Resubmissions

07-11-2023 02:17

231107-cqv8sshh7z 10

07-11-2023 02:13

231107-cnqwasbe42 10

07-11-2023 02:00

231107-cfgbwshg4s 10

07-11-2023 01:50

231107-b9b4lahf6t 10

07-11-2023 01:35

231107-bz5yxsbb62 10

General

  • Target

    Divided Threats.zip

  • Size

    198.9MB

  • Sample

    231107-cqv8sshh7z

  • MD5

    f6fed4cd5f732c98e95cb2d633b6b88f

  • SHA1

    bd61e60312f1e0ec86b24196f44e8f9275de6cf1

  • SHA256

    42f6ed3f3f25e52787a9e43dec53306eb63e581d87882f3fbc4756685714e39a

  • SHA512

    0bf8b62091061100fb81e8a328e738bce4e3ba733a2a47f808b4b3e44f519441883c72752f654c217b7c354c99894515ed8db92c647587a415d1dfc4d96d68f8

  • SSDEEP

    3145728:BHVJkRpdd5SZKO1E2AH57+eBlBtqVJncR6nl4DpAlAR8bpwBZkzxQxqi:9AddkHedtqbAYob0I+1C

Malware Config

Extracted

Family

raccoon

Botnet

5ba094fed1175cc7d1abb03fa165c23c

C2

http://79.137.207.53/

Attributes
  • user_agent

    901785252112

xor.plain

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://45.133.1.182/proxies.txt

45.133.1.60

Attributes
  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

stealc

C2

http://robertjohnson.top

http://91.215.85.189

Attributes
  • url_path

    /e9c345fc99a4e67e.php

rc4.plain
rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

gcleaner

C2

ppp-gl.biz

45.9.20.13

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Targets

    • Target

      Divided Threats.zip

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • OnlyLogger payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (T1012): 5
  • System Information Discovery (T1082): 5
  • Peripheral Device Discovery (T1120): 1

Command and Control

  • Web Service (T1102): 1

Tasks