General

  • Target

    setup_x86_x64_install.exe

  • Size

    15.4MB

  • Sample

    211126-q5a33afhh4

  • MD5

    9df64048442f3e2359167b4557bef2c8

  • SHA1

    619693bf13e6915e1a7f6fa81f171f386916fa99

  • SHA256

    e57501a7f031ba3ac01f8d4d322b5b26cb6d7d25e9ad148054b16aa644f2d31e

  • SHA512

    d5b825ef7b64b02fc0f9db844b5e2fbfd1bbcba618ffd94c7489539401e73338b5116c59ab8f80b350844a4f740e1b3ed8daa886892f351e5186ddabec9c329d

Malware Config

Extracted

Family

socelars

C2

http://www.ecgbg.com/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

C2

http://membro.at/upload/

http://jeevanpunetha.com/upload/

http://misipu.cn/upload/

http://zavodooo.ru/upload/

http://targiko.ru/upload/

http://vues3d.com/upload/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

user01new

C2

49.12.219.50:4846

Extracted

Family

redline

Botnet

media24n

C2

65.108.69.168:16278

Extracted

Family

vidar

Version

48.7

Botnet

933

C2

https://mstdn.social/@anapa

https://mastodon.social/@mniami

Attributes
  • profile_id

    933

Targets

    • Target

      setup_x86_x64_install.exe

    • Size

      15.4MB

    • MD5

      9df64048442f3e2359167b4557bef2c8

    • SHA1

      619693bf13e6915e1a7f6fa81f171f386916fa99

    • SHA256

      e57501a7f031ba3ac01f8d4d322b5b26cb6d7d25e9ad148054b16aa644f2d31e

    • SHA512

      d5b825ef7b64b02fc0f9db844b5e2fbfd1bbcba618ffd94c7489539401e73338b5116c59ab8f80b350844a4f740e1b3ed8daa886892f351e5186ddabec9c329d

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks