Resubmissions

06-09-2022 14:31

220906-rv2npsedc2 10

06-09-2022 13:58

220906-q94wyadhg2 10

06-09-2022 13:49

220906-q4saysdgf9 10

05-09-2022 12:24

220905-plkbysbee8 10

05-09-2022 12:20

220905-phwwksbdh7 10

General

  • Target

    7941776127.zip

  • Size

    3.3MB

  • Sample

    220906-q94wyadhg2

  • MD5

    71d20daf4fc6d30f3cf6ade946408c6a

  • SHA1

    05472a57674619cc98773ac04cbb867371598d38

  • SHA256

    784cfe043155d4043af8d48fd8b348ddee2b7f9883425133f2891ed114506c80

  • SHA512

    3af6614b9b883d8819bcc24ff5947d123b4c5b6ef5d5b74ecc2f1540d06c69c8c30efb098ed5e28540b2de0d4a9099daccfee64dca87a79f0c2736d43dc050f5

  • SSDEEP

    49152:iyEdPI+keUCigapF2lyyLzpLKCq8tO84e6KVcPXYAjlMgCxm+30rvJfocTg83Lbq:GxrkVf2lRzpC8k8mY0lMgsqfpTye0

Malware Config

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

redline

Botnet

she

C2

135.181.129.119:4805

Attributes
  • auth_value

    b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Attributes
  • auth_value

    9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

media12

C2

91.121.67.60:2151

Attributes
  • auth_value

    e37d5065561884bb54c8ed1baa6de446

Targets

    • Target

      01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68

    • Size

      3.3MB

    • MD5

      b5b1415b3890d0108ac53acd595497b9

    • SHA1

      876eb8e34ecb3c1fea20e2c6b710346676ad2de2

    • SHA256

      01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68

    • SHA512

      fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0

    • SSDEEP

      49152:xcB4EwJ84vLRaBtIl9mVHZ7PhEKQ9F6ZGZ9kLvlEEXArNC6XlruK1JJecwJpVz+K:xKCvLUBsg575Uwg9CvD969D1zecwlTWM

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • OnlyLogger payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks