Overview

overview

10

Static

static

10

7zS850A099...ed.exe

windows7_x64

10

7zS850A099...ed.exe

windows10-2004_x64

10

7zS850A099...1a.exe

windows7_x64

8

7zS850A099...1a.exe

windows10-2004_x64

8

7zS850A099...b7.exe

windows7_x64

10

7zS850A099...b7.exe

windows10-2004_x64

10

7zS850A099...5e.exe

windows7_x64

10

7zS850A099...5e.exe

windows10-2004_x64

1

7zS850A099...a0.exe

windows7_x64

10

7zS850A099...a0.exe

windows10-2004_x64

10

7zS850A099...95.exe

windows7_x64

7

7zS850A099...95.exe

windows10-2004_x64

7

7zS850A099...cb.exe

windows7_x64

10

7zS850A099...cb.exe

windows10-2004_x64

1

7zS850A099...58.exe

windows7_x64

10

7zS850A099...58.exe

windows10-2004_x64

10

7zS850A099...7f.exe

windows7_x64

10

7zS850A099...7f.exe

windows10-2004_x64

10

7zS850A099...32.exe

windows7_x64

10

7zS850A099...32.exe

windows10-2004_x64

10

7zS850A099...c3.exe

windows7_x64

8

7zS850A099...c3.exe

windows10-2004_x64

10

7zS850A099...e9.exe

windows7_x64

6

7zS850A099...e9.exe

windows10-2004_x64

1

7zS850A099...8c.exe

windows7_x64

10

7zS850A099...8c.exe

windows10-2004_x64

1

7zS850A099...8c.exe

windows7_x64

7

7zS850A099...8c.exe

windows10-2004_x64

8

7zS850A099...ll.exe

windows7_x64

10

7zS850A099...ll.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    220119-j26l8sgcbj_pw_infected.zip

  • Size

    6.4MB

  • Sample

    220120-wswrwsbad4

  • MD5

    1384f5282e8bb65c9a3e75b7d9fce5b0

  • SHA1

    16d60806f4c35b942db7e2b9ff0004d4771db020

  • SHA256

    f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

  • SHA512

    2de310d6b17c0ac135d313d344678600ce3f6a7c0d5c30bf9c45548057ce1c22a656020b1d79267200dc39627ddd98aeeaec217084a8b3ef3db9b6a16cb468eb

Score
10/10
onlyloggerredlinesmokeloadersocelarsvidarmedia17223v2user1aspackv2backdoordiscoveryevasioninfostealerloaderpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

socelars

C2

http://www.kvubgc.com/

http://www.nvdmzf.com/

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

media17223

C2

92.255.57.115:59426

Extracted

Family

redline

Botnet

v2user1

C2

88.99.35.59:63020

Targets

    • Target

      7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe

    • Size

      312KB

    • MD5

      e5a07be6c167ccf605ba9e6a0608e141

    • SHA1

      d50547756f224ebaf38efc1b2e5134b6caa272ba

    • SHA256

      449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4

    • SHA512

      b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

    Score
    10/10
    persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe

    • Size

      381KB

    • MD5

      996061fe21353bf63874579cc6c090cc

    • SHA1

      eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9

    • SHA256

      b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a

    • SHA512

      042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

    Score
    8/10
    discoverypersistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3behavioral4

    • Target

      7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe

    • Size

      267KB

    • MD5

      9e967a473010b430f5bde8d23b0cb9a6

    • SHA1

      eed882f8ff642d0da9e89371e3ce75c1be317ad2

    • SHA256

      66b03cc7950fb0df8607d07c4bdd45c74d2da333dcdbd97c5192c8b36b5ce039

    • SHA512

      8916a36c24da3ef89066e226179e32ac3714ad72965e42f14fd38c6387c61c82118e519633f3ba628f5d3d5a45d237bdca7d6325d22599b2948503b0f2866fb7

    Score
    10/10
    smokeloaderbackdoortrojanpersistence
    behavioral5behavioral6

    • Target

      7zS850A099E/61e74fd53f766_Tue23ec97445e.exe

    • Size

      160KB

    • MD5

      8f70a0f45532261cb4df2800b141551d

    • SHA1

      521bbc045dfb7bf9fca55058ed2fc03d86cf8d00

    • SHA256

      aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5

    • SHA512

      3ea19ee472f3c7f9b7452fb4769fc3cc7591acff0f155889d08dadbd1f6ae289eaa310e220279318ac1536f99ea88e43ff75836aee47f3b4fbe8aa477cb9d099

    Score
    10/10
    evasionspywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral7behavioral8

    • Target

      7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe

    • Size

      1.4MB

    • MD5

      435a69af01a985b95e39fb2016300bb8

    • SHA1

      fc4a01fa471de5fcb5199b4dbcba6763a9eedbee

    • SHA256

      d5cdd4249fd1b0aae17942ddb359574b4b22ff14736e79960e704b574806a427

    • SHA512

      ea21ff6f08535ed0365a98314c71f0ffb87f1e8a03cdc812bbaa36174acc2f820d6d46c13504d9313de831693a3220c622e2ae244ffbcfe9befcbc321422b528

    Score
    10/10
    socelarsdiscoveryspywarestealer

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral9behavioral10

    • Target

      7zS850A099E/61e74fd8ef830_Tue23593425095.exe

    • Size

      1.6MB

    • MD5

      c4e681d218d1c9c4efe701b4c7554eb5

    • SHA1

      c3b43d0fbc5ad442067546b9d40c16810bb379da

    • SHA256

      825a970bd11d349ba089e70419036c01ebb8cfd06e4abbec6bf58e9c7566a5e6

    • SHA512

      b8d4ee6093835b0ec398f8884097db0bf1026e581743151241fb1489b061ba463dacf35b9af17f49ddc9d22769e9ebd763d9bfdb7e4d99e47a4e256c493ba3b5

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral11behavioral12

    • Target

      7zS850A099E/61e74fda51500_Tue23260baecb.exe

    • Size

      266KB

    • MD5

      49edc32bbb405b39d7f2b7fe1b8df04f

    • SHA1

      e6dd0214ee693e6b90ba1293c840327894772644

    • SHA256

      5a14c836ca0af97881c91393b48232f81953b304acab8e42abf562cb02971f0a

    • SHA512

      da0c36951c498d43d243fa28a153e90336ca49277f08c3a282914293958876c55ad72b26535575a344d4553fb30f5aa517d386e58960fa10358d56f9dbd3cc54

    Score
    10/10
    smokeloaderbackdoortrojan
    behavioral13behavioral14

    • Target

      7zS850A099E/61e7501ab629f_Tue23c4645058.exe

    • Size

      405KB

    • MD5

      031f38d24ae18e9d3d3b878b9b1d8902

    • SHA1

      b089e0f0d1809873b2d8d86e9c72f9136efa9983

    • SHA256

      23facfbb54ebef4f301cd273be87ce89ae421f2cf2f79ebbc0e5338a54b4c356

    • SHA512

      278dac8cbc45ad9e758da3f368e7f72e01b5e59d79c7176bfdf90a2bf1caf89f29c8852c66bff25c5ae8b4395724f54c8525e83881c1cd1f5b6ccd175852241d

    Score
    10/10
    onlyloggerloaderpersistence

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • OnlyLogger Payload

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    behavioral15behavioral16

    • Target

      7zS850A099E/61e7501b7eabe_Tue2344597f.exe

    • Size

      527KB

    • MD5

      8e0bc14c20fd607593967f164bbf08b5

    • SHA1

      f68dc21b6352302d36cb1953ac0065e30d1ca6b0

    • SHA256

      af8fbb1b23a21d1be75abcbb8d7c8447ec0c3b309fcfb407a91576a06070dcfe

    • SHA512

      71cb5f5cfc5bb858a3ec2b7cf94d1d0652b5b66c505c4016c9d86e19ba86352d5f8f332df11be163c4aa1d3d36fc892bcc5bd5f2fbd6a383cd4e36c9885c7639

    Score
    10/10
    redlinemedia17223discoveryinfostealerspywarestealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Sets service image path in registry

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe

    • Size

      523KB

    • MD5

      c7f26d8e0ac6d899d6febd75f81f9cc3

    • SHA1

      113fe52d0562fa3b591dffd633f0d3d6db4feee8

    • SHA256

      762433792d60c6c384fca690a8b3b5ef9e2390fd18ad0abdec248229bd5d89bc

    • SHA512

      6848bff0d6e6302598faf274e35cb46c5b076937098a15558a199fded52d65a6486a4ae7cb9f756ea01c5fe4a685759bb6d1bf60fcf794528548830683aaee64

    Score
    10/10
    redlinev2user1discoveryinfostealerspywarestealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Sets service image path in registry

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe

    • Size

      1.6MB

    • MD5

      79400b1fd740d9cb7ec7c2c2e9a7d618

    • SHA1

      8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3

    • SHA256

      556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f

    • SHA512

      3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

    Score
    10/10
    spywarestealerupx

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral21behavioral22

    • Target

      7zS850A099E/61e7502b8389b_Tue233252e9.exe

    • Size

      362KB

    • MD5

      bd97b9bdb9e842a76d084d9aae2157dc

    • SHA1

      05855bb520005e4105f053d40c464cb8c7b2f2d0

    • SHA256

      c739d1ae35aa6c63fb6f07b529bd25f77aad42260ed8a95a69487216fbb2b718

    • SHA512

      3e5112f757f7e54399b14d4a00c695a1268f1cf4534db95fa3e7529c437add41b4cf5429747635c16d8fbe1c0123e4522a8b08867ede9de3b5c73b75987a2c32

    Score
    6/10

    • Legitimate hosting services abused for malware hosting/C2

    behavioral23behavioral24

    • Target

      7zS850A099E/61e7502c4cff3_Tue232cba58c.exe

    • Size

      666KB

    • MD5

      81d975ad4ca267db5d3c50ea5875a563

    • SHA1

      be11fb5a16735249000a48279cd1bd7aa8b06d90

    • SHA256

      c724232309617b23a487c1713f4c90680354928f1d5f67200cdbe15e1421e43a

    • SHA512

      ab822f7a07bbc124ea000afcd27c7c9981ce82d032e80369ba65959c5f83f28e15bec33cd9d5b740b41511bb7c7b15133739ace59f46cc13489d66d9e8e16df3

    Score
    10/10
    redlinediscoveryinfostealerpersistencespywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral25behavioral26

    • Target

      7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe

    • Size

      116KB

    • MD5

      b8ecec542a07067a193637269973c2e8

    • SHA1

      97178479fd0fc608d6c0fbf243a0bb136d7b0ecb

    • SHA256

      fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e

    • SHA512

      730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

    Score
    8/10

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Legitimate hosting services abused for malware hosting/C2

    behavioral27behavioral28

    • Target

      7zS850A099E/setup_install.exe

    • Size

      2.1MB

    • MD5

      981744adcc06328c94eeafac3985c3a2

    • SHA1

      56ca31c1fc829df9621a6e5f6f3b618b52f83cd0

    • SHA256

      c8e6f3389f92c34f03a775bc3203f02952ae6ffc86353cd53d614f60ded53641

    • SHA512

      7411219660642d5cc1ac56a1dca8ebd8a285f31471e9a5d519a7f52c8a2378044f7780f7401b2c796d537fd2bdda60860fe3c78a5e47d7bb94834821585296ea

    Score
    10/10
    onlyloggerredlinesmokeloadermedia17223v2user1backdoorinfostealerloadertrojanupxsocelarsvidarpersistencespywarestealer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • OnlyLogger Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

8
T1060

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

11
T1112

Disabling Security Tools

1
T1089

Install Root Certificate

2
T1130

Credential Access

Credentials in Files

10
T1081

Discovery

Query Registry

23
T1012

System Information Discovery

27
T1082

Peripheral Device Discovery

3
T1120

Remote System Discovery

2
T1018

Lateral Movement

Collection

Data from Local System

10
T1005

Exfiltration

Command and Control

Web Service

5
T1102

Impact

Tasks

static1

aspackv2socelars
Score
10/10

behavioral1

Score
10/10

behavioral2

persistence
Score
10/10

behavioral3

discovery
Score
8/10

behavioral4

discoverypersistence
Score
8/10

behavioral5

smokeloaderbackdoortrojan
Score
10/10

behavioral6

smokeloaderbackdoorpersistencetrojan
Score
10/10

behavioral7

evasionspywarestealertrojan
Score
10/10

behavioral8

Score
1/10

behavioral9

socelarsdiscoveryspywarestealer
Score
10/10

behavioral10

socelarsspywarestealer
Score
10/10

behavioral11

Score
7/10

behavioral12

Score
7/10

behavioral13

smokeloaderbackdoortrojan
Score
10/10

behavioral14

Score
1/10

behavioral15

onlyloggerloader
Score
10/10

behavioral16

onlyloggerloaderpersistence
Score
10/10

behavioral17

redlinemedia17223discoveryinfostealerspywarestealer
Score
10/10

behavioral18

redlinemedia17223discoveryinfostealerpersistencespywarestealer
Score
10/10

behavioral19

redlinev2user1discoveryinfostealerspywarestealer
Score
10/10

behavioral20

redlinev2user1discoveryinfostealerpersistencespywarestealer
Score
10/10

behavioral21

spywarestealerupx
Score
8/10

behavioral22

spywarestealerupx
Score
10/10

behavioral23

Score
6/10

behavioral24

Score
1/10

behavioral25

redlinediscoveryinfostealerpersistencespywarestealer
Score
10/10

behavioral26

Score
1/10

behavioral27

Score
7/10

behavioral28

Score
8/10

behavioral29

onlyloggerredlinesmokeloadermedia17223v2user1backdoorinfostealerloadertrojanupx
Score
10/10

behavioral30

onlyloggerredlinesmokeloadersocelarsvidarmedia17223v2user1backdoorinfostealerloaderpersistencespywarestealertrojanupx
Score
10/10