General
Target: 40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe
Size: 4MB
Sample: 220806-wsk1dsbhe2
MD5: 0b3c9a8b248dc3fbb73be5dd742e640d
SHA1: 457a463a66466eb8f00ad1559fcc4889b0ef494c
SHA256: 40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b
SHA512: 4f6be42c3e0cf005d56e5d292646a228ed1f2222d393dae7445efe1dab120e88cb0d395b5c49c44ff2b39950af11e69e702063135c3d57ad3eba14869a612064
Static task: static1
Behavioral task: behavioral1
  Sample: 40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe
  Resource: win10v2004-20220721-en
Malware Config
Extracted: privateloader
  http://45.133.1.107/server.txt
  pastebin.com/raw/A7dSG1te
  http://wfsdragon.ru/api/setStats.php
  51.178.186.149
Extracted: raccoon
  2f2ad1a1aa093c5a9d17040c8efd5650a99640b5
  url4cnc:
    http://telegatt.top/oh12manymarty
    http://telegka.top/oh12manymarty
    http://telegin.top/oh12manymarty
    https://t.me/oh12manymarty
Extracted: redline
  fucker2
  135.181.129.119:4805
  auth_value: b69102cdbd4afe2d3159f88fb6dac731
Extracted: redline
  media18
  91.121.67.60:2151
  auth_value: e37d5065561884bb54c8ed1baa6de446
Extracted: socelars
  http://www.iyiqian.com/
  http://www.hbgents.top/
  http://www.rsnzhy.com/
  http://www.efxety.top/
Extracted: redline
  Chris
  194.104.136.5:46013
  auth_value: 9491a1c5e11eb6097e68a4fa8627fda8
Targets
Target: 40C4D06433A2DB2E570B3302E01C5C2EBE51EFB59473A.exe
Size: 4MB
MD5: 0b3c9a8b248dc3fbb73be5dd742e640d
SHA1: 457a463a66466eb8f00ad1559fcc4889b0ef494c
SHA256: 40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b
SHA512: 4f6be42c3e0cf005d56e5d292646a228ed1f2222d393dae7445efe1dab120e88cb0d395b5c49c44ff2b39950af11e69e702063135c3d57ad3eba14869a612064
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Socelars payload
- OnlyLogger payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix
Collection: Data from Local System (1)
Credential Access: Credentials in Files (1)
Discovery: Query Registry (3), System Information Discovery (3), Peripheral Device Discovery (1)
Command and Control, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation: no techniques listed