General

  • Target

    99a5a29c95597fef93d118f82cc445b3.bin

  • Size

    3MB

  • Sample

    230123-sk2fmadh24

  • MD5

    227e7d2e263b479cfcb6b01482024321

  • SHA1

    96907cedafb5faa53ae0d8a74b060926f32dfcbe

  • SHA256

    eb3ef143c3bd7e1a853f20e97c5bed051ad1ee328114d135385116e2bf7340e3

  • SHA512

    4a317d5c981f4d06fc1005c4b10ae42f83d5b92e2658f6d50141515e60780f19e40b595fed832048f8789ae983d2b21e64f455a61c0f52986cacef2a85f2f00a

  • SSDEEP

    98304:SUIbGRV09/aE/03PjvSYX5n9JJ5NF7hJJ6cmtc:h30CPjvSY71Fkc

Malware Config

Extracted

Family

nullmixer

C2

http://sokiran.xyz/

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Targets

    • Target

      20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020.exe

    • Size

      3MB

    • MD5

      99a5a29c95597fef93d118f82cc445b3

    • SHA1

      5824b137ecf83e2bcf517dbdbbfa1574f706babe

    • SHA256

      20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020

    • SHA512

      65bd2f2f882916d3358d276dcb325215a7df0512bd77d7637d35800ff80f1f403d29b9ee31f2784c7a75ccf51045fb265f0540d67e755aa1c12c65084e8878c2

    • SSDEEP

      98304:JpZ8EIo0stDjwrDZfmOuqNmdv2fOtvKqee6kFoaD:JpPDttDM3Znuq6veCvmQ

    • Detect Fabookie payload

    • Detects Smokeloader packer

    • Fabookie

      Fabookie is facebook account info stealer.

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Privilege Escalation

                Tasks