General

  • Target

    PASSWORD_IS_951951____Malwarebytes-An.zip

  • Size

    6.2MB

  • Sample

    220102-t6k67shacm

  • MD5

    37ec8ebfaf3c465f043d0b737288c42b

  • SHA1

    887c6e4ae59853e88fdb73977ae66923295ea80b

  • SHA256

    1d2485347ec36e5c599826453861346e63dbe817bfa7ddf6dfdd750d0a6c699c

  • SHA512

    c1c0e5eb6e217aa16970656daa1dd595d143b72422b268c25ef758296914dab17be1e2570a6d83d06aba2c669b6c997dbcfb2b0861a60d2d82d591bec1ed5d30

Malware Config

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

smokeloader

Version

2020

C2

http://melchen-testet.at/upload/

http://zjymf.com/upload/

http://pbxbmu70275.cn/upload/

http://mnenenravitsya.ru/upload/

http://pitersprav.ru/upload/

rc4.i32

Targets

    • Target

      setup_installx86-x64.exe

    • Size

      6.2MB

    • MD5

      60af070c7517f3724bced298606d8859

    • SHA1

      eed29462ae903ab22ab3f6980bc72098aa22a0aa

    • SHA256

      b3cba6f497f226456bcc8915644968fdea7f4729bc3eaec3a4808e200319049f

    • SHA512

      65490918398c29b20c8899915fa5516476589676ec322ff4683ea325f0e1c2b79b23af946da1be23d00a3dafc62a5450c24e867cea95cee2df331d1535b78dc1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • XMRig Miner Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks