General

  • Target

    907c04f16270389290fb6d00bd18ea67

  • Size

    3.3MB

  • Sample

    240204-3vlg9sfggn

  • MD5

    907c04f16270389290fb6d00bd18ea67

  • SHA1

    5ca9cd02f6c55101a75e18f64643ec1d39a3379f

  • SHA256

    b1a60a4b2d86c694a9fdd4274351c5bbce691d7a14e7d5cf1cdf45a9ae30816d

  • SHA512

    425a0829245aad894a44caae9d5ae61e50dcd83b01aadf5746c377864fe9ed331066a6503b5fe562e836b1ebfd0a40644319fb284e946a98a4a7f48cd5ab1e6c

  • SSDEEP

    98304:yeEbhGh49Kw335mXXkH4Ilq1HFp3LPPgjxPdIwn:y19Gh4b+kH41BPgjpdIwn

Malware Config

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

40

Botnet

706

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Targets

    • Target

      907c04f16270389290fb6d00bd18ea67

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      setup_installer.exe

    • Size

      3.3MB

    • MD5

      fa04e7c2943d243ae6869dfe1ad3e646

    • SHA1

      ef61eabbe9e617926c403a515ebc1ed758d49197

    • SHA256

      4c5cdcb4918de652d38d104fa9a6251ea9aa61176908fa67b0bf95067fbec7be

    • SHA512

      3410afc7e2c5ed2627b2349c025bc551e1cd03652c2594b6ea8e583f6a1b1068559e4c208e2e90c43909525d9a0170ca696058b40362e835dc5f79e15679438c

    • SSDEEP

      98304:xJCvLUBsgS1HuEky/c4/T3egUPD+NhO0VJR6J:xiLUCgOuEky//r3QP10VLK

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
