General

  • Target

    b937942f7bcaf8fa54418e1a83e6c61fbbeec6da0fa5f50978d8a6c06447c86a

  • Size

    294KB

  • Sample

    220908-xsswnsfcg8

  • MD5

    582d22029015a45bcd36cc3b66834e03

  • SHA1

    22fcdc2c63ef7143ac17f9c88b997e933132e930

  • SHA256

    b937942f7bcaf8fa54418e1a83e6c61fbbeec6da0fa5f50978d8a6c06447c86a

  • SHA512

    caeba3b98bae3ec9a7e69a16633b63751c787387cb90ee6e9adfbb2d54a2e33f4af829845a614d33c17dd903592fd25af59bc3837c5efd0891fcb80028e8961d

  • SSDEEP

    6144:GehWYdtt5tMrJzP+l3THZUHjyekoYQtSYio3/xp2Fqe:GAdFtM9Lu3TH2uDohZ3Qq

Malware Config

Extracted

  • Family

    redline

  • Botnet

    mario_new

  • C2

    176.122.23.55:11768

  • Attributes

    • auth_value

      eeee8d5fcc3ba3a42094ef260c5bdcb4

Extracted

  • Family

    redline

  • Botnet

    1337

  • C2

    78.153.144.6:2510

  • Attributes

    • auth_value

      b0447922bcbc2eda83260a9e7a638f45

Extracted

  • Family

    socelars

  • C2

    https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/

Extracted

  • Family

    redline

  • Botnet

    nam5

  • C2

    103.89.90.61:34589

  • Attributes

    • auth_value

      f23be8e9063fe5d0c6fc3ee8e7d565bd

Extracted

  • Family

    raccoon

  • Botnet

    567d5bff28c2a18132d2f88511f07435

  • C2

    http://116.203.167.5/

    http://195.201.248.58/

  • rc4.plain

Targets

    • Detects Smokeloader packer

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks