General

  • Target

    142a1878c2453fe9c9a51deef2742ac31d0c91ab332eb6ad8c4ebc00f9b25597

  • Size

    6.1MB

  • Sample

    241107-bzm34sself

  • MD5

    a48962545fb217ee33bf157dc807c31a

  • SHA1

    077f54778cc54904ecc934982e446a47f182f305

  • SHA256

    142a1878c2453fe9c9a51deef2742ac31d0c91ab332eb6ad8c4ebc00f9b25597

  • SHA512

    702e51323d600ad193e0299000061e33e688c3841de5e9385b3a0778de5446512cfc68a75f4f5c5c1f235186499baee91c8f36e23174bab2f33bcd80c83ea5a0

  • SSDEEP

    196608:4RoptWfWUkMSBj3rqhiQ5bkZhujM6uik5:4RDeUwR3rhQ5bkGjMPi6

Malware Config

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

privateloader

C2

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Extracted

Family

nullmixer

C2

http://kelenxz.xyz/

Extracted

Family

redline

Botnet

05v1user

C2

88.99.35.59:63020

Attributes
  • auth_value

    938f80985c12fe8ee069f692c27f40eb

Targets

    • Target

      cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06

    • Size

      6.1MB

    • MD5

      8b755c11c8fb6a759db106995a83cc3c

    • SHA1

      2c77c1db089a955f21b85e7726483ba1c642e3f6

    • SHA256

      cc88be4810401153eb4b479eac33ccd8864589e3465c7b8d3f5ad5e2dd0a7a06

    • SHA512

      c0e4527edbcea4b763d94d9bfea18e4454bf2c9a74228e6d3045a1cafcf0af422eea70c8d2de919aaec888d985768b057c4720221c28cdd12c6c3debdb2d82cc

    • SSDEEP

      196608:J/5HmyFcwNWWLA8P4bevaiocWRRDVJAmZigW7lH3+:JXJLA8gbeVoTHDVyhO

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      setup_installer.exe

    • Size

      6.1MB

    • MD5

      5b6344c2ddb1d86060aeb6d04c350dcf

    • SHA1

      e4a8de11e6c96ce7d694e3f4df3664ede33d130d

    • SHA256

      fb8b312e5517e293c3e30b6be43be639ec013a4ff4660103bf2065586fd74703

    • SHA512

      340517de0b25f8fb2a18439a26335a9c1b0f3afb5f0cde3dd5562afdb9a435660ae1d53bacd01f31ea6a9708a7e0862e0868ff545735958788d789fc54ec9eaa

    • SSDEEP

      196608:xix7PxiXeUpHIzL0OCyeL1cQ0fCTFfeGOn:xix7PxUHIEOCBcQ0fyp9On

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks