General

  • Target

    06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497.zip

  • Size

    9.6MB

  • Sample

    220331-x584esghd6

  • MD5

    6bb8159211be5fe4079acb4d4c23edaa

  • SHA1

    ec567d6d11faff719850b54fd96e837567cb0f6d

  • SHA256

    dd65b3d3254770a4a448222db48773c39bcd730126d6c65a1b9210ab3445020e

  • SHA512

    d791f7101e75719ca0dce338e36843d40098bc9194f0d0c93cfbb2f7be34b67b5165a952ec0d5af7de11b5e240ef2bc87d27c325360e82cd9d4c32deb20b4ff4

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32
rc4.i32

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

116.203.252.195:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    svs.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

same

C2

116.202.106.111:9582

Attributes
  • auth_value

    6fcb28e68ce71e9cfc2aae3ba5e92f33

Targets

    • Target

      06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497

    • Size

      9.6MB

    • MD5

      c869a2a9d6adbde8402790f7a884d8c9

    • SHA1

      d5452604cb3819e95fd5b29361305ef2357079a2

    • SHA256

      06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497

    • SHA512

      81e64fa0b7115c5e296cb2bb3d68142f16b9be5956bb5e3fa7c7264c0160e5b54c92d7c8ec9832cf69d82f7738eca52d756d46cd97fac99faa706db538cef700

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Async RAT payload

    • OnlyLogger Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks