Extracted

Extracted

Extracted

Extracted

• • Target

    da595de09db6109b997fe33f0210d9c04482fdbabe39bed183b0dfb0c82b6f6b

  • Size

    6.4MB

  • MD5

    2f6c5142552002cb6f4bdf174114a778

  • SHA1

    dc09ef0a7f2d436e70cf7dbb6ddd30c91f6d7168

  • SHA256

    da595de09db6109b997fe33f0210d9c04482fdbabe39bed183b0dfb0c82b6f6b

  • SHA512

    8210f9ba08bd70835ac2abfeb080b20bb1e6142bb73a9c2abdb54f54c9b068763184ac6bbc42c363fd79527ba9eda58b1c9035ae03fcaba0f3651527882db4e1

  • SSDEEP

    196608:Jd7VBlnr9NSAB3RI2ZSPj3v/2DWPsnOw3qg5:Jnr9hU2oPj3X6kHg5

  Score

  10^/10

  fabookienullmixerredlinesocelarsvidar915media14nv2user1aspackv2discoverydropperexecutioninfostealerspywarestealer

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • Nullmixer family

    nullmixer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars family

    socelars

  • Socelars payload

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Vidar Stealer

    stealer

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    setup_installer.exe

  • Size

    6.4MB

  • MD5

    48432b59a4797b343f80624e5c6deae6

  • SHA1

    a90346a714488bb080cf7e2319fe13ddcf7718ec

  • SHA256

    517aa44e5c7c3b9814c81abe4f0771520bfabffa6b86541411ffc1cf21bcb583

  • SHA512

    2a5fb3e71c6944ef7f1d3327edfc1c6d37a253c868b00f7c9917a1596e7a83576dbe98ad6f7c2b2ca0581c8fddd7ca467a2e7809bf10de1173b3c178a288d345

  • SSDEEP

    196608:xYLUCgFPNni7xTZ4kD8+c87/mbDuupBUcT1:x0dgFP5idt4kD8+c4/eDuuZT1

  Score

  10^/10

  fabookienullmixerredlinesocelarsmedia14nv2user1aspackv2discoverydropperexecutioninfostealerspywarestealervidar915

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • Nullmixer family

    nullmixer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars family

    socelars

  • Socelars payload

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Vidar Stealer

    stealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext

  behavioral3behavioral4