General
-
Target
b938dc291cb3fb3c927a5e683e191633.bin
-
Size
4.2MB
-
Sample
230116-18fg3aac8z
-
MD5
728a0af10ce0b0b2b3ca9219c2f5e82d
-
SHA1
d6bef079eb7dc53353fdcc95f013b1dabab6a445
-
SHA256
35794aedc3c64761d4e13da7f7513001bb12388542ee100c3eb9fe3dba84a484
-
SHA512
e0df0723eacbc9ba5aa14f8be3e89945f1519ea37570054e775d2aacd0d446a1ff86dea49182ebf149712d6ea7fc7d45ed0708bfb1e1c1821d1bc7497f939628
-
SSDEEP
98304:VbWcoAjSA5qkvj6x9xg/ZLN2KXmZSkOlyVgCJUX:VbWc5q1Ng/ZLNV2ZSkuRC4
Malware Config
Extracted
nullmixer
http://hsiens.xyz/
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
Extracted
gcleaner
gcl-page.biz
194.145.227.161
Extracted
redline
jamesoldd
65.108.20.195:6774
Extracted
redline
ANI
45.142.215.47:27643
Extracted
privateloader
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
-
payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Extracted
redline
Andriii_ff
185.244.181.112:33056
-
auth_value
0318e100e6da39f286482d897715196b
Extracted
redline
@new@2023
77.73.133.62:22344
-
auth_value
8284279aedaed026a9b7cb9c1c0be4e4
Extracted
redline
puls
62.204.41.211:4065
-
auth_value
7cc67b888152f8a80db488ff6fde5a74
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.210.137.6:47909
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Extracted
redline
1
librchichelpai.shop:81
rniwondunuifac.shop:81
-
auth_value
b6c86adb7106e9ee7247628f59e06830
Extracted
redline
1111223333
82.115.223.9:15486
-
auth_value
64ab100c5a9f497dd18f093d7dc8818c
Extracted
raccoon
64b445f2d85b7aeb3d5c7b23112d6ac3
http://45.15.156.209/
Targets
-
-
Target
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e.exe
-
Size
4.2MB
-
MD5
b938dc291cb3fb3c927a5e683e191633
-
SHA1
44c9f5abfbf5176ae16d68fbe48c5e079efc7547
-
SHA256
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
-
SHA512
1f14f73cf0312884ec69addfdeb798e0b5544cc4769a8db1bdf31ae7bc618c097419f46b35b58832c5b7a6ecfe709c279daaa91c88a9fb2d4948213ef1290293
-
SSDEEP
98304:xmCvLUBsgYn1HcgtJodtEz1eDX0q0zMYtLw6alsaJN0+S6ICa/50:xPLUCgYnig7odtEpeDkdMIjalsaHJS6B
Score10/10-
Detect Fabookie payload
-
Detects Smokeloader packer
-
Fabookie
Fabookie is facebook account info stealer.
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Modifies Windows Defender Real-time Protection settings
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars payload
-
OnlyLogger payload
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-