Sample: Thu18b818b5afea12f2.exe

| Field | Value |
| --- | --- |
| Filename | Thu18b818b5afea12f2.exe |
| Size | 729KB |
| Analysis ID | 211104-zrp5hahfd6 |
| MD5 | 93147832f4525e82c2689696eb7181a3 |
| SHA1 | 117e20a1c49a747790926aed5aa5df3fddf53176 |
| SHA256 | d2b9dc534706dae318f52ff894176f2cf187b5d71d53e24f9ad9ef74efac06dc |
| SHA512 | 47a44831f228fbe99466faa9345872e6fafcab27a6f8536410c440266357dbdceff8fc6cecc2445635281882139b3e6a5396a1c3a42f5e4958b159a466ec1adc |
Extracted configurations

| Key | Value |
| --- | --- |
| Family | socelars |
| C2 | http://www.hhgenice.top/ |

| Key | Value |
| --- | --- |
| Family | redline |
| C2 | 138.197.79.250:11642 |

| Key | Value |
| --- | --- |
| Family | redline |
| Botnet | udptest |
| C2 | 193.56.146.64:65441 |

| Key | Value |
| --- | --- |
| Family | redline |
| Botnet | albert1488 |
| C2 | 138.124.186.108:11542 |

| Key | Value |
| --- | --- |
| Family | vidar |
| Version | 47.9 |
| Botnet | 937 |
| C2 | https://mas.to/@kirpich |
| Attributes | profile_id 937 |

| Key | Value |
| --- | --- |
| Family | smokeloader |
| Version | 2020 |
| C2 | http://misha.at/upload/ |
| | http://roohaniinfra.com/upload/ |
| | http://0axqpcc.cn/upload/ |
| | http://mayak-lombard.ru/upload/ |
| | http://mebel-lass.ru/upload/ |
| | http://dishakhan.com/upload/ |
| rc4.i32 | |

| Key | Value |
| --- | --- |
| Family | raccoon |
| Botnet | 8dec62c1db2959619dca43e02fa46ad7bd606400 |
| Attributes | url4cnc |
| | http://telegin.top/capibar |
| | http://ttmirror.top/capibar |
| | http://teletele.top/capibar |
| | http://telegalive.top/capibar |
| | http://toptelete.top/capibar |
| | http://telegraf.top/capibar |
| | https://t.me/capibar |
| rc4.plain | |
Signatures

- Modifies Windows Defender Real-time Protection settings
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon: Simple but powerful infostealer which was very active in 2019.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- Vidar: Vidar is an infostealer based on Arkei stealer.
- rl_trojan: RedLine stealer.
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Themida packer: Detects Themida, an advanced Windows software protection system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.