General

  • Target

    c6516c7a85b6edc568ca129e647ea741f0a2d7bd0eadfeb7b4b4a6f0b2bfc792

  • Size

    9.5MB

  • Sample

    241104-vh5rdawmel

  • MD5

    0ecbf71727bb0b243b89f8f03d1c261a

  • SHA1

    c847880583691ca76c6ceb4cb64bc7cde2ee0074

  • SHA256

    c6516c7a85b6edc568ca129e647ea741f0a2d7bd0eadfeb7b4b4a6f0b2bfc792

  • SHA512

    4fd91bd060377ac80b5ee55990e90e9a618bba0ebf7c0302bdc7afa8fcbdb2707c24c61a392cfdeda97f25c2eb8055208904c9512fa18b6bac017ef648880356

  • SSDEEP

    196608:7FrQ88jcRKnL/86lLoz4AsiMzhU35kahzO7Kd4+zIBR6g9Bhl8CdbrTQpsE4:e8BGb8OLfpiMzWRFO7VuIGgHXFrT6sn

Malware Config

  • Extracted

    Family

      nullmixer

    C2

      http://6246f7513680d.com/

  • Extracted

    Family

      socelars

    C2

      https://sa-us-bucket.s3.us-east-2.amazonaws.com/vsdh41/

  • Extracted

    Family

      smokeloader

    Botnet

      pub3

  • Extracted

    Family

      redline

    Botnet

      same

    C2

      116.202.106.111:9582

    Attributes

      auth_value

        6fcb28e68ce71e9cfc2aae3ba5e92f33

  • Extracted

    Family

      gcleaner

    C2

      appwebstat.biz

      ads-memory.biz

Targets

    • Target

      96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35

    • Size

      9.6MB

    • MD5

      8c065d2f1062d9b3de4e0e3b2035e0bb

    • SHA1

      35861ffd472716aebb5a866a006e494c47dc8de2

    • SHA256

      96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35

    • SHA512

      972569ed9801ae22344bd37559bdaf4f45705ed5b2809fa7dade257f17b67c2bb8a5340dccd7eb826f99936ecbf78006da5c2b804ef54ead7bc12d00a1078d67

    • SSDEEP

      196608:JMmq1ZlHqLNFIiGjETLZf+jYkz5BXUtXFl2XeYSsX:J9+ZxmN3L5AY8qXFlidh

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • OnlyLogger payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      setup_installer.exe

    • Size

      9.5MB

    • MD5

      e5debd90b07e67f9b1ae38e4412c86c4

    • SHA1

      4b7e7161161709a25e5e655ee60f6eae3fa39c32

    • SHA256

      c5c7eade46a64e20a9eae3757ec58a0c62f3d7e33971bacd7064a97588af39d8

    • SHA512

      fb3bf8a363bac644f5ded4bd30ab779aa54d3e118b73893466ca93b738ad42f93ce0f3aafb7d1a1e0863f4a1506ac5faf588c344f4e812611e9c734157fe3113

    • SSDEEP

      196608:xvlB860t1YFNDe2EuiwRBCpzp02nvIpO2XLrY1omCZHf8uXW8dDxQj:xvlBb0twDiuiLpnnMfHYebHUIHDO

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

MITRE ATT&CK Enterprise v15

Tasks