Resubmissions

14-07-2024 08:22

240714-j929savhlh 10

14-07-2024 07:28

240714-ja5kvstfnd 10

General

  • Target

    44de9a092646de93067a5ae63cdb87de_JaffaCakes118

  • Size

    4.9MB

  • Sample

    240714-j929savhlh

  • MD5

    44de9a092646de93067a5ae63cdb87de

  • SHA1

    5db8c09d48e6e7602184634c1585d48f651d1197

  • SHA256

    ced645d2249adc41f7340e1f9f76f576e336dc9c7c8affdb5b1e005faf528bd7

  • SHA512

    2efd29a015b7d0986a879e47f2d93ef89f023f2f792404d253b241ceb2f8b7944f14e825f5eb1529ed7096506fb10fcde22d2e992553a8fe069dfa764a8a285a

  • SSDEEP

    98304:FzzOsPu6locsuuFpSClTfqWrtCazwzs+CVGIOlmS23nlODn373muvk:pOSnlRvuOAmUwoQil4LWu8

Malware Config

Extracted

Family

vidar

Version

41.1

Botnet

933

C2

https://mas.to/@bardak1ho

Attributes
  • profile_id

    933

Extracted

Family

gcleaner

C2

gcl-page.biz

194.145.227.161

Targets

    • Target

      44de9a092646de93067a5ae63cdb87de_JaffaCakes118

    • Size

      4.9MB

    • MD5

      44de9a092646de93067a5ae63cdb87de

    • SHA1

      5db8c09d48e6e7602184634c1585d48f651d1197

    • SHA256

      ced645d2249adc41f7340e1f9f76f576e336dc9c7c8affdb5b1e005faf528bd7

    • SHA512

      2efd29a015b7d0986a879e47f2d93ef89f023f2f792404d253b241ceb2f8b7944f14e825f5eb1529ed7096506fb10fcde22d2e992553a8fe069dfa764a8a285a

    • SSDEEP

      98304:FzzOsPu6locsuuFpSClTfqWrtCazwzs+CVGIOlmS23nlODn373muvk:pOSnlRvuOAmUwoQil4LWu8

    • Detect Fabookie payload

    • Detects LgoogLoader payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • LgoogLoader

      A downloader capable of dropping and executing other malware families.

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • OnlyLogger payload

    • Vidar Stealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks