Resubmissions

11-07-2024 05:43

240711-gej4lstgrf 10

06-09-2021 14:13

210906-rjpvrsedbm 10

08-07-2021 11:08

210708-4gztl3mwl6 10

08-07-2021 08:02

210708-klfb4qeda6 10

07-07-2021 09:39

210707-nem57xyvf2 10

06-07-2021 17:51

210706-7pcrmjy3fa 10

06-07-2021 13:45

210706-eybelwcq86 10

General

  • Target

    60d529d298fda60d_setupInstall.rar

  • Size

    75.6MB

  • Sample

    240711-gej4lstgrf

  • MD5

    a550717538ccd830a11b2b1f4f6eaa34

  • SHA1

    702ddf3dfa759b0a0021cf6f0280af53a7093765

  • SHA256

    b244fb7a7b39c836a9629262eaa80865cfbaf37aaea1b1d4b880d8a864f865a4

  • SHA512

    a8cddb3f2121c664e76963d053b41ff70f1866adc0fbb3e2e240ddfeb68a67f2ca3929e514a804b856aa9526a22915ce71e20795b996712016925b43e6df7804

  • SSDEEP

    1572864:iC4f0C4fkC4f3C4f3C4fiC4fmC4f+C4fUC4f3C4ftC4fxC4fXC4fUC4fiC4fbC4m:ih0hkh3h3hihmh+hUh3hthxhXhUhihbM

Malware Config

Extracted

Family

nullmixer

C2

http://motiwa.xyz/

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Targets

    • Target

      setup_installer.exe

    • Size

      3.1MB

    • MD5

      22b4d432a671c3f71aa1e32065f81161

    • SHA1

      9a18ff96ad8bf0f3133057c8047c10d0d205735e

    • SHA256

      4c61aeec3fa5cbd6e8cd19272d28a1e07a8ac96e3fd8b2343791ed2521dd3028

    • SHA512

      c0af739ec9a93978c8c25ad05a2c0826a8320a9ac007bbd36f6846053bc8d434e23a6edf19d1666767fd7ad404532983604fd7774cf18940f7541616700be523

    • SSDEEP

      98304:x4mtX5BNf3HFKR6VNHuZA5r5OCvLUBsKeSAWqPO:x4mtJBVlKwVNHuZA5tLUCKiU

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Nirsoft

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      setup_x86_x64_install.exe

    • Size

      3.2MB

    • MD5

      3ae1c212119919e5fce71247286f8e0e

    • SHA1

      97c1890ab73c539056f95eafede319df774e9d38

    • SHA256

      30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

    • SHA512

      5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

    • SSDEEP

      98304:JzW3xr+nE8OUSnhyL/34PVR3dSqJcppIrTF9UqGbmZ1:J6x6YUSnqoLt/cLS59UJmv

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Nirsoft

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks