General

  • Target

    6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d.exe

  • Size

    3.8MB

  • Sample

    240107-w3mxqscfa3

  • MD5

    47000b94531ad6b652797c1f2e525752

  • SHA1

    58de952fe5d182294e5e6d5141567b9ce61a331e

  • SHA256

    6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d

  • SHA512

    eb9795ad340d101c5d1412ed1206ff97ecb75ea79da3a3030e175d6d2926ab47e67944bd5e660b3e0c4f017f9b28f8ec7f7004a35a5c5446edf55dca7ec51dd4

  • SSDEEP

    98304:yktaLYOV0bHarm4/UIL8HCKqq/4bB5jIlEK:yOakOObqtRz0lEK

Malware Config

Extracted

Family

nullmixer

C2

http://sornx.xyz/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

vidar

Version

40.1

Botnet

706

C2

https://eduarroma.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

gozi

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32
rc4.i32

Targets

    • Target

      6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d.exe

    • Size

      3.8MB

    • MD5

      47000b94531ad6b652797c1f2e525752

    • SHA1

      58de952fe5d182294e5e6d5141567b9ce61a331e

    • SHA256

      6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d

    • SHA512

      eb9795ad340d101c5d1412ed1206ff97ecb75ea79da3a3030e175d6d2926ab47e67944bd5e660b3e0c4f017f9b28f8ec7f7004a35a5c5446edf55dca7ec51dd4

    • SSDEEP

      98304:yktaLYOV0bHarm4/UIL8HCKqq/4bB5jIlEK:yOakOObqtRz0lEK

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks