Overview

overview

10

Static

static

3

174723af9c...1e.exe

windows7-x64

10

174723af9c...1e.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    64b0e33dd3dca744e0ac48b70b17ccaae8e71619

  • Size

    6.9MB

  • Sample

    241104-1trlsa1jbk

  • MD5

    3fbac86ed0aa4fe2aab4e62748550746

  • SHA1

    64b0e33dd3dca744e0ac48b70b17ccaae8e71619

  • SHA256

    2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6

  • SHA512

    25437b69fefcfc4f988130abf6334ab52d871f3f608684cf59a6cc005cb4b642e68b8180ea20a569bcca8aa0aa3558c070be2643a3b279a90054de23fa4fb8af

  • SSDEEP

    196608:XwoExAku0xtgpFdLzOiM58cgv0iTFiWSk:XwoSAD0tUzOiQV/qFiWSk

Score
10/10
fabookiegcleanernullmixeronlyloggerredlinesmokeloadersocelarsmedia262231pub3aspackv2backdoordiscoverydropperexecutioninfostealerloaderpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

socelars

C2

http://www.anquyebt.com/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

redline

Botnet

media262231

C2

92.255.57.115:11841

Attributes
  • auth_value

    5e0e6c3491655e18f0126b2b32773d57

Extracted

Family

nullmixer

C2

http://hornygl.xyz/

Extracted

Family

gcleaner

C2

appwebstat.biz

ads-memory.biz

Targets

    • Target

      174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e

    • Size

      6.9MB

    • MD5

      2db59bc805ebb1b8b1a947b15684e899

    • SHA1

      97e2beaa6bcddf9b27a1175352a85fc769d88597

    • SHA256

      174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e

    • SHA512

      e3849f480698c82229f49914d0cfb3dd2d836e492f2eaea3f26170a12d08cc591aaf17efb0798d75456997ef846d5180653549268925afcdefdb4bbd17229e46

    • SSDEEP

      196608:JFyORANUm677HoE/IEyu9vAhzsN4MlPbuumo8YG:J4OS+m67c+IkhAhI/lPbuldb

    Score
    10/10
    fabookiegcleanernullmixeronlyloggerredlinesmokeloadersocelarsmedia262231pub3aspackv2backdoordiscoverydropperexecutioninfostealerloaderpersistencespywarestealertrojanupx

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Smokeloader family

      smokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • OnlyLogger payload

    • Blocklisted process makes network request

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      6.9MB

    • MD5

      d3e22d7fcc478eaf4b9e03a8a5038c12

    • SHA1

      bfa29d4c2535b479102cd37c4a7f4245961daeb3

    • SHA256

      6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656

    • SHA512

      83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956

    • SSDEEP

      196608:xkYTPwdk38Jcv2PH7iFO4SzNWRDLR2/oyRZ156yoJ2YWc:xkYTodk30cvIHV4ShYL8oIZ18TP

    Score
    10/10
    fabookiegcleanernullmixeronlyloggerredlinesmokeloadersocelarsmedia262231pub3aspackv2backdoordiscoverydropperexecutioninfostealerloaderpersistencespywarestealertrojanupx

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Smokeloader family

      smokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • OnlyLogger payload

    • Blocklisted process makes network request

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks