General

  • Target: Setup Virus.zip
  • Size: 11.6MB
  • Sample: 240518-vlk65sdh66
  • MD5: 8d8a2662e70140591f58f7120ad05423
  • SHA1: e15457e8cca388657a6b7e850e31764088e9b298
  • SHA256: 272501aa281816ae02b8b7ceb2ed9a8b98eb61a4f89a44d7d3f10d372ec25027
  • SHA512: b4d11526fb6c25511bbe622fd06abc148a6c9f23d210fb2746def38f92a4c77afe2c6f4b073c79e806883b9ae36d0f0e0147a15dad76abe2a1f573c32148afb3
  • SSDEEP: 196608:f96AvVCgQgRDCJNYvWc83PP/eOlalZlyzti053ct2D6FbBeqpE4:l6AvINGu/Zf3FlmZcztiEd63N

Malware Config

Extracted
  • Family: privateloader
  • C2:
    http://37.0.10.214/proxies.txt
    http://37.0.10.244/server.txt
    http://wfsdragon.ru/api/setStats.php
    37.0.10.237

Extracted
  • Family: nullmixer
  • C2: http://hsiens.xyz/

Extracted
  • Family: socelars
  • C2: http://www.yarchworkshop.com/

Extracted
  • Family: redline
  • Botnet: media13n
  • C2: 65.108.69.168:13293
  • Attributes
    • auth_value: 3cb0518973facc842139b0ea346245a8

Extracted
  • Family: redline
  • Botnet: v2user1
  • C2: 159.69.246.184:13127
  • Attributes
    • auth_value: 0cd1ad671efa88aa6b92a97334b72134

Targets

    • Target: a389e28415f923aeba3d6a0db83a098e.exe
    • Size: 4.2MB
    • MD5: 894f8165e6092fae4e34107475aee96d
    • SHA1: 2aca9e58fe5dcc7fcd5bb9fcacd65c5f572c014a
    • SHA256: 4e92d1047bd80cc6ae21344c207a09c4de026cb7d8249a9ce4a8be190b003cdb
    • SHA512: b5d9fa1cc79cd09a5d6cfff8f01144e261eb58169e8c97c56fff120dbe6154b53d578d78d1d6e958b873715e07737bc8018559a1dd5e33ec3322686888643734
    • SSDEEP: 98304:yNlkiDfEWZksmiYs64VOccf1notv27bth:yN6iDT6smiFFOxnYvWz

    • CryptBot
      A C++ stealer distributed widely in bundles with other software.
    • CryptBot payload
    • NullMixer
      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
    • PrivateLoader
      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • ASPack v2.12-2.42
      Detects executables packed with ASPack v2.12-2.42.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Drops file in System32 directory

    • Target: setup_installer.exe
    • Size: 4.1MB
    • MD5: 09c8df8640a8e73a7ce0584e8ed299c3
    • SHA1: bc5cdfcb5320bc112db2b863af110ceca1fdf85c
    • SHA256: bab08164f7128f3ac0418df028c40a65684a0fb4b060403d6981a8c7ab318134
    • SHA512: 88b9e4568d2baa80d9b83d2c078e9eeb7f55d2489193dae8c8aa6199f6ab0558c18f13ad27e3c612fe5b921ed241696229a52f2ab2fbef0e636cdc73d81a3361
    • SSDEEP: 98304:xIIDN+vE/OCGZHY5hTSxtz7vawD+P+ar0oSlOHmY8boVBvOk9:xIG+RJ6T2tzGUk+blOGY8boVlb9

    • CryptBot
      A C++ stealer distributed widely in bundles with other software.
    • CryptBot payload
    • NullMixer
      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
    • PrivateLoader
      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • ASPack v2.12-2.42
      Detects executables packed with ASPack v2.12-2.42.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Legitimate hosting services abused for malware hosting/C2

    • Target: ba9a29ad7fce149a79d17560cbdcbd8e.exe
    • Size: 7.5MB
    • MD5: a02815a96aefaea2375fbeae1daf7719
    • SHA1: dce0a61acb78eb19a64236216c753fe56b15319f
    • SHA256: 1c5cf831daab60f538f725dcf73f44ee1379a97dc228185f4ccbdefcac678a3d
    • SHA512: 26a2348efc2ac44b42ae4a0bb5e51497b815691344a92bcf69e4e77309eba484eb00c6336b8a36da0449ebd853c3ef9c47d521dc52c33e53f1626a4357194ed0
    • SSDEEP: 196608:Ji237DvW856Tr3SnDC6JPW3sZG1/ruOL2Z:JFrDD5krinDCc3GfK

    • Detect Fabookie payload
    • Fabookie
      Fabookie is a Facebook account info stealer.
    • NullMixer
      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Socelars
      Socelars is an infostealer targeting browser cookies and credit card credentials.
    • Socelars payload
    • NirSoft WebBrowserPassView
      Password recovery tool for various web browsers.
    • Nirsoft
    • Command and Scripting Interpreter: PowerShell
      Uses the powershell.exe command.
    • ASPack v2.12-2.42
      Detects executables packed with ASPack v2.12-2.42.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: setup_installer.exe
    • Size: 7.4MB
    • MD5: 518b3e947e8a892d8b9c49800bfc2877
    • SHA1: 73a8bb6a190613d55530a8fcab924975a192fb46
    • SHA256: 4eb8c045243cb7746a602550b8e99e57be42ae93b5d39cbe3b2c3939d481590b
    • SHA512: 9d75f45b4fe7ec6227fba508376dd52809198312b5afedb1abc85dd84b49ca9174f661703c7f6caea28d58fc20303ccf88d436f6a645288d69809d5594a2e4d9
    • SSDEEP: 196608:xDLUCg7/GX8TfhtpVsN8KzUJ1RHEwUIhL/JOdtS:xfdg7/GXKfhDVsN8Ko1S8hboE

    • Detect Fabookie payload
    • Fabookie
      Fabookie is a Facebook account info stealer.
    • NullMixer
      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Socelars
      Socelars is an infostealer targeting browser cookies and credit card credentials.
    • Socelars payload
    • NirSoft WebBrowserPassView
      Password recovery tool for various web browsers.
    • Nirsoft
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • ASPack v2.12-2.42
      Detects executables packed with ASPack v2.12-2.42.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, technique (ID) and number of matching signatures:

  • Execution
    Command and Scripting Interpreter (T1059): 4
    PowerShell (T1059.001): 4
  • Persistence
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Defense Evasion
    Modify Registry (T1112): 2
  • Credential Access
    Unsecured Credentials (T1552): 5
    Credentials In Files (T1552.001): 5
  • Discovery
    System Information Discovery (T1082): 7
    Query Registry (T1012): 4
    Remote System Discovery (T1018): 2
  • Collection
    Data from Local System (T1005): 5
  • Command and Control
    Web Service (T1102): 3

Tasks