General

  • Target

    a939f94e21313abc147331a7aeea1c53.exe

  • Size

    11.2MB

  • Sample

    220619-nyfc4agha9

  • MD5

    a939f94e21313abc147331a7aeea1c53

  • SHA1

    d0b849ee969baf2ffce1f5066e34ff7bc96a307b

  • SHA256

    84c4fe56c2361a095ea3a1cb743b434b4ea995429ddc3171af6501c92b478828

  • SHA512

    f8f9f544ea6a64ceace1c199145cf1d2e009c5768628d3dd50950a584deaf9ddf7a9e4c591998efa3062d7d4580b74f7a50ea53e528655ac16dd2f6e314e1b7f

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/eurfrsa613/

Extracted

Family

nymaim

C2

37.0.8.39

31.210.20.149

212.192.241.16

Extracted

Family

recordbreaker

C2

http://5.42.199.87/

Targets

    • Target

      a939f94e21313abc147331a7aeea1c53.exe

    • Size

      11.2MB

    • MD5

      a939f94e21313abc147331a7aeea1c53

    • SHA1

      d0b849ee969baf2ffce1f5066e34ff7bc96a307b

    • SHA256

      84c4fe56c2361a095ea3a1cb743b434b4ea995429ddc3171af6501c92b478828

    • SHA512

      f8f9f544ea6a64ceace1c199145cf1d2e009c5768628d3dd50950a584deaf9ddf7a9e4c591998efa3062d7d4580b74f7a50ea53e528655ac16dd2f6e314e1b7f

    • NyMaim

      NyMaim is a malware family with various capabilities, written in C++ and first seen in 2013.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RecordBreaker

      RecordBreaker is an information stealer written in C++ that is also capable of downloading and executing secondary payloads.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE Generic Stealer Config Download Request

    • suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
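
The Malware Config section above lists one C2 per family in three different shapes (an S3 bucket URL for socelars, bare IPs for nymaim, a plain-HTTP URL for recordbreaker), and the indicator list flags the S3 endpoint as a legitimate hosting service abused for C2. The Python below is an added example, not part of this sandbox report or any vendor's tooling: it parses the Malware Config text into per-family indicators, normalizes each C2 to a host plus a kind, and matches them against a constructed connection log, keying cloud-storage C2s on the bucket hostname (TLS SNI or HTTP Host) rather than on an IP that unrelated buckets share. The log layout (timestamp, source, destination:port, optional sni=/host= fields) and the S3 address in the log lines are assumptions; the indicator values are copied from the report.

```python
import ipaddress
from urllib.parse import urlparse

# The Malware Config section from this page with blank lines removed
# (constructed input for this example).
REPORT = """\
Extracted
Family
socelars
C2
https://sa-us-bucket.s3.us-east-2.amazonaws.com/eurfrsa613/
Extracted
Family
nymaim
C2
37.0.8.39
31.210.20.149
212.192.241.16
Extracted
Family
recordbreaker
C2
http://5.42.199.87/
"""

# Constructed connection log, "ts src dst:port [sni=...] [host=...]". The S3
# address (assumed) is shared by unrelated buckets, so the last line must not match.
CONN_LOG = [
    "2022-06-19T10:00:01Z 10.0.0.5 52.219.80.10:443 sni=sa-us-bucket.s3.us-east-2.amazonaws.com",
    "2022-06-19T10:00:02Z 10.0.0.5 37.0.8.39:80",
    "2022-06-19T10:00:03Z 10.0.0.5 8.8.8.8:53",
    "2022-06-19T10:00:04Z 10.0.0.5 5.42.199.87:80 host=5.42.199.87",
    "2022-06-19T10:00:05Z 10.0.0.5 52.219.80.10:443 sni=other-bucket.s3.us-east-2.amazonaws.com",
]


def parse_c2(text):
    """Return {family: [c2, ...]} from the report's Extracted / Family / C2 layout."""
    toks = [ln.strip() for ln in text.splitlines() if ln.strip()]
    families, i = {}, 0
    while i < len(toks):
        if toks[i] == "Family" and toks[i + 2:i + 3] == ["C2"]:
            family, i = toks[i + 1].lower(), i + 3
            c2s = []
            while i < len(toks) and toks[i] != "Extracted":
                c2s.append(toks[i])
                i += 1
            families[family] = c2s
        else:
            i += 1
    return families


def normalize_c2(c2):
    """Map a raw C2 string to (kind, host); the kind decides how it is matched."""
    host = urlparse(c2 if "://" in c2 else f"//{c2}").hostname or c2
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        # Shared cloud storage: key on the bucket hostname, never on its IP.
        kind = "cloud-storage" if host.endswith(".amazonaws.com") else "domain"
        return kind, host


def build_indicators(families):
    """host -> (family, kind) for every extracted C2."""
    return {host: (family, kind)
            for family, c2s in families.items()
            for kind, host in map(normalize_c2, c2s)}


def match_connections(indicators, log_lines):
    """(family, host, line) for each log line that reaches a known C2.

    IP indicators match the destination address; hostname indicators match
    the TLS SNI or HTTP Host field, so other buckets on the same S3 IP stay clean.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        dst_ip = fields[2].rsplit(":", 1)[0]
        names = {f.split("=", 1)[1] for f in fields[3:] if "=" in f}
        for host, (family, kind) in indicators.items():
            matched = dst_ip == host if kind == "ip" else host in names
            if matched:
                hits.append((family, host, line))
    return hits


if __name__ == "__main__":
    indicators = build_indicators(parse_c2(REPORT))
    for host, (family, kind) in indicators.items():
        print(f"{family:<14}{kind:<14}{host}")
    for family, host, line in match_connections(indicators, CONN_LOG):
        print("HIT", family, host, "<-", line)
```

Blocking the S3 hostname rather than its address is the practical consequence of the "Legitimate hosting services abused" indicator: the same IP serves every bucket in the region, so an IP block would both miss the C2 once AWS rotates the address and break unrelated traffic.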

MITRE ATT&CK Enterprise v6

Tasks