General
-
Target
142a1878c2453fe9c9a51deef2742ac31d0c91ab332eb6ad8c4ebc00f9b25597
-
Size
6.1MB
-
Sample
241107-bzm34sself
-
MD5
a48962545fb217ee33bf157dc807c31a
-
SHA1
077f54778cc54904ecc934982e446a47f182f305
-
SHA256
142a1878c2453fe9c9a51deef2742ac31d0c91ab332eb6ad8c4ebc00f9b25597
-
SHA512
702e51323d600ad193e0299000061e33e688c3841de5e9385b3a0778de5446512cfc68a75f4f5c5c1f235186499baee91c8f36e23174bab2f33bcd80c83ea5a0
-
SSDEEP
196608:4RoptWfWUkMSBj3rqhiQ5bkZhujM6uik5:4RDeUwR3rhQ5bkGjMPi6
Static task
static1
Behavioral task
behavioral1
Sample
cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
socelars
http://www.chosenncrowned.com/
Extracted
privateloader
http://212.193.30.45/proxies.txt
http://45.144.225.57/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
2.56.59.42
Extracted
nullmixer
http://kelenxz.xyz/
Extracted
redline
05v1user
88.99.35.59:63020
-
auth_value
938f80985c12fe8ee069f692c27f40eb
Targets
-
-
Target
cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06
-
Size
6.1MB
-
MD5
8b755c11c8fb6a759db106995a83cc3c
-
SHA1
2c77c1db089a955f21b85e7726483ba1c642e3f6
-
SHA256
cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06
-
SHA512
c0e4527edbcea4b763d94d9bfea18e4454bf2c9a74228e6d3045a1cafcf0af422eea70c8d2de919aaec888d985768b057c4720221c28cdd12c6c3debdb2d82cc
-
SSDEEP
196608:J/5HmyFcwNWWLA8P4bevaiocWRRDVJAmZigW7lH3+:JXJLA8gbeVoTHDVyhO
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Socelars family
-
Socelars payload
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer.exe
-
Size
6.1MB
-
MD5
5b6344c2ddb1d86060aeb6d04c350dcf
-
SHA1
e4a8de11e6c96ce7d694e3f4df3664ede33d130d
-
SHA256
fb8b312e5517e293c3e30b6be43be639ec013a4ff4660103bf2065586fd74703
-
SHA512
340517de0b25f8fb2a18439a26335a9c1b0f3afb5f0cde3dd5562afdb9a435660ae1d53bacd01f31ea6a9708a7e0862e0868ff545735958788d789fc54ec9eaa
-
SSDEEP
196608:xix7PxiXeUpHIzL0OCyeL1cQ0fCTFfeGOn:xix7PxUHIEOCBcQ0fyp9On
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Socelars family
-
Socelars payload
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1