Description
Stealer targeting social media platform users first seen in April 2022.
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
General
Target
Size
Sample
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
9MB
220521-b7beaadcf2
Score
10 /10
MD5
SHA1
SHA256
SHA512
93e23e5bed552c0500856641d19729a8
7e14cdf808dcd21d766a4054935c87c89c037445
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff
Malware Config
Extracted
| Family | socelars |
| C2 |
http://www.iyiqian.com/ http://www.xxhufdc.top/ http://www.uefhkice.xyz/ http://www.znsjis.top/ |
Extracted
| Family | redline |
| Botnet | UDP |
| C2 |
45.9.20.20:13441 |
Extracted
| Family | metasploit |
| Version | windows/single_exec |
Extracted
| Family | smokeloader |
| Version | 2020 |
| C2 |
http://govsurplusstore.com/upload/ http://best-forsale.com/upload/ http://chmxnautoparts.com/upload/ http://kwazone.com/upload/ http://monsutiur4.com/ http://nusurionuy5ff.at/ http://moroitomo4.net/ http://susuerulianita1.net/ http://cucumbetuturel4.com/ http://nunuslushau.com/ http://linislominyt11.at/ http://luxulixionus.net/ http://lilisjjoer44.com/ http://nikogminut88.at/ http://limo00ruling.org/ http://mini55tunul.com/ http://samnutu11nuli.com/ http://nikogkojam.org/ |
| rc4.i32 |
|
| rc4.i32 |
|
| rc4.i32 |
|
| rc4.i32 |
|
Extracted
| Family | redline |
| Botnet | ruz |
| C2 |
91.211.251.186:41933 |
| Attributes |
auth_value b5178f81ea8830c13e88c402dccf09f0 |
Extracted
| Family | redline |
| Botnet | meta |
| C2 |
193.106.191.197:23196 |
| Attributes |
auth_value 43584b1cb8d44c3baa5916166c3b2b3e |
Extracted
| Family | redline |
| Botnet | test1 |
| C2 |
185.215.113.75:80 |
| Attributes |
auth_value 7ab4a4e2eae9eb7ae10f64f68df53bb3 |
Extracted
| Family | redline |
| Botnet | Ruzki |
| C2 |
193.233.48.58:38989 |
| Attributes |
auth_value 80c38cc7772c328c028b0e4f42a3fac6 |
Extracted
| Family | tofsee |
| C2 |
niflheimr.cn jotunheim.name |
Targets
Target
MD5
Filesize
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
93e23e5bed552c0500856641d19729a8
9MB
Score
10/10
SHA1
SHA256
SHA512
7e14cdf808dcd21d766a4054935c87c89c037445
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff
Tags
Signatures
-
FFDroider
-
FFDroider Payload
-
Glupteba
Description
Glupteba is a modular loader written in Golang with various components.
Tags
-
Glupteba Payload
-
MetaSploit
Description
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Tags
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
OnlyLogger
Description
A tiny loader that uses IPLogger to get its payload.
Tags
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Tofsee
Description
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
Tags
-
Windows security bypass
Tags
TTPs
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags
-
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
Description
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
Tags
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Description
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
OnlyLogger Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
UPX packed file
Description
Detects executables packed with UPX/modified UPX open source packer.
Tags
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Windows security modification
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Tasks