General

  • Target

    abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48

  • Size

    4.2MB

  • Sample

    220312-ajprbsdbb5

  • MD5

    29cba808ae55db40ce2d822c17c15edd

  • SHA1

    389f5a4b43e542be9212804ecd077d80c3bd62c1

  • SHA256

    abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48

  • SHA512

    24d742c7919a733f4b07185982020a09188fd97a27f4c0a0d819665bac573da89fb3db31e343c9e89edf284c27d30ea4fa1012a491bba83a54926b6adeb87151

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

#2

C2

shurinedn.xyz:80

Extracted

Family

raccoon

Botnet

5e952d9d2bbe82643afb1857a7befd7377f3a063

Attributes
  • url4cnc

    http://185.3.95.153/sbjoahera

    http://185.163.204.22/sbjoahera

    https://t.me/sbjoahera

rc4.plain
rc4.plain

Extracted

Family

tofsee

C2

patmushta.info

ovicrush.cn

Extracted

Family

redline

Botnet

ISTALL1

C2

86.107.197.196:63065

Attributes
  • auth_value

    5fe37244c13b89671311b4f994adce81

Targets

    • Target

      abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48

    • Size

      4.2MB

    • MD5

      29cba808ae55db40ce2d822c17c15edd

    • SHA1

      389f5a4b43e542be9212804ecd077d80c3bd62c1

    • SHA256

      abe12a319f2aed2a1f0cea9fd173d70846c738df6139833d92e28220d2f9ed48

    • SHA512

      24d742c7919a733f4b07185982020a09188fd97a27f4c0a0d819665bac573da89fb3db31e343c9e89edf284c27d30ea4fa1012a491bba83a54926b6adeb87151

    • Modifies Windows Defender Real-time Protection settings

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • OnlyLogger Payload

    • Vidar Stealer

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

New Service

1
T1050

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Hidden Files and Directories

1
T1158

Privilege Escalation

New Service

1
T1050

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

1
T1089

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks