Malware sandboxing report by Hatching Triage

Resubmissions

30-09-2022 07:48

220930-jnfhwsdgdj 10

27-09-2022 04:51

220927-fha5faced3 10

Sharing

Copy URL

Twitter E-mail

General

Target

f2ec0aaf1cd2359465bd42b1951d1c59267137ddba96c85f28c981d622ecf093
Size

6MB
Sample

220927-fha5faced3
MD5

4ec312d77817d8fb90403ff87b88d5e3
SHA1

d9f81255166d88ad38da03ead3f1b151d85da55a
SHA256

f2ec0aaf1cd2359465bd42b1951d1c59267137ddba96c85f28c981d622ecf093
SHA512

e3edf26a5b1997b063a245b84d9677140fafa5f8a5c85ace4c7b769512200f9091e3c31fe14b2ead76ddcaa3bd095dcd02aecdf47592c31e74fde4b152f6924b
SSDEEP

196608:x9Dxi4+sS8B8FSkbc7O/3RNAcTZ1W/fFr/lmqDduTbhXdn5+:x9DosS8B0SkQM34uZ1W/JzDdA/E

Score

10^/10

Malware Config

Extracted

Family

nullmixer

http://hornygl.xyz/

Extracted

Family

socelars

http://www.anquyebt.com/

Extracted

Family

redline

Botnet

media272257

92.255.57.115:11841

Attributes

auth_value
97416ad232ecb7973253e42825ae9b81

Targets

- Target
  
  f2ec0aaf1cd2359465bd42b1951d1c59267137ddba96c85f28c981d622ecf093
- Size
  
  6MB
- MD5
  
  4ec312d77817d8fb90403ff87b88d5e3
- SHA1
  
  d9f81255166d88ad38da03ead3f1b151d85da55a
- SHA256
  
  f2ec0aaf1cd2359465bd42b1951d1c59267137ddba96c85f28c981d622ecf093
- SHA512
  
  e3edf26a5b1997b063a245b84d9677140fafa5f8a5c85ace4c7b769512200f9091e3c31fe14b2ead76ddcaa3bd095dcd02aecdf47592c31e74fde4b152f6924b
- SSDEEP
  
  196608:x9Dxi4+sS8B8FSkbc7O/3RNAcTZ1W/fFr/lmqDduTbhXdn5+:x9DosS8B0SkQM34uZ1W/JzDdA/E
Score

10^/10

fabookie nullmixer onlylogger redline smokeloader socelars media272257 aspackv2 backdoor discovery dropper infostealer loader persistence spyware stealer trojan upx
- Detect Fabookie payload
- Detects Smokeloader packer
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- OnlyLogger payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Web Service

T1102

Modify Registry

T1112

Install Root Certificate

T1130

Discovery

Query Registry

T1012

Process Discovery

T1057

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Detect Fabookie payload

Detects Smokeloader packer

Fabookie

NullMixer

OnlyLogger

RedLine

RedLine payload

SmokeLoader

Socelars

Socelars payload

NirSoft WebBrowserPassView

Nirsoft

OnlyLogger payload

ASPack v2.12-2.42

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2