General
-
Target
i864x__setup__622bbc23f088c.exe
-
Size
6.4MB
-
Sample
231210-gntpeacdbj
-
MD5
42c477e367dca72c9794c8c1564dcfd8
-
SHA1
224b760e32e56b7047f35c76ba9959b9f406c804
-
SHA256
feba9bf42249bc45378ea0c07e476dc7bbf2ec9665db5981757d37b75ebab3ca
-
SHA512
f77555ef2492ac1ad9dc0b0dae7c74364f8e42daadcbb564435b105dacc316e9817ee1a30987adf55870833fe1e219776411cc8d5f4aa5a6c9dc046aa861bb4e
-
SSDEEP
98304:Jwx9fEv5FCXtNsTY7LE8evqRCUPedFR6fbt8hXMDKRbHRjai4vOaAKqtXV0dQysj:JmgTCXtm+q8be+WRbRazeFBbg2GKQ0
Malware Config
Extracted
nullmixer
http://622bbbd57a53e.com/
Extracted
socelars
https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
Extracted
smokeloader
pub5
Extracted
smokeloader
pub3
Extracted
gcleaner
appwebstat.biz
ads-memory.biz
Extracted
redline
media1120112
92.255.57.154:11841
-
auth_value
2948163485fe8e04db7acc17e8a19406
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Targets
-
-
Target
i864x__setup__622bbc23f088c.exe
-
Size
6.4MB
-
MD5
42c477e367dca72c9794c8c1564dcfd8
-
SHA1
224b760e32e56b7047f35c76ba9959b9f406c804
-
SHA256
feba9bf42249bc45378ea0c07e476dc7bbf2ec9665db5981757d37b75ebab3ca
-
SHA512
f77555ef2492ac1ad9dc0b0dae7c74364f8e42daadcbb564435b105dacc316e9817ee1a30987adf55870833fe1e219776411cc8d5f4aa5a6c9dc046aa861bb4e
-
SSDEEP
98304:Jwx9fEv5FCXtNsTY7LE8evqRCUPedFR6fbt8hXMDKRbHRjai4vOaAKqtXV0dQysj:JmgTCXtm+q8be+WRbRazeFBbg2GKQ0
Score10/10-
Detect Fabookie payload
-
Fabookie
Fabookie is facebook account info stealer.
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars payload
-
OnlyLogger payload
-
Blocklisted process makes network request
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-