Analysis

  • max time kernel: 1s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30-12-2023 02:19

General

  • Target: 0b6b2968e8f090b22bc47abab70c4dd0.exe
  • Size: 5.7MB
  • MD5: 0b6b2968e8f090b22bc47abab70c4dd0
  • SHA1: 216f0ada991deb26c4607dd142ea5f0176484cc0
  • SHA256: cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
  • SHA512: 8598904d81f4ee2a31e9c3a9e2634b69b1a2cd61f92f679c2fa52ee302eef1524045adfd4fb3f5176218c5a53ace6263ac8a1c19952a9083b3339484e0468037
  • SSDEEP: 98304:yfa/a9mJY8p/79aJYpiPSnfCyg0+UA/bJMfcvPA5L2wvpvnSALNl5UL5nXSCC333:ymY+/BdsKnar0SWmIL2EqSNl5klZoZ

Malware Config

Extracted

  • Family: nullmixer
  • C2: http://marisana.xyz/

Extracted

  • Family: smokeloader
  • Botnet: pub6

Extracted

  • Family: vidar
  • Version: 40
  • Botnet: 706
  • C2: https://lenak513.tumblr.com/
  • Attributes
    • profile_id: 706

Signatures

  • Detect ZGRat V1 1 IoCs
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Vidar Stealer 3 IoCs
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b6b2968e8f090b22bc47abab70c4dd0.exe
    "C:\Users\Admin\AppData\Local\Temp\0b6b2968e8f090b22bc47abab70c4dd0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\setup_install.exe"
        3⤵
        PID:2196
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c 79d822fc709e78.exe
          4⤵
          PID:3812
          • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\79d822fc709e78.exe
            79d822fc709e78.exe
            5⤵
            PID:544
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 552
          4⤵
          • Program crash
          PID:3216
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c b001a8f56.exe
          4⤵
          PID:2324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c 2d7080268fee447.exe
          4⤵
          PID:4152
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c f9a302645.exe
          4⤵
          PID:3376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c 3d0c613fcb2403.exe
          4⤵
          PID:1304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c e9e6055abb695524.exe
          4⤵
          PID:4944
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c 20383e5a9a4c5112.exe
          4⤵
          PID:3784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c 27ce46284501.exe
          4⤵
          PID:2648
  • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\27ce46284501.exe
    27ce46284501.exe
    1⤵
    PID:2728
  • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\b001a8f56.exe
    b001a8f56.exe
    1⤵
    PID:3548
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2196 -ip 2196
    1⤵
    PID:3240
  • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\e9e6055abb695524.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\e9e6055abb695524.exe" -a
    1⤵
    PID:5004
  • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\2d7080268fee447.exe
    2d7080268fee447.exe
    1⤵
    PID:4536
  • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\f9a302645.exe
    f9a302645.exe
    1⤵
    PID:1180
  • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\3d0c613fcb2403.exe
    3d0c613fcb2403.exe
    1⤵
    PID:1976
  • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\e9e6055abb695524.exe
    e9e6055abb695524.exe
    1⤵
    PID:1184
  • C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\20383e5a9a4c5112.exe
    20383e5a9a4c5112.exe
    1⤵
    PID:3552
  • C:\Windows\system32\WerFaultSecure.exe
    "C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4940 -i 4940 -h 504 -j 508 -s 520 -d 4364
    1⤵
    PID:5040

Network

MITRE ATT&CK Enterprise v15


Downloads
