General

  • Target

    f6c4232e68b8f6b36754cf619f5282d24af7e9a27cca2bbe72121066fb0c3cfd

  • Size

    3.6MB

  • Sample

    241108-hglkwsxhkq

  • MD5

    03eb61a6d9f9877c21917ba4c7a6b4ed

  • SHA1

    f062a7b7cac7af1d142f9a9fead954e2e66c8819

  • SHA256

    f6c4232e68b8f6b36754cf619f5282d24af7e9a27cca2bbe72121066fb0c3cfd

  • SHA512

    4a4712c925883a8e928e1e6f8c6e0afae1f1a0f7810e6c478dc343b15782065475ec42b8086870313f4682d337010dbac80ca04ca9b43172d3c289be2ef09199

  • SSDEEP

    49152:ofpinzzlORcyujAWdlc8TZbn0XaSWHLw8EfuzG09PIZ+2nC44JtI6n2CSTiNv4S4:vEL0/dDTTHLwBGz39PTB9JdnZSTBSk9

Malware Config

Extracted

  • Family

    nullmixer

  • C2

    http://razino.xyz/

Extracted

  • Family

    redline

  • Botnet

    NCanal01

  • C2

    pupdatastart.tech:80

    pupdatastart.xyz:80

    pupdatastar.store:80

Extracted

  • Family

    redline

  • Botnet

    Ani

  • C2

    yaklalau.xyz:80

Extracted

  • Family

    vidar

  • Version

    39.3

  • Botnet

    706

  • C2

    https://bandakere.tumblr.com/

  • Attributes

    • profile_id

      706

Targets

    • Target

      steup_x86

    • Size

      3.6MB

    • MD5

      05e6fd44959e6258c1e07bd12a4f284f

    • SHA1

      ea21133721033a9fe5da1dfce39f9875f5439ebb

    • SHA256

      4b89b98e5e7b67eac0fb79dbf4ad697cbd79f9fe51b8313accc8d7bfe6a439d2

    • SHA512

      66fac06f167254db8ce4e6e0b34c119f4aff9c3f6d4c9e691fcd82122a7036dc69b1b46967a46c59914a36c7d4241edfd37cb525572c16dcafc95c5cca118cef

    • SSDEEP

      98304:JSjfbEr2hEgbuyRPn6ASvoiOdl++U/qU4v:J8Er2hEgCyhn3d++Uidv

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Risepro family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      setup_installer.exe

    • Size

      3.6MB

    • MD5

      1a7c6090d71b865cb591d454f93088f1

    • SHA1

      f15403e3c0703cb08750503a385f5b1887de0942

    • SHA256

      7e4172a1c7db31aafdfb4040394f890afdfc6d07868639e8998ef12b33ab290e

    • SHA512

      f52258bccda9005d2e6fa2d4d8b8124de8a16816884c0cfb9c620bd468360e89379385174fb50b16c23a53b2ee1a4daa22887bcf6c2506853b3725b5f0f321f8

    • SSDEEP

      98304:x518QFNDvmYbIlOKrZ1+1eupOX2qCvLUBsK1Euq:xH8QFNDmwIwKrZ1+1euSmLUCK1EL

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Risepro family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks