Overview

Overview score: 10/10
Static score: 10/10

Per-sample scores (sample, analysis platform, score):

Sample                 Platform            Score
6c5db6dce1...3e.exe    windows7-x64        10
6c5db6dce1...3e.exe    windows10-2004-x64  10
DusBrowserInst.exe     windows7-x64        6
DusBrowserInst.exe     windows10-2004-x64  6
IDWCH2.exe             windows7-x64        7
IDWCH2.exe             windows10-2004-x64  7
Litever01.exe          windows7-x64        10
Litever01.exe          windows10-2004-x64  10
anyname.exe            windows7-x64        3
anyname.exe            windows10-2004-x64  7
app.exe                windows7-x64        10
app.exe                windows10-2004-x64  10
askinstall50.exe       windows7-x64        10
askinstall50.exe       windows10-2004-x64  10
farlab_setup.exe       windows7-x64        7
farlab_setup.exe       windows10-2004-x64  7
inst002.exe            windows7-x64        10
inst002.exe            windows10-2004-x64  10
jamesnew.exe           windows7-x64        3
jamesnew.exe           windows10-2004-x64  3
justdezine.exe         windows7-x64        10
justdezine.exe         windows10-2004-x64  10
md3_3kvm.exe           windows7-x64        10
md3_3kvm.exe           windows10-2004-x64  10
mixseven.exe           windows7-x64        10
mixseven.exe           windows10-2004-x64  10
redcloud.exe           windows7-x64        10
redcloud.exe           windows10-2004-x64  10
vguuu.exe              windows7-x64        6
vguuu.exe              windows10-2004-x64  6

General
Target: 8ebd8e10033bc4efaa0446f4e474ecea
Size: 14.6MB
Sample: 240204-kxcn2adgc2
MD5: 8ebd8e10033bc4efaa0446f4e474ecea
SHA1: bf084f4bcf1652dfd1d538980ea4a40f7ef2db39
SHA256: 7b1cf1979579775f48e8d20974753453f75963b3094d3b95519d9362e943dbbb
SHA512: 78a60cd29e384be3688814a603668e7d237bdd8a0f7ae1eceea9bc9609278a5bfe427b9b27d682630b70ca00b3c6914ad9122e4479b554097c0f58c5da9da1f1
SSDEEP: 393216:ferBv4Pu+dsUk1qoW4Id6UxHG7goXHS7FzvBk0L2SIu7:IBwPlddop49QYBZk0aM7
Behavioral tasks (task: sample, analysis resource)

behavioral1: 6c5db6dce13ded4e0e6c7e9a526b063e.exe (win7-20231129-en)
behavioral2: 6c5db6dce13ded4e0e6c7e9a526b063e.exe (win10v2004-20231215-en)
behavioral3: DusBrowserInst.exe (win7-20231215-en)
behavioral4: DusBrowserInst.exe (win10v2004-20231215-en)
behavioral5: IDWCH2.exe (win7-20231215-en)
behavioral6: IDWCH2.exe (win10v2004-20231222-en)
behavioral7: Litever01.exe (win7-20231215-en)
behavioral8: Litever01.exe (win10v2004-20231222-en)
behavioral9: anyname.exe (win7-20231215-en)
behavioral10: anyname.exe (win10v2004-20231215-en)
behavioral11: app.exe (win7-20231215-en)
behavioral12: app.exe (win10v2004-20231215-en)
behavioral13: askinstall50.exe (win7-20231129-en)
behavioral14: askinstall50.exe (win10v2004-20231215-en)
behavioral15: farlab_setup.exe (win7-20231129-en)
behavioral16: farlab_setup.exe (win10v2004-20231215-en)
behavioral17: inst002.exe (win7-20231215-en)
behavioral18: inst002.exe (win10v2004-20231215-en)
behavioral19: jamesnew.exe (win7-20231215-en)
behavioral20: jamesnew.exe (win10v2004-20231222-en)
behavioral21: justdezine.exe (win7-20231215-en)
behavioral22: justdezine.exe (win10v2004-20231222-en)
behavioral23: md3_3kvm.exe (win7-20231215-en)
behavioral24: md3_3kvm.exe (win10v2004-20231215-en)
behavioral25: mixseven.exe (win7-20231215-en)
behavioral26: mixseven.exe (win10v2004-20231215-en)
behavioral27: redcloud.exe (win7-20231215-en)
behavioral28: redcloud.exe (win10v2004-20231222-en)
behavioral29: vguuu.exe (win7-20231215-en)
behavioral30: vguuu.exe (win10v2004-20231215-en)
Malware Config

Extracted: socelars
- http://www.iyiqian.com/
- http://www.xxhufdc.top/
- http://www.uefhkice.xyz/
- http://www.fcektsy.top/

Extracted: redline
- 1.22
- 95.211.185.27:42097

Extracted: metasploit
- windows/single_exec

Extracted: smokeloader
- 2020
- http://varmisende.com/upload/
- http://fernandomayol.com/upload/
- http://nextlytm.com/upload/
- http://people4jan.com/upload/
- http://asfaltwerk.com/upload/

Extracted: ffdroider
- http://186.2.171.3

Extracted: gcleaner
- 194.145.227.161

Extracted: vidar
- 40.2
- 933
- https://kipriauka.tumblr.com/
- profile_id: 933
Targets

Target: 6c5db6dce13ded4e0e6c7e9a526b063e.exe
Size: 4.4MB
MD5: 15f91f6b410dde682ba9afacc7a4d011
SHA1: 41b04c412ae131c8fcbf314f75a8ae8985468f59
SHA256: 3f2fe1d2857ba3eba92108104c95c0d4908b5aaa5677ba53c251a16714923a6b
SHA512: a5f5bfaabfe4ecd5918fc60c588a3bd55fccfcf39cbdcb8eacace8da2fa85eee7cbb5e9487bc836bddf6cec77c2be7d3ec8916b2dbb34ab04925e093df06a37c
SSDEEP: 98304:gKfuYZFxltfUmFhK8e4g+ent8Ype+nTDlHn8obcTwMi:gKrz3VAt/pFTzcTw1
Signatures:
- Glupteba payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies Windows Firewall
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Modifies boot configuration data using bcdedit
- Drops file in System32 directory

Target: DusBrowserInst.exe
Size: 127KB
MD5: 95e6582024b57ff4885652f76a66764b
SHA1: 3a0ead166d8310503b0ed97e32f50c08ea0e2f25
SHA256: b29a251be022532e0e704ccde0bea5f7061f393781089a76713d8bc81e002887
SHA512: aa9d591e699a9975a0992e87c05bcad04c3bd931f8a9548d95425bea4c82a6752edb4260bbfc1c521f3b40ca266ee9b28ecaea3855cdb9fe8515b0a4a9c96feb
SSDEEP: 1536:d0FJfB2gM466KlnVwQ3X2nv3Sqyi673uhOgt5m+XuYnk4aPzYvdwMPoWmPK7n:QJkL46T6n5673uzuYnr+YvRRn
Score: 6/10
Signatures:
- Legitimate hosting services abused for malware hosting/C2

Target: IDWCH2.exe
Size: 739KB
MD5: 0d5cc91890c411599e994ab4d927350b
SHA1: b64c4752537fc05bd460918fe252ef64e72d2651
SHA256: b64cc3011b334fe3fdc47852da28f1d865a1f71dd819827a035b9b3adab1a163
SHA512: 56418a6586f0cc7f985e944811744fdce2ddaea5e238d02b21435768a3738ba7cccc738190b677f0eb66916a24cdcd4b63701df8a35c7a44802ba053ccdf059b
SSDEEP: 6144:d/QiQXC45m+ksmpk3U9j0IeP2soxvjFEOTb9WmZX/8shzdsY4CpHPhnq/FK:VQi34c6m6UR0IeP2p1hf39Wkv8xwJqdK
Score: 7/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL

Target: Litever01.exe
Size: 593KB
MD5: c85b133eae3ca2e8aa788b5b41dd12ca
SHA1: 46842b223e918590f851dc58feb0333756fc872e
SHA256: 0fca09eff75cd95e68f6ec7aed7c3f89ae7345a180f94fc5b470e2b24ebbc63a
SHA512: a485023b501126130a5c01a6c6348a5d2f28b9f5c89329d8eec6451cd494984eab6d66215fd3b3fb4db7545fc524cd371373859a7dfa3a67e2c0f4e84613bbf2
SSDEEP: 12288:rmuLlwwQ+nWbz7jf0qncK45KIPwLeRxgPqcpLsZgxdqjc:rmuZwwJWbz7jf0qnIKIP9RxQqcpog
Signatures:
- Vidar Stealer

Target: anyname.exe
Size: 99KB
MD5: 5d776f9eb3d9ca1e9cf31dda19fb28ba
SHA1: 03f2cc43b88ac135237063eb4a72d0f5d7a0ef89
SHA256: 113a6c00df14d47482626ed8b10003715a4a42c86b9686c626921716700d6e41
SHA512: c220ca758b27ebcfb8e9d0a1025af64fefba01db3742c4c99273cb0f73c7c873338653d23aeab2be041216f6b07e2a95a66017eb2b850391c1851dc3ed36d00c
SSDEEP: 1536:LJZJldympVraPfFIdeD4P2ZDNjHSSu9tK66hdwY3VtqRsWEcdWEs8nBshVuwtEBg:LNFc2kDzDZySmI6UwyzqRWZTNtEB6c/
Score: 7/10
Signatures:
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: app.exe
Size: 4.4MB
MD5: ac5d54f7823c2dcfc4ae1c84c1b35c5f
SHA1: e45ff6c476b2b4710e1ec0ed4f85b1925599db6d
SHA256: 911b4f2268a203dccaf0912403d08865f21b3299c9d7f6d166c7e90fe6a4be5f
SHA512: b5be2516e9971bf274e8314d5959dc65d22beb5d69ffcb36c92bf9ff3623b6ebf75d0963b5b73ab8a08512cbdebee78ff090967b21932dbe7d9d62480023fa84
SSDEEP: 98304:ZcsOAtco1SVicHAeEYyjBKKjG8u5KPEIsIlZaC:NntcoYVic419u5EsOt
Signatures:
- Glupteba payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard: Rootkits can use kernel patching to embed themselves in an operating system.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory

Target: askinstall50.exe
Size: 1.4MB
MD5: 237d4aa94739fdee04cd9c86684179d3
SHA1: 6219d6f61d0b78a60d7f0bdfd20837c0586b0d89
SHA256: a08013695327ad7cb9daa90a7687cb03e6142587903b8198e2edac94fd1672de
SHA512: c0449b6ab12af1bba5fa58f3bfd0d7e67372c847c6aca98508071b8f0e53c24eb12b7a29b7dd93cf119efac23c00ac3577f19518aa88d3dd5ab40a1e9c6da1d2
SSDEEP: 24576:/IVFA1pqtg/TnMbX0lwyh0FVmEByA1EwFYyOsFTceoCSPZVjQxYfYnDP2mLSqY:OFA1pvTMbOwa0TmUyMYEh1oCSPnQxYAa
Signatures:
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.

Target: farlab_setup.exe
Size: 1.7MB
MD5: a7703240793e447ec11f535e808d2096
SHA1: 913af985f540dab68be0cdf999f6d7cb52d5be96
SHA256: 6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f
SHA512: 57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e
SSDEEP: 49152:C9CKxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmyGpf8:MCm5eMOooqhomhjrcLS8
Score: 7/10
Signatures:
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: inst002.exe
Size: 213KB
MD5: 765e53b7873cf667a9ba7e3b4e0f4edf
SHA1: 1ef4929386dcbdbc0c3b46e391b6ca77bbdec7be
SHA256: d3d0b963d898bf3c5413ea1b3a25a11930a033a9533d113afdca78b00256f245
SHA512: 5c98f8e2892f681073d7bb8b67f42d6369c5052fbaffc189c59317de39ce76294bdddde9fe09ffd10a81963db821d2be7c06924bbe9ad3b5936d64248342f564
SSDEEP: 3072:7DOjBLxoC9PZUFfYS3azG0CG0jOMrqwsQwEFHO4LjH9YOAVF7NHJuMoVi:7aj1Sf7oQzjOM3SkLjH9YOCSM/
Score: 10/10
Signatures:
- Detects LgoogLoader payload
- LgoogLoader: A downloader capable of dropping and executing other malware families.

Target: jamesnew.exe
Size: 846KB
MD5: ea180cb17e71d8e32481aa37cb796cc1
SHA1: 351b1c6cdbdcd21215e6cb9fc7b76887ddfe7a2a
SHA256: 8a75fd219504039ceb7841811d75416ca52eb26a9667bbdf621055dad62e8b1a
SHA512: 7bfe33816e5d6373cdbae1b8fffb620e76defabd1302b8c98650980ac0292b3135cee52d7316b8fe895812e56b2a7cfa2aa983d7e746f4673c37f1b585636cbc
SSDEEP: 24576:1AHnh+eWsN3skA4RV1Hom2KXMmHaR1K5:kh+ZkldoPK8YaRi
Score: 3/10
Signatures: none

Target: justdezine.exe
Size: 266KB
MD5: af42f93ce8f525564d27ac04797a2803
SHA1: f3b2f54a2881dbfb06d2a8c830953d775f2205d0
SHA256: c8133af9c1ab5f1087ec298e5b06fab0002903b0dac672ed72530c61a45ccf99
SHA512: ac2a12884f0dda0bd93e45f6e02a7eed8bd44befd39c9b9456a97b7faa201af9a67817f45529e250bd609df0dbb65ddf797b7aec784cc9d48bd3f8614d2950f8
SSDEEP: 6144:9X8FtebHKT22Jm+xOYFpqsbDewhSCEuRPq:W/ebH32JFFP3uCTRy
Score: 10/10
Signatures:
- Deletes itself
- Executes dropped EXE

Target: md3_3kvm.exe
Size: 924KB
MD5: 53b01ccd65893036e6e73376605da1e2
SHA1: 12c7162ea3ce90ec064ce61251897c8bec3fd115
SHA256: de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7
SHA512: e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067
SSDEEP: 24576:pP7A681d48vGlldFtqFbDNaYaPCQFXVDXE4IfmDWQ:pzF8I8vGbdFtabDNUPCQFXVDXvdDWQ
Signatures:
- FFDroider payload

Target: mixseven.exe
Size: 313KB
MD5: e2b46439ae09a3b7a4250d848c7b7265
SHA1: b1dd7e352c779651fcce756e0a4a6d78ac08c87a
SHA256: e0c8cc8c66b2d57aa27efa5eb8be1331934645b12bfbe26c5fdab271f1c94bc4
SHA512: e5d419bd44b94b521ae8e63d90b3c3621288063dbfc908d50826e857abb61b512fd4a677f4d8e281b54c3cc105c8b8dc49459a4eaae42e4b4fc935fda0d1df31
SSDEEP: 6144:keKv6F664O2/Oex5YpKQsR0POMAwmNoTUHvRwWLJNVst+SOTx1:5w64J/OjpAR8pfTUPRwaqtI
Score: 10/10
Signatures:
- OnlyLogger payload

Target: redcloud.exe
Size: 173KB
MD5: 16bf4653dfc06b85e7d34cb5cfe62717
SHA1: 35ca16cdb661f6978815efc8c8a2ae0fbddcb733
SHA256: 6038860aefedc84fdafe7d693ea6fa63147be5e3a43dd96e20adf377811c5d30
SHA512: 0717f23056515b18f627496c309c22bfc76da5b61f2730a320fa8584ad0fb5ed47a8695ad255bc8635cdd379d2313cb141466e86ae0b639c33772fe2177fa35f
SSDEEP: 1536:8t9pmEJnCKOAD3dOlbi2JKnJbpNjbuqGd0AMuyq+d0+7dDjElG6qTaoigQwY8ls:CTnCK1DtCbi2AHhG0Ajyjd0iY428ls
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload

Target: vguuu.exe
Size: 1.3MB
MD5: 652050d5745a5303a8ff54662e77902c
SHA1: 740d12548b306b4ed1953ecdbf90fa7255b2fda7
SHA256: 4759a108a1a33d66992db0371dd760ef6edb0a6a773ccf4263e0efeb2c76a80e
SHA512: 6913129d8faad2c97cff339e9206eab990a7c31ec70d3c77169f51113fed52e612c696d40a3209e248bfe6eafa3f1b998ac654675810fed1f671308023e267e2
SSDEEP: 24576:HAFnWzNUe3a9nvOvk+/QBNFjmDWTe2c6Ek:yWzmeK9n2FQbFBTq4
Score: 6/10
Signatures:
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique, with the number of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Defense Evasion
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)