Overview

overview

10

Static

static

3

718b508950...dc.exe

windows7-x64

10

718b508950...dc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    718b5089505fed92d1a44dc0dbeb36dc

  • Size

    2.8MB

  • Sample

    240124-fy2x4abga5

  • MD5

    718b5089505fed92d1a44dc0dbeb36dc

  • SHA1

    f4afe14c1b392514350f4495c44f998d3f19128f

  • SHA256

    df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056

  • SHA512

    4c9d292125343b5b7edfe0051454fff957c040fd822e9b9d32f6a94d654dae778ca6fcb1e269adcb83363b3ade2893ae2ae63558f2906185ed67298c841bc807

  • SSDEEP

    49152:xcBszOxu3gCpbwOXh+1b4yFjErlsV6SP5iWyZ9KFFdZyZmj9MJ0yEwJ84vLRaBtf:xSizpbwOxKb4y8sVwWyZ0aZw9zCvLUBN

Score
10/10
nullmixerprivateloaderriseprosmokeloadervidar706pub5aspackv2backdoordropperevasionloaderstealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.7

Botnet

706

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Targets

    • Target

      718b5089505fed92d1a44dc0dbeb36dc

    • Size

      2.8MB

    • MD5

      718b5089505fed92d1a44dc0dbeb36dc

    • SHA1

      f4afe14c1b392514350f4495c44f998d3f19128f

    • SHA256

      df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056

    • SHA512

      4c9d292125343b5b7edfe0051454fff957c040fd822e9b9d32f6a94d654dae778ca6fcb1e269adcb83363b3ade2893ae2ae63558f2906185ed67298c841bc807

    • SSDEEP

      49152:xcBszOxu3gCpbwOXh+1b4yFjErlsV6SP5iWyZ9KFFdZyZmj9MJ0yEwJ84vLRaBtf:xSizpbwOxKb4y8sVwWyZ0aZw9zCvLUBN

    Score
    10/10
    nullmixerprivateloaderriseprosmokeloadervidar706pub5aspackv2backdoordropperevasionloaderstealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks