General
-
Target
166f2bc8f7949c714210d8b0aad0e30f
-
Size
2.5MB
-
Sample
231230-mxrt3aegh6
-
MD5
166f2bc8f7949c714210d8b0aad0e30f
-
SHA1
3a17e35120b1b6d9af676331288f7763b2a38252
-
SHA256
568b3a7273ccbb1436e42dd90f0541d7dc0da2a97944381ad0b31d7d437c4908
-
SHA512
144f45e98c9fede9067aabcc2a3af50603ce4cb519a06bfb94f6b93d47a6c5c70231278af240c9e7532b7b04c7c1670747b650f8e4e1f056401058784c7d8da6
-
SSDEEP
49152:xcBFuWMmtRozSLa2D5nPv2UdgCn8mhTRxtVxOmD2hiiAjIoUpD9ywFbG0J1k8ji:xu6KzlV6ozTFODDFoQRywFbG0J1kOi
Static task
static1
Malware Config
Extracted
nullmixer
http://sornx.xyz/
Extracted
privateloader
http://37.0.10.214/proxies.txt
http://37.0.10.244/server.txt
http://wfsdragon.ru/api/setStats.php
37.0.10.237
Extracted
vidar
40.1
706
https://eduarroma.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
gozi
Targets
-
-
Target
166f2bc8f7949c714210d8b0aad0e30f
-
Size
2.5MB
-
MD5
166f2bc8f7949c714210d8b0aad0e30f
-
SHA1
3a17e35120b1b6d9af676331288f7763b2a38252
-
SHA256
568b3a7273ccbb1436e42dd90f0541d7dc0da2a97944381ad0b31d7d437c4908
-
SHA512
144f45e98c9fede9067aabcc2a3af50603ce4cb519a06bfb94f6b93d47a6c5c70231278af240c9e7532b7b04c7c1670747b650f8e4e1f056401058784c7d8da6
-
SSDEEP
49152:xcBFuWMmtRozSLa2D5nPv2UdgCn8mhTRxtVxOmD2hiiAjIoUpD9ywFbG0J1k8ji:xu6KzlV6ozTFODDFoQRywFbG0J1kOi
-
Modifies firewall policy service
-
Modifies security service
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Vidar Stealer
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points
-
Sets file execution options in registry
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Drops desktop.ini file(s)
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Modify Registry
9Subvert Trust Controls
1Install Root Certificate
1