General

  • Target

    setup_installx86-x64.exe

  • Size

    6.0MB

  • Sample

    211231-v4x9eshba7

  • MD5

    16c78fbe573738c14c8e5396360b217e

  • SHA1

    e96d30b8d1dc3cd2c561e8a35f9fab3d5b635e39

  • SHA256

    718db5fd7b0ad0b3c34d2502ecd8d1521f67caba93245966ce2a9e58f4a7f254

  • SHA512

    2eb61a8b3c070400f9529d02be4afd3776af73e982514f0ab45446a25e89d89210fb5fcb1e47f5b6a6771c2647ff52caaaf04f28d5961439b58b520caf9379a1

Malware Config

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

smokeloader

Version

2020

C2

http://melchen-testet.at/upload/

http://zjymf.com/upload/

http://pbxbmu70275.cn/upload/

http://mnenenravitsya.ru/upload/

http://pitersprav.ru/upload/

rc4.i32
rc4.i32

Targets

    • Target

      setup_installx86-x64.exe

    • Size

      6.0MB

    • MD5

      16c78fbe573738c14c8e5396360b217e

    • SHA1

      e96d30b8d1dc3cd2c561e8a35f9fab3d5b635e39

    • SHA256

      718db5fd7b0ad0b3c34d2502ecd8d1521f67caba93245966ce2a9e58f4a7f254

    • SHA512

      2eb61a8b3c070400f9529d02be4afd3776af73e982514f0ab45446a25e89d89210fb5fcb1e47f5b6a6771c2647ff52caaaf04f28d5961439b58b520caf9379a1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • XMRig Miner Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks