General

  • Target

    96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.zip

  • Size

    9.7MB

  • Sample

    220331-saf2yadef7

  • MD5

    40c8505ae953230b7df57cd41ff9b958

  • SHA1

    561cf900de177b402c608af14fdcae6bd23c728f

  • SHA256

    6d42b89a86c2e85f79f6652889209d14c641cde35d7a8c43fc7ea6a657f80957

  • SHA512

    1442b879b609a6b220cf297970a1d52ac1cf43ee06e4cbbbf0c877b873b2fbf432653ca013ec1ebbbfa3a21ae7919b62ca194eb55ab15eee96f909413e9bebf2

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://gerer.at/upload/

http://pass-finger.com/upload/

http://meet-ru.ru/upload/

http://elroisolutions.com/upload/

http://gebzetuning.com/upload/

http://les-pub.com/upload/

http://mordo.ru/upload/

http://pkodev.net/upload/

http://autocarsjames.com/upload/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

116.203.252.195:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    svs.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

same

C2

116.202.106.111:9582

Attributes
  • auth_value

    6fcb28e68ce71e9cfc2aae3ba5e92f33

Targets

    • Target

      96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a

    • Size

      9.7MB

    • MD5

      ac5ac3dc9105407cdcea292bbb1e2282

    • SHA1

      91ba4cf7e046e1ec164ea4e7ac930daa8aefb1e6

    • SHA256

      96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a

    • SHA512

      dd3bbe1e448b7de46e6fa085d28404075d8c4b01bceddc7d558bcb7c2c7ce9941eac0bd3b064ee2e04eac422dbd04ca3678caa4c1decb1c85507069963dbd525

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Async RAT payload

    • OnlyLogger Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks