General

  • Target

    password_is_7364857387____sketchup-pro-20.zip

  • Size

    10.5MB

  • Sample

    211125-1t62gaghhp

  • MD5

    c0a29eed1efa12f97b9019720e43fa19

  • SHA1

    3bfad68c32d0b43c157d68eee466ffaa2405c87b

  • SHA256

    2fa123bb89814a5aee72cac76db7c3e5c390708ea7334a002d806af1349ee192

  • SHA512

    46dfb833a04f2f722210022a32f6f3590b7e35b72f0d4aed95d55389b8db865414ca5f2b14331deb87ee9006f8bd915a49dbe4008b05cc2b0c3ec29ead0a8862

Malware Config

Extracted

Family

socelars

C2

http://www.ecgbg.com/

Extracted

Family

redline

Botnet

media25p

C2

65.108.69.168:16278

Extracted

Family

redline

Botnet

user01new

C2

49.12.219.50:4846
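The configuration above gives three network indicators (one Socelars C2 URL and two RedLine C2 sockets, each tied to a botnet id) plus the file hashes in the General and Targets sections. The following is an added example, not part of the sandbox report, showing how those indicators can be checked against log lines. The log layout, the constructed sample lines and the function names (parse_line, match_record, scan_logs) are assumptions for illustration; the IP-lookup line is constructed to show that a legitimate lookup service, which the report lists as a behaviour, is not an indicator by itself.

```python
"""Added example, not part of the sandbox report: check the report's C2 and
file indicators against log lines.  The log layout and the function names
are assumptions for illustration."""
import re
from urllib.parse import urlparse

# Indicators copied from the Malware Config and General/Targets sections above.
SOCELARS_C2_HOSTS = {"www.ecgbg.com"}
REDLINE_C2_SOCKETS = {                 # (ip, port) -> botnet id
    ("65.108.69.168", 16278): "media25p",
    ("49.12.219.50", 4846): "user01new",
}
REDLINE_C2_IPS = {ip for ip, _ in REDLINE_C2_SOCKETS}
SAMPLE_SHA256 = {                      # sha256 -> file name from the report
    "2fa123bb89814a5aee72cac76db7c3e5c390708ea7334a002d806af1349ee192":
        "password_is_7364857387____sketchup-pro-20.zip",
    "25f17e53e15c109c0c329c3f51ce2256357b549044409007f5c7e858edcf0d28":
        "setup_x86_x64_install.exe",
}

# Constructed log lines in an assumed "<ts> <source> <src_ip> ..." layout:
#   fw    <dst_ip> <dst_port> <proto> <action>
#   proxy <method> <url>
#   edr   file <path-without-spaces> sha256=<hex>
SAMPLE_LOGS = """\
2021-11-25T10:01:02Z fw 10.0.0.12 65.108.69.168 16278 tcp allow
2021-11-25T10:01:05Z proxy 10.0.0.12 GET http://www.ecgbg.com/
2021-11-25T10:01:06Z proxy 10.0.0.12 GET https://api.ipify.org/
2021-11-25T10:01:09Z fw 10.0.0.12 93.184.216.34 443 tcp allow
2021-11-25T10:01:40Z fw 10.0.0.12 49.12.219.50 443 tcp allow
2021-11-25T10:02:00Z edr 10.0.0.12 file C:\\Users\\a\\Downloads\\setup_x86_x64_install.exe sha256=25f17e53e15c109c0c329c3f51ce2256357b549044409007f5c7e858edcf0d28
2021-11-25T10:02:30Z edr 10.0.0.12 file C:\\Windows\\System32\\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_line(line):
    """Turn one log line into a dict, or None for lines we do not understand."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts, source, src_ip = parts[:3]
    if source == "fw" and len(parts) >= 5:
        return {"type": "fw", "ts": ts, "src": src_ip,
                "dst": parts[3], "dport": int(parts[4])}
    if source == "proxy" and len(parts) >= 5:
        return {"type": "proxy", "ts": ts, "src": src_ip, "url": parts[4]}
    if source == "edr" and len(parts) >= 5:
        m = re.search(r"sha256=([0-9a-f]{64})\b", line)
        return {"type": "edr", "ts": ts, "src": src_ip,
                "path": parts[4], "sha256": m.group(1) if m else None}
    return None


def match_record(rec):
    """Return (confidence, family, detail) for a hit, or None."""
    if rec["type"] == "fw":
        sock = (rec["dst"], rec["dport"])
        if sock in REDLINE_C2_SOCKETS:            # exact ip:port from the config
            return ("high", "redline",
                    f"C2 {rec['dst']}:{rec['dport']} botnet {REDLINE_C2_SOCKETS[sock]}")
        if rec["dst"] in REDLINE_C2_IPS:          # same host, different port
            return ("medium", "redline",
                    f"C2 host {rec['dst']} on unlisted port {rec['dport']}")
    elif rec["type"] == "proxy":
        host = urlparse(rec["url"]).hostname
        if host in SOCELARS_C2_HOSTS:
            return ("high", "socelars", f"C2 host {host}")
    elif rec["type"] == "edr":
        if rec["sha256"] in SAMPLE_SHA256:
            return ("high", "dropper",
                    f"known sample {SAMPLE_SHA256[rec['sha256']]} at {rec['path']}")
    return None


def scan_logs(text):
    """Return [(line_no, src_ip, confidence, family, detail)] for every hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hit = match_record(rec)
        if hit:
            hits.append((n, rec["src"], *hit))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Hash matches only ever catch this exact sample, and stealer C2 sockets rotate, so the ip:port pairs age quickly; the medium-confidence match on the bare IP is there so a port change on the same host still surfaces for review rather than silently missing.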

Targets

    • Target

      setup_x86_x64_install.exe

    • Size

      10.5MB

    • MD5

      7dbcda13214a7877ddd5e58fdec24aed

    • SHA1

      8feba771d98a710e47f3450cb2c7717c2de86fbe

    • SHA256

      25f17e53e15c109c0c329c3f51ce2256357b549044409007f5c7e858edcf0d28

    • SHA512

      78debe045bb8b138946e58a277e45d6c1ec838291935dccd3a3264e467bf81c6aa204bf37dab80296cb8fea22360e723228e2bfa7dae19a128f373ccd0ebee24

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information (for example the SystemBiosVersion and VideoBiosVersion values under HKLM\HARDWARE\DESCRIPTION\System) is often read in order to detect sandbox or virtual machine environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate the software installed on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext
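Several of the behaviours listed above (Adds Run key to start application, Modifies Windows Firewall, Executes dropped EXE) leave traces in ordinary host telemetry. The following is an added example, not part of the sandbox report, that flags those three behaviours in a constructed set of Sysmon-style events. The event shape, the sample events, the user-writable path list and the function names (check_event, scan_events) are assumptions for illustration; the report does not say which mechanism the sample uses to change the firewall, so both the netsh command line and the FirewallPolicy registry key are checked as commonly seen options.

```python
"""Added example, not part of the sandbox report: flag Run-key persistence,
Windows Firewall modification and execution of a dropped EXE in reduced
Sysmon-style events.  Event shape and sample data are constructed."""
import re

# Constructed events: EventID 1 = process create, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\a\Downloads\setup_x86_x64_install.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\a\Downloads\setup_x86_x64_install.exe"'},
    {"EventID": 1, "Image": r"C:\Users\a\AppData\Local\Temp\drop.exe",
     "ParentImage": r"C:\Users\a\Downloads\setup_x86_x64_install.exe",
     "CommandLine": r"drop.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\a\AppData\Local\Temp\drop.exe",
     "CommandLine": r"netsh advfirewall firewall add rule name=upd dir=in "
                    r"action=allow program=C:\Users\a\AppData\Local\Temp\drop.exe"},
    {"EventID": 13, "Image": r"C:\Users\a\AppData\Local\Temp\drop.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": r"C:\Users\a\AppData\Roaming\upd\upd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\vendor.exe"},
]

# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
FIREWALL_POLICY = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)


def user_writable(path):
    """True when the path sits under a user-writable directory."""
    return bool(USER_WRITABLE.search(path or ""))


def check_event(ev):
    """Return the list of behaviour names one event triggers (may be empty)."""
    hits = []
    if ev["EventID"] == 1:
        img, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        # A binary in a user-writable path started by another binary in a
        # user-writable path is the dropper chain behind "Executes dropped EXE".
        if user_writable(img) and user_writable(parent):
            hits.append("executes_dropped_exe")
        if img.lower().endswith("\\netsh.exe") and "firewall" in cmd.lower():
            hits.append("modifies_firewall")
    elif ev["EventID"] == 13:
        target, details = ev["TargetObject"], ev["Details"]
        # Run-key value whose data points into a user-writable directory.
        if RUN_KEY.search(target) and user_writable(details):
            hits.append("run_key_persistence")
        if FIREWALL_POLICY.search(target):
            hits.append("modifies_firewall")
    return hits


def scan_events(events):
    """Return [(event_index, image, behaviour)] across all events."""
    return [(i, ev.get("Image"), h)
            for i, ev in enumerate(events) for h in check_event(ev)]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The vendor Run entry in Program Files is deliberately left unflagged: keying on the target directory rather than on the Run key alone keeps ordinary software installs out of the queue. Note that Sysmon records registry value writes but not reads, so the BIOS and VirtualBox ACPI checks listed above are visible in a sandbox trace but not in this kind of telemetry.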

MITRE ATT&CK Enterprise v6

Tasks