General

  • Target

    9909b41bb1abc4453e3fb3b2fbb6e64c336fa4ef228547301fdf7f9923cc32d6

  • Size

    294KB

  • Sample

    220908-w2ngwafcb2

  • MD5

    04dda88af1a9878c6ff787eccdf71b35

  • SHA1

    fe59945ddeb5d9fabe341e3b3717acc8ed59ba2f

  • SHA256

    9909b41bb1abc4453e3fb3b2fbb6e64c336fa4ef228547301fdf7f9923cc32d6

  • SHA512

    c6a2376340f85e3b52734928ff5fea8c35e70e625f48b5a7aaa132b2b0dd168522be9f0b8a3f8af7e6f68fc8c0c56530fb364c0588ddbb0f22bdf1db0be6ac3a

  • SSDEEP

    6144:Uahql9QO8eOrlpfY32/ppCqCx1aZPyddl9YfdYygz0:U99MeOZ1S2/pw7oZaLrUdYygA

Malware Config

Extracted

Family

redline

Botnet

mario_new

C2

176.122.23.55:11768

Attributes
  • auth_value

    eeee8d5fcc3ba3a42094ef260c5bdcb4

Extracted

Family

redline

Botnet

1337

C2

78.153.144.6:2510

Attributes
  • auth_value

    b0447922bcbc2eda83260a9e7a638f45

Extracted

Family

redline

Botnet

nam5

C2

103.89.90.61:34589

Attributes
  • auth_value

    f23be8e9063fe5d0c6fc3ee8e7d565bd

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/

Extracted

Family

raccoon

Botnet

567d5bff28c2a18132d2f88511f07435

C2

http://116.203.167.5/

http://195.201.248.58/

Attributes
  • rc4.plain
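
The extracted configs above are the most directly actionable part of this report: three RedLine botnets with their own IP:port and auth_value, a Socelars payload prefix on a dedicated S3 bucket, and two Raccoon gates. The following is an added example, not part of the sandbox report, that turns those C2 entries into an attributed indicator set and runs it over connection and proxy logs. The config values are copied from the report; the log lines are constructed for the example.

```python
"""Turn the extracted configs above into a C2 indicator set and run it over
connection and proxy logs. Added example, not part of the sandbox report; the
config values are copied from the report, the log lines are constructed."""
from urllib.parse import urlparse

# Extracted configs as listed in the report: family, botnet id, C2 list.
EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": "mario_new", "c2": ["176.122.23.55:11768"]},
    {"family": "redline", "botnet": "1337", "c2": ["78.153.144.6:2510"]},
    {"family": "redline", "botnet": "nam5", "c2": ["103.89.90.61:34589"]},
    {"family": "socelars", "botnet": None,
     "c2": ["https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/"]},
    {"family": "raccoon", "botnet": "567d5bff28c2a18132d2f88511f07435",
     "c2": ["http://116.203.167.5/", "http://195.201.248.58/"]},
]


def normalize_c2(entry):
    """Return (host, port) for an 'ip:port' entry or a URL.
    A URL without an explicit port gets its scheme's default."""
    if "://" in entry:
        u = urlparse(entry)
        return u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80)
    host, _, port = entry.rpartition(":")
    return host.lower(), int(port)


def build_indicators(configs=EXTRACTED_CONFIGS):
    """Map host -> [(port, family, botnet)] so every hit keeps its attribution."""
    ioc = {}
    for cfg in configs:
        for entry in cfg["c2"]:
            host, port = normalize_c2(entry)
            ioc.setdefault(host, []).append((port, cfg["family"], cfg["botnet"]))
    return ioc


# Constructed connection log, one flow per line:
# ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = """\
1662640001.1 10.0.0.17 51022 176.122.23.55 11768 tcp
1662640002.3 10.0.0.17 51023 142.250.74.78 443 tcp
1662640003.7 10.0.0.17 51024 116.203.167.5 80 tcp
1662640004.0 10.0.0.17 51025 176.122.23.55 80 tcp
1662640005.9 10.0.0.22 51026 195.201.248.58 80 tcp
"""

# Constructed proxy log: ts src_ip method url status
SAMPLE_PROXY_LOG = """\
1662640006.2 10.0.0.17 GET https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/1.bin 200
1662640007.4 10.0.0.17 GET https://hueduy.s3.eu-west-1.amazonaws.com/other/ 403
1662640008.8 10.0.0.22 GET http://195.201.248.58/ 200
"""


def scan_conn_log(log_text, indicators):
    """Flag flows to a known C2 host. A port match is reported as 'exact'; a
    different port on the same host is still reported, as 'host-only', because
    the operator can change the RedLine port far more cheaply than the IP."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, _sport, dst, dport, _proto = line.split()
        dport = int(dport)
        for port, family, botnet in indicators.get(dst, []):
            hits.append((src, dst, dport, family, botnet,
                         "exact" if port == dport else "host-only"))
    return hits


def scan_proxy_log(log_text, configs=EXTRACTED_CONFIGS):
    """URL-based C2s (the Socelars S3 prefix, the Raccoon gates) match on
    scheme + host + path prefix, so other paths on the same host do not fire."""
    prefixes = [(c["family"], c["botnet"], e.lower())
                for c in configs for e in c["c2"] if "://" in e]
    hits = []
    for line in log_text.splitlines():
        _ts, src, _method, url, _status = line.split()
        for family, botnet, prefix in prefixes:
            if url.lower().startswith(prefix):
                hits.append((src, url, family, botnet))
    return hits


if __name__ == "__main__":
    ioc = build_indicators()
    for hit in scan_conn_log(SAMPLE_CONN_LOG, ioc) + scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Two design points worth keeping when adapting this: the auth_value of each RedLine config is a per-botnet token and should travel with the hit (it is what lets you tell a "mario_new" victim from a "1337" one), and the Socelars indicator is matched on the full bucket-plus-path prefix rather than the bare amazonaws.com host, since blocking the host would also block legitimate S3 traffic.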

Targets

    • Detects Smokeloader packer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
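
Two of the signatures above, "Downloads MZ/PE file" and "UPX packed file", are cheap to reproduce on any blob a host pulled down during the incident. The following is an added example, not the sandbox's own detection logic, that validates the MZ and PE signatures, walks the section table, and applies the UPX heuristic the signature text describes: stock UPX names its sections UPX0/UPX1, and a modified build that renames them still leaves the first section empty on disk but large in memory. The three PE images in the block are constructed fixtures, not the sample from this report.

```python
"""Check a downloaded blob for MZ/PE magic and for the UPX packer layout the
'UPX packed file' signature describes. Added example, not the sandbox's own
detection logic; the PE images below are constructed fixtures, not the sample
from this report."""
import struct


def build_stub_pe(sections):
    """Construct a minimal PE header set with the given (name, virtual_size,
    raw_size) sections. Test fixture only; it is not a runnable executable."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\x00")
    opt_size = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")
    table = b""
    for i, (name, vsize, rsize) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             vsize, 0x1000 * (i + 1), rsize, 0x400 + 0x200 * i,
                             0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\x00\x00" + coff + opt + table


def parse_sections(data):
    """Validate the MZ and PE signatures, then return the section table as
    dicts. Raises ValueError on anything that is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, off)
        sections.append({"name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize})
    return sections


def looks_upx_packed(sections):
    """Return (verdict, reasons). Stock UPX names its sections UPX0/UPX1; a
    modified build may rename them, so also check the layout they share: the
    first section has no bytes on disk but a large virtual size, because it is
    the destination the stub unpacks into."""
    reasons = []
    if any(s["name"].startswith("UPX") for s in sections):
        reasons.append("UPX section names")
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] >= 0x1000:
        reasons.append("first section empty on disk, large in memory")
    return bool(reasons), reasons


# Constructed fixtures: a stock UPX layout, a renamed one, and a plain build.
UPX_STUB = build_stub_pe([("UPX0", 0x20000, 0), ("UPX1", 0x9000, 0x8C00), (".rsrc", 0x1000, 0x400)])
RENAMED_STUB = build_stub_pe([(".text", 0x20000, 0), (".data", 0x9000, 0x8C00), (".rsrc", 0x1000, 0x400)])
PLAIN_STUB = build_stub_pe([(".text", 0x5000, 0x5000), (".rdata", 0x2000, 0x2000), (".data", 0x1000, 0x400)])


def classify(data):
    """Triage verdict for a downloaded blob: 'not-pe', 'upx', or 'pe'."""
    try:
        sections = parse_sections(data)
    except ValueError:
        return "not-pe"
    packed, _ = looks_upx_packed(sections)
    return "upx" if packed else "pe"


if __name__ == "__main__":
    for label, blob in (("upx", UPX_STUB), ("renamed", RENAMED_STUB), ("plain", PLAIN_STUB)):
        print(label, classify(blob), looks_upx_packed(parse_sections(blob))[1])
```

The layout heuristic is a triage signal, not proof: other packers and some protectors also leave an empty first section, so a "first section empty on disk" hit on a non-UPX name should send the file to a proper unpacker rather than be reported as UPX outright. Conversely, a sample that unpacks cleanly with stock `upx -d` is the easy case; this report also flags the SmokeLoader packer, which this check would not identify.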

MITRE ATT&CK Enterprise v6

Tasks