General
-
Target
aad837c26c32c147e23e49abac741d0b
-
Size
3.3MB
-
Sample
240228-dmex3saa24
-
MD5
aad837c26c32c147e23e49abac741d0b
-
SHA1
01bbb437ad2fe657624988076fc078084205b170
-
SHA256
e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9
-
SHA512
c404f88976277b1de6e61df76e7445a2794aceb2c3e612ef5fce8432dff74d85476ace10c0fcf1a378d8cf8a651d3bdaa3751f9fdd63f6a1fe6890fae4697d26
-
SSDEEP
98304:yT2BTGbKnq/c2JBNGgDW7UPc1gOv9ApdY9yXRisu:yaBpnE5GMW7UPqvip29D
Malware Config
Extracted
nullmixer
http://watira.xyz/
Extracted
ffdroider
http://186.2.171.3
Extracted
vidar
40
706
https://lenak513.tumblr.com/
-
profile_id
706
Extracted
smokeloader
pub5
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Targets
-
-
Target
aad837c26c32c147e23e49abac741d0b
-
Size
3.3MB
-
MD5
aad837c26c32c147e23e49abac741d0b
-
SHA1
01bbb437ad2fe657624988076fc078084205b170
-
SHA256
e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9
-
SHA512
c404f88976277b1de6e61df76e7445a2794aceb2c3e612ef5fce8432dff74d85476ace10c0fcf1a378d8cf8a651d3bdaa3751f9fdd63f6a1fe6890fae4697d26
-
SSDEEP
98304:yT2BTGbKnq/c2JBNGgDW7UPc1gOv9ApdY9yXRisu:yaBpnE5GMW7UPqvip29D
Score10/10-
FFDroider
Stealer targeting social media platform users first seen in April 2022.
-
FFDroider payload
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
setup_installer.exe
-
Size
3.3MB
-
MD5
57c53637861a01384db30fad33bc9459
-
SHA1
52ac6fef11da2c17aca7677ceb46459b72ef74a8
-
SHA256
787c2734ffd8d3faa404896595d75ef6806edfbfd1f059e4a242dcba086f67a4
-
SHA512
be649443e3c4eaf133aefbef2bc710398496e1a6abfa2d8a52655136a992578f1a330fdbd117cbd73e9d4ef0a77216a35bbff8a6254907063ecf1543fdd0fb2f
-
SSDEEP
98304:xACvLUBsgwwNrduGKFcTJ/sdQNiaJAH39hU:x9LUCgpDKFcNkdpMAHNhU
Score10/10-
FFDroider
Stealer targeting social media platform users first seen in April 2022.
-
FFDroider payload
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-