Overview

overview

10

Static

static

3

42909ef96f...e6.exe

windows7-x64

10

42909ef96f...e6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    42909ef96fc66ee4ad2b1182f06ecbe6

  • Size

    3.8MB

  • Sample

    240105-c72f5shec3

  • MD5

    42909ef96fc66ee4ad2b1182f06ecbe6

  • SHA1

    9ccde9b068c6dca4172df09853e8b9aa9dcded94

  • SHA256

    4cafb22334d394a75bf299e8b582791b939af7d462c79b4423948a34f364481b

  • SHA512

    e54ef137f1a12fa1c77090ade5e6fd5c404f84a5c3d0b9227fe95eb72d30e6d03fd0431c265569f7b08dc5f416973081264aa3d634399f30ad273da8f4559f9a

  • SSDEEP

    98304:Ub9fEIQBU9HIJ0tyFximjgX7dJw1mLPKZ4ygx2EjufaWte:UpfEIvdIJ0WxHjm5JwSiZ3rEAaH

Score
10/10
ffdroiderredlinesectopratsmokeloadersocelarspub2backdoorevasioninfostealerratstealertrojanvmprotect

Malware Config

Extracted

Family

ffdroider

C2

http://128.1.32.84

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

C2

92.119.112.202:13340

Targets

    • Target

      42909ef96fc66ee4ad2b1182f06ecbe6

    • Size

      3.8MB

    • MD5

      42909ef96fc66ee4ad2b1182f06ecbe6

    • SHA1

      9ccde9b068c6dca4172df09853e8b9aa9dcded94

    • SHA256

      4cafb22334d394a75bf299e8b582791b939af7d462c79b4423948a34f364481b

    • SHA512

      e54ef137f1a12fa1c77090ade5e6fd5c404f84a5c3d0b9227fe95eb72d30e6d03fd0431c265569f7b08dc5f416973081264aa3d634399f30ad273da8f4559f9a

    • SSDEEP

      98304:Ub9fEIQBU9HIJ0tyFximjgX7dJw1mLPKZ4ygx2EjufaWte:UpfEIvdIJ0WxHjm5JwSiZ3rEAaH

    Score
    10/10
    ffdroiderredlinesectopratsmokeloadersocelarspub2backdoorevasioninfostealerratstealertrojanvmprotect

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • FFDroider payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks