General

  • Target

    0CC82EBA0F92824807ACFEC362E96C2933CB894E9A220.exe

  • Size

    4MB

  • Sample

    221026-aawtaaecdq

  • MD5

    d336c845a72545aaa9757225350301ab

  • SHA1

    6836aa4bd01e4f303809573cd18ce4413ae1409c

  • SHA256

    0cc82eba0f92824807acfec362e96c2933cb894e9a220194a3eae627e4007f26

  • SHA512

    0a4dda6378fb0f527895454b99b51db07ad5b7dd768014db94fdb169053ad3f9bc1281ba6c716019902b1fbd8d912fad09f1443bbbd181ff55d824bee1f5f158

  • SSDEEP

    98304:JD2A81+n4kOkU7XN59PjXSEtnb03Q9VjZpRBozYBRqq2Y:JKv1+n4aUzFOEtwg9p1WY

Malware Config

Extracted

Family

nullmixer

C2

http://mooorni.xyz/

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

media18

C2

91.121.67.60:2151

Attributes
auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

fucker2

C2

135.181.129.119:4805

Attributes
auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes
url4cnc
http://telegatt.top/oh12manymarty
http://telegka.top/oh12manymarty
http://telegin.top/oh12manymarty
https://t.me/oh12manymarty
rc4.plain
rc4.plain

Targets

    • Target

      0CC82EBA0F92824807ACFEC362E96C2933CB894E9A220.exe

    • Size

      4MB

    • MD5

      d336c845a72545aaa9757225350301ab

    • SHA1

      6836aa4bd01e4f303809573cd18ce4413ae1409c

    • SHA256

      0cc82eba0f92824807acfec362e96c2933cb894e9a220194a3eae627e4007f26

    • SHA512

      0a4dda6378fb0f527895454b99b51db07ad5b7dd768014db94fdb169053ad3f9bc1281ba6c716019902b1fbd8d912fad09f1443bbbd181ff55d824bee1f5f158

    • SSDEEP

      98304:JD2A81+n4kOkU7XN59PjXSEtnb03Q9VjZpRBozYBRqq2Y:JKv1+n4aUzFOEtwg9p1WY

    • Detects Smokeloader packer

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • OnlyLogger payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation

                  Tasks