59716B314BA0D53B7E8DE32A73AF01B7B383834BF038C.exe

General
Target

59716B314BA0D53B7E8DE32A73AF01B7B383834BF038C.exe

Size

7MB

Sample

211114-qv8xcagdg5

Score
10 /10
MD5

d1448a7cd7fcf240c520f3838fe18976

SHA1

9c48ef300ab266e6c1d6d05e3baa5247b8eb2ecb

SHA256

59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280

SHA512

61e21e57c90e8b605a8dd7df4fc65bf9d55840d953facf7ce738f311d4f10decb5c08e1e849205190d3f11148be2af835688152f95c0765fea17fe1e805f05e5

Malware Config

Extracted

Family socelars
C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family smokeloader
Version 2020
C2

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/

rc4.i32
rc4.i32

Extracted

Family redline
Botnet jamesoldd
C2

65.108.20.195:6774

Extracted

Family redline
Botnet ANI
C2

45.142.215.47:27643

Extracted

Family vidar
Version 48.4
Botnet 937
C2

https://koyu.space/@qmashton

Attributes
profile_id
937
Targets
Target

59716B314BA0D53B7E8DE32A73AF01B7B383834BF038C.exe

MD5

d1448a7cd7fcf240c520f3838fe18976

Filesize

7MB

Score
10/10
SHA1

9c48ef300ab266e6c1d6d05e3baa5247b8eb2ecb

SHA256

59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280

SHA512

61e21e57c90e8b605a8dd7df4fc65bf9d55840d953facf7ce738f311d4f10decb5c08e1e849205190d3f11148be2af835688152f95c0765fea17fe1e805f05e5

Tags

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Description

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation