 3dmaker.house megdb.xyz stereoshopie.info gv5rm.com tdc-trust.com mcglobal.club choral.works onlineconsultantgroup.com friscopaintandbody.com midwestii.com weespiel.com babyshell.be gwynora.com talkthered.com f-punk.com frankmatlock.com clique-solicite.net clientloyaltysystem.com worldbyduco.com kampfsport-erfurt.com adndpanel.xyz rocknfamily.net ambr-creative.com wwwks8829.com thuexegiarehcmgoviet.com brentmurrell.art wolf-yachts.com tenpobiz.com binnamall.com crestamarti.quest terry-hitchcock.com ocreverseteam.com taxwarehouse2.xyz megawholesalesystem.com epstein-advisory.com enewlaunches.com iphone13.community pianostands.com newspaper.clinic alamdave.com |
Extracted
Family | redline |
C2 |
45.9.20.149:10844 |
Extracted
Family | redline |
Botnet | dfd3 |
C2 |
91.206.14.151:16764 |
Extracted
Family | vidar |
Version | 41.6 |
Botnet | 937 |
C2 |
https://mas.to/@lilocc |
Attributes |
profile_id 937 |
Extracted
Family | vidar |
Version | 41.6 |
Botnet | 921 |
C2 |
https://mas.to/@lilocc |
Attributes |
profile_id 921 |
Extracted
Family | raccoon |
Botnet | 8dec62c1db2959619dca43e02fa46ad7bd606400 |
Attributes |
url4cnc | http://telegin.top/capibar http://ttmirror.top/capibar http://teletele.top/capibar http://telegalive.top/capibar http://toptelete.top/capibar http://telegraf.top/capibar https://t.me/capibar |
rc4.plain | |
rc4.plain | |
Signatures
- Modifies Windows Defender Real-time Protection settings
- Raccoon: Simple but powerful infostealer which was very active in 2019.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- Vidar: Vidar is an infostealer based on Arkei stealer.
- Xloader: Xloader is a rebranded version of Formbook malware.
- Nirsoft
- Vidar Stealer
- Xloader Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Themida packer: Detects Themida, an advanced Windows software protection system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.