General

  • Target

    PASSWORD_IS_951951____Adobe-Photoshop.zip

  • Size

    6.0MB

  • Sample

    220102-tvs3nsaeh7

  • MD5

    c81158e1c5c1af3b4b303e844b07fe60

  • SHA1

    7134a0abd2627c15c0ebe2c826cfb246a04b3ab8

  • SHA256

    6d4efaca37803b329b9da5e664ace2fcbac0499caf8b3cc943c5171659bdf0df

  • SHA512

    a6576461af8dfe167cab0fe2b599dc6fbfea1e5eebf5b00d0aa77742d1bb706cd2a21c122da45e1920cdd78899609a1d2ff436d4ed703ef3bed3ffb4d0d361bb

Malware Config

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

smokeloader

Version

2020

C2

http://melchen-testet.at/upload/

http://zjymf.com/upload/

http://pbxbmu70275.cn/upload/

http://mnenenravitsya.ru/upload/

http://pitersprav.ru/upload/

rc4.i32
rc4.i32

Targets

    • Target

      setup_installx86-x64.exe

    • Size

      6.0MB

    • MD5

      cdc1b6ca6d726dd90b8b81069b161dc5

    • SHA1

      959efe3bfcdcd25ade7b61ed1a9ce82fc3b06e03

    • SHA256

      4655fd6c7db476942abbf6f7b897c8a97a3d27fa662e18562bc34dd26c2b60ad

    • SHA512

      f0aa00f174b33f1ea6bb6961619314641e8e47cbdfb5562ff66eac77f5cbb38e63a46749700d16b738b055f7e9089a4fd0744a780e3ace3f8b0522f36d83a9fe

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • XMRig Miner Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks