General

  • Target

    Trojans.zip

  • Size

    9.1MB

  • Sample

    230713-3ztdnsce3w

  • MD5

    46e03b10392341881ac9e5421ac88d1c

  • SHA1

    b0d49814b98d7613dc1458546b6b0a23299eb342

  • SHA256

    72073e22e81da454b5ec4028c5ed91e31dd1874b1479d105582a08b1f3b1ee69

  • SHA512

    8ab08f030058e6565aff1b7ab55fe3bfc48de6742e8dd6050f872e230e88fd10b81f33e16486d66dcf9716d65f59464363c81fb1e5d5234cf52acce73df679be

  • SSDEEP

    196608:ecPw5g4R3ZDbW1JnqGqxInYKKIPnJX8eEq9cUJ8DV35gJp:ecPm9Nb8JnqGHYKVJJEq9DJyVeX

Malware Config

Extracted

Family

privateloader

C2

http://45.133.1.182/proxies.txt

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes
  • payload_url


Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

gcleaner

C2

194.145.227.161

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

C2

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

ffdroider

C2

http://186.2.171.3

Targets

    • Target

      Details.exe

    • Size

      224KB

    • MD5

      913fcca8aa37351d548fcb1ef3af9f10

    • SHA1

      8955832408079abc33723d48135f792c9930b598

    • SHA256

      2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

    • SHA512

      0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

    • SSDEEP

      3072:DN3DZu+fTKenK9dnujf3Ypy0m1EPDy31JevM0pxY75okNX:pzUX9dM3Qy0QFgvxDk

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • OnlyLogger payload

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      File.exe

    • Size

      426KB

    • MD5

      ece476206e52016ed4e0553d05b05160

    • SHA1

      baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

    • SHA256

      ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

    • SHA512

      2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

    • SSDEEP

      12288:nTD0nFWEutqchgPoxntMRWru3Yo6T9XP+b9:n/0igPoxntMQru3YLRWb9

    • Modifies Windows Defender Real-time Protection settings

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Files.exe

    • Size

      1.3MB

    • MD5

      37db6db82813ddc8eeb42c58553da2de

    • SHA1

      9425c1937873bb86beb57021ed5e315f516a2bed

    • SHA256

      65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

    • SHA512

      0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

    • SSDEEP

      24576:HAFnWzNUe3a9nvOvk+/QBNFjmDWTe2c6Ek:yWzmeK9n2FQbFBTq4

    • Score

      6/10

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Folder.exe

    • Size

      712KB

    • MD5

      b89068659ca07ab9b39f1c580a6f9d39

    • SHA1

      7e3e246fcf920d1ada06900889d099784fe06aa5

    • SHA256

      9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

    • SHA512

      940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

    • SSDEEP

      12288:CcXL9SLN+NH0khUZY+vcvw1rU8QYewwB9gL1xBajJZcaFZ:Cc72Q2ZYuYoel9gLHBa9Zcar

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      FoxSBrowser.exe

    • Size

      153KB

    • MD5

      849b899acdc4478c116340b86683a493

    • SHA1

      e43f78a9b9b884e4230d009fafceb46711125534

    • SHA256

      5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

    • SHA512

      bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

    • SSDEEP

      1536:azRfCxFfxpR+ICC9B6AAt4xVOG2WzYQttH2mzv+V+c:azRAxj+IW4xg/WzHCmzv+V+c

    • Score

      6/10

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Graphics.exe

    • Size

      4.5MB

    • MD5

      7c20b40b1abca9c0c50111529f4a06fa

    • SHA1

      5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

    • SHA256

      5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

    • SHA512

      f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

    • SSDEEP

      98304:8zqCY0K37zUdYo77HKAJuGl+9aEWHoEYDs8cO0LT7HrxNJ/n/P5wWi:8m39Lz6/3HKoS9aLoQOsTfZJm

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Target

      Install.exe

    • Size

      1.4MB

    • MD5

      deeb8730435a83cb41ca5679429cb235

    • SHA1

      c4eb99a6c3310e9b36c31b9572d57a210985b67d

    • SHA256

      002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

    • SHA512

      4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

    • SSDEEP

      24576:EIVFA1pqtg/TnMbX0lwyh0FVmEBy/1kwFYyOscM5cPtSixJeQHYf7v:lFA1pvTMbOwa0TmzSMYElePtSiWQHYDv

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      Updbdate.exe

    • Size

      359KB

    • MD5

      3d09b651baa310515bb5df3c04506961

    • SHA1

      e1e1cff9e8a5d4093dbdabb0b83c886601141575

    • SHA256

      2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

    • SHA512

      8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

    • SSDEEP

      6144:yfnsUf4f1/YBlP+QJ68GS9SYPPrOiwub+chZ3Bsjwvlg:yfnsUfq1/APGAsaOlub+0Blg

    • Score

      1/10

    • Target

      md9_1sjm.exe

    • Size

      2.1MB

    • MD5

      3b3d48102a0d45a941f98d8aabe2dc43

    • SHA1

      0dae4fd9d74f24452b2544e0f166bf7db2365240

    • SHA256

      f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

    • SHA512

      65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

    • SSDEEP

      49152:wjs8vwLUm1R8Bjiu3bzz23YrpujbsTSB6/6Pp372TMZY:wo8vW1R8Bh3bu3GaBg6ZRY

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Target

      pub2.exe

    • Size

      285KB

    • MD5

      f9d940ab072678a0226ea5e6bd98ebfa

    • SHA1

      853c784c330cbf88ab4f5f21d23fa259027c2079

    • SHA256

      0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

    • SHA512

      6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

    • SSDEEP

      3072:WldDqIdHGqbHQec51/b3RAM7RANA9S20kewWKuD/ZXt4huVesqC89XPolIcvbm5:AdGU7HQv1/bBAYdSjZ9ousI+Yh
