General

Target: f6c4232e68b8f6b36754cf619f5282d24af7e9a27cca2bbe72121066fb0c3cfd
Size: 3.6MB
Sample: 241108-hglkwsxhkq
MD5: 03eb61a6d9f9877c21917ba4c7a6b4ed
SHA1: f062a7b7cac7af1d142f9a9fead954e2e66c8819
SHA256: f6c4232e68b8f6b36754cf619f5282d24af7e9a27cca2bbe72121066fb0c3cfd
SHA512: 4a4712c925883a8e928e1e6f8c6e0afae1f1a0f7810e6c478dc343b15782065475ec42b8086870313f4682d337010dbac80ca04ca9b43172d3c289be2ef09199
SSDEEP: 49152:ofpinzzlORcyujAWdlc8TZbn0XaSWHLw8EfuzG09PIZ+2nC44JtI6n2CSTiNv4S4:vEL0/dDTTHLwBGz39PTB9JdnZSTBSk9
Static task: static1

Behavioral task: behavioral1
Sample: steup_x86.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: steup_x86.exe
Resource: win10v2004-20241007-en
Malware Config

Extracted: nullmixer
C2: http://razino.xyz/

Extracted: redline
Botnet: NCanal01
C2: pupdatastart.tech:80, pupdatastart.xyz:80, pupdatastar.store:80

Extracted: redline
Botnet: Ani
C2: yaklalau.xyz:80

Extracted: vidar
Version: 39.3
Botnet: 706
C2: https://bandakere.tumblr.com/
profile_id: 706
Targets

Target: steup_x86
Size: 3.6MB
MD5: 05e6fd44959e6258c1e07bd12a4f284f
SHA1: ea21133721033a9fe5da1dfce39f9875f5439ebb
SHA256: 4b89b98e5e7b67eac0fb79dbf4ad697cbd79f9fe51b8313accc8d7bfe6a439d2
SHA512: 66fac06f167254db8ce4e6e0b34c119f4aff9c3f6d4c9e691fcd82122a7036dc69b1b46967a46c59914a36c7d4241edfd37cb525572c16dcafc95c5cca118cef
SSDEEP: 98304:JSjfbEr2hEgbuyRPn6ASvoiOdl++U/qU4v:J8Er2hEgCyhn3d++Uidv

Signatures:
- Detect Fabookie payload
- Fabookie family
- Nullmixer family
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Privateloader family
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- Risepro family
- SectopRAT payload
- Sectoprat family
- Suspicious use of NtCreateUserProcessOtherParentProcess (a process was created under a parent other than the caller, i.e. parent PID spoofing)
- Vidar family
- Detected Nirsoft tools: Free, legitimate utilities often used by attackers to recover passwords, product keys, etc.
- Vidar Stealer
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext (commonly used to redirect execution in another process, e.g. process hollowing)
Target: setup_installer.exe
Size: 3.6MB
MD5: 1a7c6090d71b865cb591d454f93088f1
SHA1: f15403e3c0703cb08750503a385f5b1887de0942
SHA256: 7e4172a1c7db31aafdfb4040394f890afdfc6d07868639e8998ef12b33ab290e
SHA512: f52258bccda9005d2e6fa2d4d8b8124de8a16816884c0cfb9c620bd468360e89379385174fb50b16c23a53b2ee1a4daa22887bcf6c2506853b3725b5f0f321f8
SSDEEP: 98304:x518QFNDvmYbIlOKrZ1+1eupOX2qCvLUBsK1Euq:xH8QFNDmwIwKrZ1+1euSmLUCK1EL

Signatures:
- Detect Fabookie payload
- Fabookie family
- Nullmixer family
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Privateloader family
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- Risepro family
- SectopRAT payload
- Sectoprat family
- Suspicious use of NtCreateUserProcessOtherParentProcess (a process was created under a parent other than the caller, i.e. parent PID spoofing)
- Vidar family
- Detected Nirsoft tools: Free, legitimate utilities often used by attackers to recover passwords, product keys, etc.
- Vidar Stealer
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext (commonly used to redirect execution in another process, e.g. process hollowing)
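The following is an added example, not part of the sandbox report and not code from any of the tools or families it names. It takes the C2 entries from the Malware Config section above (copied verbatim) and the behavioural signatures listed for both targets (location-settings check, Uninstall-key enumeration, drive enumeration, external IP lookup) and turns them into something a defender can run: a host index and Suricata DNS rules for the C2s, and a small matcher that maps Sysmon-like events to the report's signature names. The registry paths, the IP-lookup hostnames, the event dictionary shape and every entry in SAMPLE_EVENTS are my assumptions, not facts stated in the report.

```python
"""Added example, not part of the sandbox report or of any tool it names.

Assumptions NOT stated in the report: the registry paths used for the
geofence and Uninstall checks, the IP-lookup hostnames, the event
dictionary shape, and all of SAMPLE_EVENTS (constructed for this example).
The C2_ENTRIES values are copied from the report's Malware Config section.
"""
import re
from urllib.parse import urlsplit

# C2 entries exactly as they appear in the report's Malware Config section.
C2_ENTRIES = {
    "nullmixer": ["http://razino.xyz/"],
    "redline": ["pupdatastart.tech:80", "pupdatastart.xyz:80",
                "pupdatastar.store:80", "yaklalau.xyz:80"],
    "vidar": ["https://bandakere.tumblr.com/"],
}

# Assumed (not from the report): where these behaviours usually surface.
GEO_KEY_SUFFIX = r"\Control Panel\International\Geo\Nation"
UNINSTALL_KEY = r"\Microsoft\Windows\CurrentVersion\Uninstall"
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io"}
DRIVE_ROOT = re.compile(r"([A-Za-z]):\\")  # exactly "X:\", a bare drive root


def c2_host(entry: str) -> str:
    """Normalise a config entry (full URL or host:port) to a lowercase hostname."""
    if "://" in entry:
        return urlsplit(entry).hostname.lower()
    return entry.rsplit(":", 1)[0].lower()


def c2_index() -> dict:
    """hostname -> family, for every entry in C2_ENTRIES."""
    return {c2_host(e): fam for fam, entries in C2_ENTRIES.items() for e in entries}


def suricata_dns_rules(sid_base: int = 1000000) -> list:
    """One 'alert dns' rule per C2 hostname.  Matching the full hostname matters
    for the Vidar entry: a rule on the tumblr.com apex would also hit the
    legitimate hosting service the sample abuses."""
    rules = []
    for i, (host, fam) in enumerate(sorted(c2_index().items())):
        rules.append(
            f'alert dns any any -> any any (msg:"{fam} C2 lookup {host}"; '
            f'dns.query; content:"{host}"; nocase; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def classify(event: dict) -> list:
    """Return the report signature names a single event would contribute to."""
    hits = []
    if event["type"] == "registry":
        path = event["path"]
        if path.endswith(GEO_KEY_SUFFIX):
            hits.append("Checks computer location settings")
        if UNINSTALL_KEY in path:
            hits.append("Checks installed software on the system")
    elif event["type"] == "file":
        m = DRIVE_ROOT.fullmatch(event["path"])
        if m and m.group(1).upper() != "C":  # C: is the default drive
            hits.append("Enumerates connected drives")
    elif event["type"] == "dns":
        query = event["query"].lower()
        if query in IP_LOOKUP_HOSTS:
            hits.append("Looks up external IP address via web service")
        family = c2_index().get(query)
        if family:
            hits.append(f"C2 contact ({family})")
    return hits


def triage(events: list) -> list:
    """Distinct (pid, signature) pairs, sorted for a stable comparison."""
    return sorted({(e["pid"], h) for e in events for h in classify(e)})


# Constructed events, not taken from the report.
SAMPLE_EVENTS = [
    {"pid": 1234, "type": "registry",
     "path": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"},
    {"pid": 1234, "type": "registry",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 1234, "type": "file", "path": "D:\\"},
    {"pid": 1234, "type": "file", "path": "C:\\Users\\"},
    {"pid": 5678, "type": "dns", "query": "api.ipify.org"},
    {"pid": 5678, "type": "dns", "query": "PUPDATASTART.TECH"},
    {"pid": 5678, "type": "dns", "query": "bandakere.tumblr.com"},
    {"pid": 5678, "type": "dns", "query": "tumblr.com"},
]

if __name__ == "__main__":
    for pid, sig in triage(SAMPLE_EVENTS):
        print(pid, sig)
    print("\n".join(suricata_dns_rules()))
```

The matcher deliberately keys on the full C2 hostname rather than the registrable domain: the report's "Legitimate hosting services abused for malware hosting/C2" signature is exactly the case where an apex-domain block would cause collateral damage, so bandakere.tumblr.com is matched while tumblr.com is not.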
MITRE ATT&CK Enterprise v15 (numbers in brackets are the report's per-technique hit counts)

Defense Evasion
- Impair Defenses [1]
  - Disable or Modify Tools [1]
- Modify Registry [2]
- Subvert Trust Controls [1]
  - Install Root Certificate [1]

Credential Access
- Credentials from Password Stores [1]
  - Credentials from Web Browsers [1]
- Unsecured Credentials [2]
  - Credentials In Files [2]