Overview

overview

10

Static

static

3

setup_x86_...ll.exe

windows7-x64

10

setup_x86_...ll.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7c748c167fb51cd7fed4a021099037a350ee56587c70663d6e1411cb6a4095e7

  • Size

    4.8MB

  • Sample

    241105-1zwspaypax

  • MD5

    aacd3214744ac20a9c068c9b4bee7260

  • SHA1

    991a2dc4c3865373c11c54b750145ec39c407341

  • SHA256

    7c748c167fb51cd7fed4a021099037a350ee56587c70663d6e1411cb6a4095e7

  • SHA512

    376a87b970a4f273047eb918c6bf888807abbdf1ee1df8507ce9b6de91e43d2c1402d8c97710625b49de6a7aa3a1bcb1f2d5bc0757792900b32756f041eb323f

  • SSDEEP

    98304:dHb4kGK7SO6stfQ5flViERjKVH7gBuJHrys/B4Cqgbv74HbjSNmbgCuTlUQPufdB:dHckGK1fQVl0EJKVH7ouFms/Bbn434gZ

Score
10/10
cryptbotnullmixerprivateloaderredlinesectopratvidarpub1aspackv2discoverydropperexecutioninfostealerloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

redline

Botnet

pub1

C2

viacetequn.site:80

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Targets

    • Target

      setup_x86_x64_install.exe

    • Size

      4.8MB

    • MD5

      5be1db1c6f5734deea0b54aa1cc63f21

    • SHA1

      73b9e29335b177ca9e4573a9f6f535e0c6a8ca6b

    • SHA256

      ee53b1e9dd5c6d88f6c45fe49fad6a700789406242f8a8a7d5dd1e7eb6d639d4

    • SHA512

      fa9b266bf67c65651717c9610fc1bdc429306cef5b646f755d88ae7d4055f65d17ddfb2c003b59cb06da6af52e72a9bf3d4616ed7700ed8b782215f944194e2a

    • SSDEEP

      98304:y85iH7WmWfXwrOCX9m8aSs6xr7vQefiguaJ0S1ScUA4TLUk:ykWOf5C5aSHr74eagD0kgR

    Score
    10/10
    cryptbotnullmixerprivateloaderredlinesectopratvidarpub1aspackv2discoverydropperexecutioninfostealerloaderpersistenceratspywarestealertrojan

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • CryptBot payload

    • Cryptbot family

      cryptbot

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Vidar Stealer

      stealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      4.7MB

    • MD5

      2b5da84c260d3dc1fda90ddd388c251b

    • SHA1

      cc62fe4eef6bdb92c2ca09cf2e0bb312d8f23cd2

    • SHA256

      9e50fb11db3f1587ca566759703d32a4bbf6c256cec8d4f985c8216bb92662d3

    • SHA512

      9276aeffdf3303424248161479c4c8a667dc70791ce7fac62d4aebc601f1e37193e387d03b67f8c551bf61dff954821332c883d9e8721481e3151e0788bf9232

    • SSDEEP

      98304:xkCvLUBsghEwhswXXzb44SyCX/27zkbq3pWvtpQX47lSZoKdl6OMd:x5LUCgSw7zb4T+30lg6l8lu

    Score
    10/10
    cryptbotnullmixerprivateloaderredlinesectopratvidarpub1aspackv2discoverydropperexecutioninfostealerloaderpersistenceratspywarestealertrojan

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • CryptBot payload

    • Cryptbot family

      cryptbot

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Vidar Stealer

      stealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks