General

  • Target

    f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113

  • Size

    14.7MB

  • Sample

    241108-b33b7svmcm

  • MD5

    36e895cac68782276f49144d8904f79e

  • SHA1

    411476265cdb80d2119ae49c34c6700a36577657

  • SHA256

    f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113

  • SHA512

    db7e7997e7017fc083b067aa9a610be84e425a5a562829a02dd3650b0dcf42a4ced706a69d27b7e86ce503558b13f9791b107f4281b0f4845e1d83a874e24550

  • SSDEEP

    393216:/OFW3CWhhMLh2BJcqpGZLvH023cP1vlhaR/nW67:/OFW3CWIIchL+2Rvf

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

1.22

C2

95.211.185.27:42097

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

NANani

C2

87.251.71.14:89

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

gcleaner

C2

194.145.227.161

Extracted

Family

redline

Botnet

test

C2

193.56.146.78:51487

Extracted

Family

vidar

Version

40.1

Botnet

933

C2

https://eduarroma.tumblr.com/

Attributes
  • profile_id

    933

Targets

    • Target

      6c5db6dce13ded4e0e6c7e9a526b063e.exe

    • Size

      4.3MB

    • MD5

      1485d115c0db789ed882e6da39b845d0

    • SHA1

      b25ee4515f5a1a8b420e7eba38f233ee64a24755

    • SHA256

      036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7

    • SHA512

      c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b

    • SSDEEP

      98304:xQ4LwEKgQe6M92LKCOdyzrXabdwkxMwasT9mrWhO:xQdej2GC+McdXxMTkO

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Target

      DusBrowserInst.exe

    • Size

      172KB

    • MD5

      2bf65413a6aabdbb7f18b7efebee633d

    • SHA1

      c4eed75b2d69ca51ce87ede0a907db0ecbb4f4b7

    • SHA256

      1db05647c15a26167a50bf7cf1d5f2d00ae89e4f18cfba2bcb4024f043c81739

    • SHA512

      b59fcc75925273239c90520d616a9e5dddacfc36d6cefb1f464dab3ef066aebfc57adfd9e28484aadfb9ed6a9dde4d509e0eee2bc5245a795025c64fb790fb2f

    • SSDEEP

      3072:OqJYORWz8q9slhk6/admfp4dipoaDNzuYnr+YvRRB:Kb9Hdmf9P

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      IDWCH2.exe

    • Size

      739KB

    • MD5

      0d5cc91890c411599e994ab4d927350b

    • SHA1

      b64c4752537fc05bd460918fe252ef64e72d2651

    • SHA256

      b64cc3011b334fe3fdc47852da28f1d865a1f71dd819827a035b9b3adab1a163

    • SHA512

      56418a6586f0cc7f985e944811744fdce2ddaea5e238d02b21435768a3738ba7cccc738190b677f0eb66916a24cdcd4b63701df8a35c7a44802ba053ccdf059b

    • SSDEEP

      6144:d/QiQXC45m+ksmpk3U9j0IeP2soxvjFEOTb9WmZX/8shzdsY4CpHPhnq/FK:VQi34c6m6UR0IeP2p1hf39Wkv8xwJqdK

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Litever01.exe

    • Size

      502KB

    • MD5

      bca995c0fd475fb09fb7988cb876c795

    • SHA1

      0f8776b9a5b3daedcc314fa283172697dee4cf8d

    • SHA256

      659895bb642f43854043053d386b987c63db7e615d827dbc41866ac0371ab92d

    • SHA512

      94387589151f5dc774aaf981988c8f6b568e8373158ce79b5da370594a6f67f18c5b90547da62db70a808a9756fc318eeb3cd6df9b87495bfde379a46e2699df

    • SSDEEP

      12288:+Ircrb5sQow2/ZswWmTV9LSuxlrwvAsP4BmHc:+mQb5gnZswWmTbLnxyvpP6

    • Target

      NAN.exe

    • Size

      608KB

    • MD5

      db1e5d0455f39c5cf5ac0c210dd679c4

    • SHA1

      836e95bd1285ff790e55a8602febb29d97187bd7

    • SHA256

      578eddcbe98744e25e8836b7cdc447f62b7032bcd3d083f2eb0cfe018022243e

    • SHA512

      3f349ba618510f3e76e893fb70f0bfd5c3885216d73ed024617b49878eed376789eb7d3e4d347bb84aec8d90dbd0706256cdfdfa3f99c3b2b62982d9bc5c3a25

    • SSDEEP

      12288:hjMQXZURC7TnfAWtUu/wQfmY4IG6zsJMWHn4oFl8n/bmThV:hjB34FC

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of SetThreadContext

    • Target

      anyname.exe

    • Size

      100KB

    • MD5

      2cd68cb7fd85144362d03a0b260f338f

    • SHA1

      6e106cc5246ed9fe053ef748b28022183e520ad9

    • SHA256

      f67d7d488b447f8a6356bff9d49add653ef5c49e6dc74982005028d01609c24a

    • SHA512

      4ac9508d59f9f32d5b883b78b2b4cc80a7364731d96f01f53d816055fe7e1f8505790796ca4696c6810de89331a346e2b5eedd071c50b56c10489bcc9b72693c

    • SSDEEP

      3072:AH5/hX4B1I+Fe7UovWk07XFBbyzqRyZ/4Ji/:m/JK1RkZGXw/

    Score
    3/10
    • Target

      app.exe

    • Size

      4.3MB

    • MD5

      d3f680a40104a2bf44d1e55ab22cc283

    • SHA1

      3e44293bd666ee6842f27001e561442203479698

    • SHA256

      a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86

    • SHA512

      478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b

    • SSDEEP

      98304:MQ4LwEKgQe6M92LKCOdyzrXabdwkxMwasT9mrWh:MQdej2GC+McdXxMTk

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Target

      askinstall50.exe

    • Size

      1.4MB

    • MD5

      68bc0c244bb2d261a9a7d007bb6e06d7

    • SHA1

      4226d51ebf9d925de953e0a5a6b3784eabfc47b6

    • SHA256

      fd53ca7be25f932d930f68ab7818359762dde5d3608271e7a27e815f5b30e9e4

    • SHA512

      f52a04cd2a5d0f9f30be1b6827e95f5afe5f34d0453a78b000dd71d7d8e20467ef6f541a91858833704df6b1560cb5701eab08e5df0a86870b946b052cd6d9da

    • SSDEEP

      24576:8IVFA1pqtg/TnMbX0lwyh0FVmEByA1EwFYyOsFTceoCSPZVjQtYfeXPPSTy:NFA1pvTMbOwa0TmUyMYEh1oCSPnQtY2/

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      farlab_setup.exe

    • Size

      1.7MB

    • MD5

      a7703240793e447ec11f535e808d2096

    • SHA1

      913af985f540dab68be0cdf999f6d7cb52d5be96

    • SHA256

      6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f

    • SHA512

      57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e

    • SSDEEP

      49152:C9CKxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmyGpf8:MCm5eMOooqhomhjrcLS8

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      inst002.exe

    • Size

      265KB

    • MD5

      f38f3aab5af6435226dcca8751f61e6c

    • SHA1

      e555e536dca72784f73422a216aa35206441444a

    • SHA256

      94590b6681e3f9255a27b41a356d0334460ed596daab947258110a4ab94708db

    • SHA512

      0402a9d77388348aa055ab58a3211222ffdbe043e73052e075d861d1d0888437cfdeb2c2d7676b23e539b573bd4a4180d4e5f8af840693823979997f99c76c09

    • SSDEEP

      3072:7DO+LxoC9PZUFfYS3azG0CYUZTCldBG//7VxSVzsC1X6R8geXrVpAFdcmuYT:7a0Sf7oQYUdgiizn9XrXeddTT

    • Detects LgoogLoader payload

    • LgoogLoader

      A downloader capable of dropping and executing other malware families.

    • Lgoogloader family

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    • Target

      jamesnew.exe

    • Size

      846KB

    • MD5

      ea180cb17e71d8e32481aa37cb796cc1

    • SHA1

      351b1c6cdbdcd21215e6cb9fc7b76887ddfe7a2a

    • SHA256

      8a75fd219504039ceb7841811d75416ca52eb26a9667bbdf621055dad62e8b1a

    • SHA512

      7bfe33816e5d6373cdbae1b8fffb620e76defabd1302b8c98650980ac0292b3135cee52d7316b8fe895812e56b2a7cfa2aa983d7e746f4673c37f1b585636cbc

    • SSDEEP

      24576:1AHnh+eWsN3skA4RV1Hom2KXMmHaR1K5:kh+ZkldoPK8YaRi

    Score
    3/10
    • Target

      justdezine.exe

    • Size

      136KB

    • MD5

      7bd33952ce41285449099ae0bcd48d81

    • SHA1

      1d6224283dd85c51a22445a69b1f2771724a7733

    • SHA256

      6d5ac5464acd393224513115ebee2eeca5efca62b2a0e92f50c5186a8f740581

    • SHA512

      bbe8a7d76db63b498b0ff8736ab010c12506b8f27b17eaeb13a77d0972e6512a54dccbf5c050642ffe7665647439c5fd1424312677b351d7fe893a7956728c05

    • SSDEEP

      1536:w8Voh/WygQ/HlLg7ppfmFuOJFrh3dPiifz6JCzUKuhOZa0atsjk5/Npj6T61mD:wNqzo1lNqirxuhOZ7+sI5/DuT61m

    • Target

      md3_3kvm.exe

    • Size

      924KB

    • MD5

      53b01ccd65893036e6e73376605da1e2

    • SHA1

      12c7162ea3ce90ec064ce61251897c8bec3fd115

    • SHA256

      de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

    • SHA512

      e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

    • SSDEEP

      24576:pP7A681d48vGlldFtqFbDNaYaPCQFXVDXE4IfmDWQ:pzF8I8vGbdFtabDNUPCQFXVDXvdDWQ

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • Ffdroider family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Target

      mixseven.exe

    • Size

      213KB

    • MD5

      984f9ec5ff106e4c08bb076ef63f3ec2

    • SHA1

      119152d00b0b883cefae6519bbe4be43c6e1aafd

    • SHA256

      438676e5d2d9fd41a35b18eee5db8917e7f960f0d50917513f4fb92b95d29995

    • SHA512

      641cdf64b6ba39fb01c0bbe86aa878026e9f61280a83d449d67656dfa89100957f9e5b2b575b7ec460a0eeb4d2a8ef8da0781de58d3c518be2a2ae97ce1acd6a

    • SSDEEP

      3072:qYq47wlx3K0mbLClhjJPHH93Bf8Pwv+/FvFeWB3SaPkN1hL8csI5/DuT61m:qf4uxaKl5JPHH96vFeWVk5LsI5/

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • OnlyLogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      redcloud.exe

    • Size

      173KB

    • MD5

      16bf4653dfc06b85e7d34cb5cfe62717

    • SHA1

      35ca16cdb661f6978815efc8c8a2ae0fbddcb733

    • SHA256

      6038860aefedc84fdafe7d693ea6fa63147be5e3a43dd96e20adf377811c5d30

    • SHA512

      0717f23056515b18f627496c309c22bfc76da5b61f2730a320fa8584ad0fb5ed47a8695ad255bc8635cdd379d2313cb141466e86ae0b639c33772fe2177fa35f

    • SSDEEP

      1536:8t9pmEJnCKOAD3dOlbi2JKnJbpNjbuqGd0AMuyq+d0+7dDjElG6qTaoigQwY8ls:CTnCK1DtCbi2AHhG0Ajyjd0iY428ls

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Target

      udptest.exe

    • Size

      240KB

    • MD5

      265717bdcb626127fdb7e62b018e963c

    • SHA1

      d9d70e33380e33caa8c48b6a4ba7a4fe08ecafe5

    • SHA256

      e102abb40eb0795f838749e262c4e94af6df4213832b1d055b727cbc50f3a8ee

    • SHA512

      f9c3656bb1e9848620990ca2ee8c163f32c2259774cf21ff78979ba1318daabb672ba1a67924b90d55cce8b579830bf31db32e2da83a09b51916c60ca157f362

    • SSDEEP

      3072:z+9IWjNSUNngwphQyI+wyym+l2Dnn3e+3kC5p67Bp+QcsC/ddhrPOv/SsI5/DuTR:zBUNngwp8Kn3e+0C5pyBp+xsQNbsI5/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

MITRE ATT&CK Enterprise v15

Tasks

static1

1.22socelarsredlinesectopratfabookie
Score
10/10

behavioral1

gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan
Score
10/10

behavioral2

gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan
Score
10/10

behavioral3

Score
6/10

behavioral4

Score
6/10

behavioral5

discovery
Score
7/10

behavioral6

discovery
Score
7/10

behavioral7

vidar933discoverystealer
Score
10/10

behavioral8

vidar933discoverystealer
Score
10/10

behavioral9

redlinesectopratnananidiscoveryinfostealerrattrojan
Score
10/10

behavioral10

redlinesectopratnananidiscoveryinfostealerrattrojan
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan
Score
10/10

behavioral14

gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan
Score
10/10

behavioral15

socelarsdiscoveryspywarestealer
Score
10/10

behavioral16

socelarsdiscoveryspywarestealer
Score
10/10

behavioral17

discovery
Score
7/10

behavioral18

discovery
Score
7/10

behavioral19

lgoogloaderdiscoverydownloader
Score
10/10

behavioral20

lgoogloaderdiscoverydownloader
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

smokeloaderpub3backdoortrojan
Score
10/10

behavioral24

smokeloaderpub3backdoordiscoverytrojan
Score
10/10

behavioral25

ffdroiderdiscoveryspywarestealer
Score
10/10

behavioral26

ffdroiderdiscoveryevasionspywarestealertrojan
Score
10/10

behavioral27

gcleaneronlyloggerdiscoveryloader
Score
10/10

behavioral28

gcleaneronlyloggerdiscoveryloader
Score
10/10

behavioral29

redlinesectoprat1.22discoveryinfostealerrattrojan
Score
10/10

behavioral30

redlinesectoprat1.22discoveryinfostealerrattrojan
Score
10/10

behavioral31

redlinesectoprattestdiscoveryinfostealerrattrojan
Score
10/10

behavioral32

redlinesectoprattestdiscoveryinfostealerrattrojan
Score
10/10