Overview: score 10/10
Static analysis: score 10/10

Behavioral tasks (sample, platform, score):
6c5db6dce1...3e.exe, windows7-x64, 10/10
6c5db6dce1...3e.exe, windows10-2004-x64, 10/10
DusBrowserInst.exe, windows7-x64, 6/10
DusBrowserInst.exe, windows10-2004-x64, 6/10
IDWCH2.exe, windows7-x64, 7/10
IDWCH2.exe, windows10-2004-x64, 7/10
Litever01.exe, windows7-x64, 10/10
Litever01.exe, windows10-2004-x64, 10/10
NAN.exe, windows7-x64, 10/10
NAN.exe, windows10-2004-x64, 10/10
anyname.exe, windows7-x64, 3/10
anyname.exe, windows10-2004-x64, 3/10
app.exe, windows7-x64, 10/10
app.exe, windows10-2004-x64, 10/10
askinstall50.exe, windows7-x64, 10/10
askinstall50.exe, windows10-2004-x64, 10/10
farlab_setup.exe, windows7-x64, 10/10
farlab_setup.exe, windows10-2004-x64, 7/10
inst002.exe, windows7-x64, 10/10
inst002.exe, windows10-2004-x64, 10/10
jamesnew.exe, windows7-x64, 3/10
jamesnew.exe, windows10-2004-x64, 3/10
justdezine.exe, windows7-x64, 10/10
justdezine.exe, windows10-2004-x64, 10/10
md3_3kvm.exe, windows7-x64, 10/10
md3_3kvm.exe, windows10-2004-x64, 10/10
mixseven.exe, windows7-x64, 10/10
mixseven.exe, windows10-2004-x64, 10/10
redcloud.exe, windows7-x64, 10/10
redcloud.exe, windows10-2004-x64, 10/10
udptest.exe, windows7-x64, 10/10
udptest.exe, windows10-2004-x64, 10/10

General
Target: 241108-b33b7svmcm_pw_infected.zip
Size: 14.8MB
Sample: 241108-k32v4syndx
MD5: 02a543e645436acb260918d441ded13a
SHA1: 601325df3bf004ceb36fdd7186ed6adde331c83b
SHA256: 75d167249768d3b15728389b25c65e97f6ad92610b26b7d65fe8e2db83c41e4d
SHA512: f93390ca1e0d558d82a71204ae6853d9e55d0cda7670fc9b3e24e3f8a620d0fe942b863fd11bc8dedcc0e43937ddaee71c6c0cef94d8ad7a090c538efed9f855
SSDEEP: 393216:B8M2uCQmYGT/IdmgL1zWArD+sVnrzKdVnB:TCQmYGMf5hr6dVB

Behavioral tasks (task: sample, resource)
behavioral1: 6c5db6dce13ded4e0e6c7e9a526b063e.exe, win7-20241023-en
behavioral2: 6c5db6dce13ded4e0e6c7e9a526b063e.exe, win10v2004-20241007-en
behavioral3: DusBrowserInst.exe, win7-20241010-en
behavioral4: DusBrowserInst.exe, win10v2004-20241007-en
behavioral5: IDWCH2.exe, win7-20240903-en
behavioral6: IDWCH2.exe, win10v2004-20241007-en
behavioral7: Litever01.exe, win7-20240903-en
behavioral8: Litever01.exe, win10v2004-20241007-en
behavioral9: NAN.exe, win7-20240903-en
behavioral10: NAN.exe, win10v2004-20241007-en
behavioral11: anyname.exe, win7-20240729-en
behavioral12: anyname.exe, win10v2004-20241007-en
behavioral13: app.exe, win7-20240903-en
behavioral14: app.exe, win10v2004-20241007-en
behavioral15: askinstall50.exe, win7-20241010-en
behavioral16: askinstall50.exe, win10v2004-20241007-en
behavioral17: farlab_setup.exe, win7-20240903-en
behavioral18: farlab_setup.exe, win10v2004-20241007-en
behavioral19: inst002.exe, win7-20240903-en
behavioral20: inst002.exe, win10v2004-20241007-en
behavioral21: jamesnew.exe, win7-20241023-en
behavioral22: jamesnew.exe, win10v2004-20241007-en
behavioral23: justdezine.exe, win7-20240903-en
behavioral24: justdezine.exe, win10v2004-20241007-en
behavioral25: md3_3kvm.exe, win7-20240903-en
behavioral26: md3_3kvm.exe, win10v2004-20241007-en
behavioral27: mixseven.exe, win7-20240903-en
behavioral28: mixseven.exe, win10v2004-20241007-en
behavioral29: redcloud.exe, win7-20241010-en
behavioral30: redcloud.exe, win10v2004-20241007-en
behavioral31: udptest.exe, win7-20240729-en

Malware Config (extracted configurations)
- socelars: http://www.iyiqian.com/, http://www.xxhufdc.top/, http://www.uefhkice.xyz/, http://www.fcektsy.top/
- redline 1.22: 95.211.185.27:42097
- metasploit: windows/single_exec
- redline NANani: 87.251.71.14:89
- smokeloader: pub3
- ffdroider: http://186.2.171.3
- gcleaner: 194.145.227.161
- redline test: 193.56.146.78:51487
- vidar 40.1 933: https://eduarroma.tumblr.com/ (profile_id 933)

Targets

Target: 6c5db6dce13ded4e0e6c7e9a526b063e.exe
Size: 4.3MB
MD5: 1485d115c0db789ed882e6da39b845d0
SHA1: b25ee4515f5a1a8b420e7eba38f233ee64a24755
SHA256: 036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7
SHA512: c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b
SSDEEP: 98304:xQ4LwEKgQe6M92LKCOdyzrXabdwkxMwasT9mrWhO:xQdej2GC+McdXxMTkO
Signatures:
- Glupteba family
- Glupteba payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard: Rootkits can use kernel patching to embed themselves in an operating system.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: DusBrowserInst.exe
Size: 172KB
MD5: 2bf65413a6aabdbb7f18b7efebee633d
SHA1: c4eed75b2d69ca51ce87ede0a907db0ecbb4f4b7
SHA256: 1db05647c15a26167a50bf7cf1d5f2d00ae89e4f18cfba2bcb4024f043c81739
SHA512: b59fcc75925273239c90520d616a9e5dddacfc36d6cefb1f464dab3ef066aebfc57adfd9e28484aadfb9ed6a9dde4d509e0eee2bc5245a795025c64fb790fb2f
SSDEEP: 3072:OqJYORWz8q9slhk6/admfp4dipoaDNzuYnr+YvRRB:Kb9Hdmf9P
Score: 6/10
Signatures:
- Legitimate hosting services abused for malware hosting/C2

Target: IDWCH2.exe
Size: 739KB
MD5: 0d5cc91890c411599e994ab4d927350b
SHA1: b64c4752537fc05bd460918fe252ef64e72d2651
SHA256: b64cc3011b334fe3fdc47852da28f1d865a1f71dd819827a035b9b3adab1a163
SHA512: 56418a6586f0cc7f985e944811744fdce2ddaea5e238d02b21435768a3738ba7cccc738190b677f0eb66916a24cdcd4b63701df8a35c7a44802ba053ccdf059b
SSDEEP: 6144:d/QiQXC45m+ksmpk3U9j0IeP2soxvjFEOTb9WmZX/8shzdsY4CpHPhnq/FK:VQi34c6m6UR0IeP2p1hf39Wkv8xwJqdK
Score: 7/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL

Target: Litever01.exe
Size: 502KB
MD5: bca995c0fd475fb09fb7988cb876c795
SHA1: 0f8776b9a5b3daedcc314fa283172697dee4cf8d
SHA256: 659895bb642f43854043053d386b987c63db7e615d827dbc41866ac0371ab92d
SHA512: 94387589151f5dc774aaf981988c8f6b568e8373158ce79b5da370594a6f67f18c5b90547da62db70a808a9756fc318eeb3cd6df9b87495bfde379a46e2699df
SSDEEP: 12288:+Ircrb5sQow2/ZswWmTV9LSuxlrwvAsP4BmHc:+mQb5gnZswWmTbLnxyvpP6
Signatures:
- Vidar family
- Vidar Stealer

Target: NAN.exe
Size: 608KB
MD5: db1e5d0455f39c5cf5ac0c210dd679c4
SHA1: 836e95bd1285ff790e55a8602febb29d97187bd7
SHA256: 578eddcbe98744e25e8836b7cdc447f62b7032bcd3d083f2eb0cfe018022243e
SHA512: 3f349ba618510f3e76e893fb70f0bfd5c3885216d73ed024617b49878eed376789eb7d3e4d347bb84aec8d90dbd0706256cdfdfa3f99c3b2b62982d9bc5c3a25
SSDEEP: 12288:hjMQXZURC7TnfAWtUu/wQfmY4IG6zsJMWHn4oFl8n/bmThV:hjB34FC
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- Suspicious use of SetThreadContext

Target: anyname.exe
Size: 100KB
MD5: 2cd68cb7fd85144362d03a0b260f338f
SHA1: 6e106cc5246ed9fe053ef748b28022183e520ad9
SHA256: f67d7d488b447f8a6356bff9d49add653ef5c49e6dc74982005028d01609c24a
SHA512: 4ac9508d59f9f32d5b883b78b2b4cc80a7364731d96f01f53d816055fe7e1f8505790796ca4696c6810de89331a346e2b5eedd071c50b56c10489bcc9b72693c
SSDEEP: 3072:AH5/hX4B1I+Fe7UovWk07XFBbyzqRyZ/4Ji/:m/JK1RkZGXw/
Score: 3/10

Target: app.exe
Size: 4.3MB
MD5: d3f680a40104a2bf44d1e55ab22cc283
SHA1: 3e44293bd666ee6842f27001e561442203479698
SHA256: a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86
SHA512: 478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b
SSDEEP: 98304:MQ4LwEKgQe6M92LKCOdyzrXabdwkxMwasT9mrWh:MQdej2GC+McdXxMTk
Signatures:
- Glupteba family
- Glupteba payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard: Rootkits can use kernel patching to embed themselves in an operating system.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: askinstall50.exe
Size: 1.4MB
MD5: 68bc0c244bb2d261a9a7d007bb6e06d7
SHA1: 4226d51ebf9d925de953e0a5a6b3784eabfc47b6
SHA256: fd53ca7be25f932d930f68ab7818359762dde5d3608271e7a27e815f5b30e9e4
SHA512: f52a04cd2a5d0f9f30be1b6827e95f5afe5f34d0453a78b000dd71d7d8e20467ef6f541a91858833704df6b1560cb5701eab08e5df0a86870b946b052cd6d9da
SSDEEP: 24576:8IVFA1pqtg/TnMbX0lwyh0FVmEByA1EwFYyOsFTceoCSPZVjQtYfeXPPSTy:NFA1pvTMbOwa0TmUyMYEh1oCSPnQtY2/
Signatures:
- Socelars family
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.

Target: farlab_setup.exe
Size: 1.7MB
MD5: a7703240793e447ec11f535e808d2096
SHA1: 913af985f540dab68be0cdf999f6d7cb52d5be96
SHA256: 6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f
SHA512: 57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e
SSDEEP: 49152:C9CKxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmyGpf8:MCm5eMOooqhomhjrcLS8
Score: 10/10
Signatures:
- Modifies firewall policy service
- Boot or Logon Autostart Execution: Active Setup: Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Manipulates Digital Signatures: Attackers can alter the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence.
- Event Triggered Execution: Component Object Model Hijacking: Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory

Target: inst002.exe
Size: 265KB
MD5: f38f3aab5af6435226dcca8751f61e6c
SHA1: e555e536dca72784f73422a216aa35206441444a
SHA256: 94590b6681e3f9255a27b41a356d0334460ed596daab947258110a4ab94708db
SHA512: 0402a9d77388348aa055ab58a3211222ffdbe043e73052e075d861d1d0888437cfdeb2c2d7676b23e539b573bd4a4180d4e5f8af840693823979997f99c76c09
SSDEEP: 3072:7DO+LxoC9PZUFfYS3azG0CYUZTCldBG//7VxSVzsC1X6R8geXrVpAFdcmuYT:7a0Sf7oQYUdgiizn9XrXeddTT
Score: 10/10
Signatures:
- Detects LgoogLoader payload
- LgoogLoader: A downloader capable of dropping and executing other malware families.
- Lgoogloader family
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext

Target: jamesnew.exe
Size: 846KB
MD5: ea180cb17e71d8e32481aa37cb796cc1
SHA1: 351b1c6cdbdcd21215e6cb9fc7b76887ddfe7a2a
SHA256: 8a75fd219504039ceb7841811d75416ca52eb26a9667bbdf621055dad62e8b1a
SHA512: 7bfe33816e5d6373cdbae1b8fffb620e76defabd1302b8c98650980ac0292b3135cee52d7316b8fe895812e56b2a7cfa2aa983d7e746f4673c37f1b585636cbc
SSDEEP: 24576:1AHnh+eWsN3skA4RV1Hom2KXMmHaR1K5:kh+ZkldoPK8YaRi
Score: 3/10

Target: justdezine.exe
Size: 136KB
MD5: 7bd33952ce41285449099ae0bcd48d81
SHA1: 1d6224283dd85c51a22445a69b1f2771724a7733
SHA256: 6d5ac5464acd393224513115ebee2eeca5efca62b2a0e92f50c5186a8f740581
SHA512: bbe8a7d76db63b498b0ff8736ab010c12506b8f27b17eaeb13a77d0972e6512a54dccbf5c050642ffe7665647439c5fd1424312677b351d7fe893a7956728c05
SSDEEP: 1536:w8Voh/WygQ/HlLg7ppfmFuOJFrh3dPiifz6JCzUKuhOZa0atsjk5/Npj6T61mD:wNqzo1lNqirxuhOZ7+sI5/DuT61m
Score: 10/10
Signatures:
- Smokeloader family

Target: md3_3kvm.exe
Size: 924KB
MD5: 53b01ccd65893036e6e73376605da1e2
SHA1: 12c7162ea3ce90ec064ce61251897c8bec3fd115
SHA256: de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7
SHA512: e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067
SSDEEP: 24576:pP7A681d48vGlldFtqFbDNaYaPCQFXVDXE4IfmDWQ:pzF8I8vGbdFtabDNUPCQFXVDXvdDWQ
Signatures:
- FFDroider payload
- Ffdroider family

Target: mixseven.exe
Size: 213KB
MD5: 984f9ec5ff106e4c08bb076ef63f3ec2
SHA1: 119152d00b0b883cefae6519bbe4be43c6e1aafd
SHA256: 438676e5d2d9fd41a35b18eee5db8917e7f960f0d50917513f4fb92b95d29995
SHA512: 641cdf64b6ba39fb01c0bbe86aa878026e9f61280a83d449d67656dfa89100957f9e5b2b575b7ec460a0eeb4d2a8ef8da0781de58d3c518be2a2ae97ce1acd6a
SSDEEP: 3072:qYq47wlx3K0mbLClhjJPHH93Bf8Pwv+/FvFeWB3SaPkN1hL8csI5/DuT61m:qf4uxaKl5JPHH96vFeWVk5LsI5/
Score: 10/10
Signatures:
- Gcleaner family
- Onlylogger family
- OnlyLogger payload
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence.
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2

Target: redcloud.exe
Size: 173KB
MD5: 16bf4653dfc06b85e7d34cb5cfe62717
SHA1: 35ca16cdb661f6978815efc8c8a2ae0fbddcb733
SHA256: 6038860aefedc84fdafe7d693ea6fa63147be5e3a43dd96e20adf377811c5d30
SHA512: 0717f23056515b18f627496c309c22bfc76da5b61f2730a320fa8584ad0fb5ed47a8695ad255bc8635cdd379d2313cb141466e86ae0b639c33772fe2177fa35f
SSDEEP: 1536:8t9pmEJnCKOAD3dOlbi2JKnJbpNjbuqGd0AMuyq+d0+7dDjElG6qTaoigQwY8ls:CTnCK1DtCbi2AHhG0Ajyjd0iY428ls
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family

Target: udptest.exe
Size: 240KB
MD5: 265717bdcb626127fdb7e62b018e963c
SHA1: d9d70e33380e33caa8c48b6a4ba7a4fe08ecafe5
SHA256: e102abb40eb0795f838749e262c4e94af6df4213832b1d055b727cbc50f3a8ee
SHA512: f9c3656bb1e9848620990ca2ee8c163f32c2259774cf21ff78979ba1318daabb672ba1a67924b90d55cce8b579830bf31db32e2da83a09b51916c60ca157f362
SSDEEP: 3072:z+9IWjNSUNngwphQyI+wyym+l2Dnn3e+3kC5p67Bp+QcsC/ddhrPOv/SsI5/DuTR:zBUNngwp8Kn3e+0C5pyBp+xsQNbsI5/
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family

MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique; number of matching signatures in parentheses)
Execution
  Command and Scripting Interpreter (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Impair Defenses (5)
    Disable or Modify System Firewall (2)
    Disable or Modify Tools (2)
  Modify Registry (7)
  Subvert Trust Controls (2)
    Install Root Certificate (1)
    SIP and Trust Provider Hijacking (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)