Overview

overview

10

Static

static

3

setup_x86_...ll.exe

windows7-x64

10

setup_x86_...ll.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2fcac593d546c7851019d63e14ef52efea39b47889f48c52442ab08bb6bab641

  • Size

    4.8MB

  • Sample

    241108-p3mhmssfrl

  • MD5

    e933eb3a10ec3ee4392ed10e7ff0e668

  • SHA1

    29c5cee1ccd53654bc0c45473ebaa22a791e8838

  • SHA256

    2fcac593d546c7851019d63e14ef52efea39b47889f48c52442ab08bb6bab641

  • SHA512

    8899b9826182929513b8cea2acedf3b23c7781d47b87e8b6a73a6631396f44c50e89ee2e13a2f432a9280a7efe6df57673e5530c80b2878aae87786d11741b6e

  • SSDEEP

    98304:exr/DOtRyfWC4Tju4NsvWiuxvxwX35SB8RSwMyrX4E:ex/sXrPHxpSbSUEE

Score
10/10
cryptbotnullmixerprivateloaderredlinesectopratvidarpub1aspackv2discoverydropperexecutioninfostealerloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

redline

Botnet

pub1

C2

viacetequn.site:80

Targets

    • Target

      setup_x86_x64_install.exe

    • Size

      4.8MB

    • MD5

      553a4bae13e8a88222760cd66804f8f7

    • SHA1

      64865048c52f49c2f92a4210765fcfdc4b795937

    • SHA256

      ce0877f0e89d0c030c47f838aafc655c77fd93f4f2c7f699f88107ce01922eef

    • SHA512

      67c36dbcd64c8db6440ce5e7b2f7543ac97ba49979654e15c245cc25d4a3acf42b4a410797e15ea74c8e192b0f2c2c197830ca35263938cf797b8ee2c98e7230

    • SSDEEP

      98304:ySHtjTw9QZfToFuedKqXymedZyWkXxmyD/Qf:yQlfyumPeU8yDIf

    Score
    10/10
    cryptbotnullmixerprivateloaderredlinesectopratvidarpub1aspackv2discoverydropperexecutioninfostealerloaderpersistenceratspywarestealertrojan

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • CryptBot payload

    • Cryptbot family

      cryptbot

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Vidar Stealer

      stealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      4.7MB

    • MD5

      5c237194ef77ef5ec6cbadf16c76ca03

    • SHA1

      d51ef81b1050400235cee016669d8af8d7b3ea19

    • SHA256

      18f543d16c0ba0a594d2c2af6c605ddb0220cfdb09a5e06d5c761be52ac104f6

    • SHA512

      6cc54912f11b9c73c0f4417ab4429501692b6c4281e4a81af6a261d370d97ac4dd5efd7df1ea3c7bb07f3863644943a35dad9f5fcaf5d14634f4e34dfff21a70

    • SSDEEP

      98304:xsCvLUBsgu00GH2sw2pHDddmlt5YyvlfGmzWVHv90b6krq/t7A+kDQw:xxLUCgRH6GBUlPlfG4Q90dkw

    Score
    10/10
    cryptbotnullmixerprivateloaderredlinesectopratvidarpub1aspackv2discoverydropperexecutioninfostealerloaderpersistenceratspywarestealertrojan

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • CryptBot payload

    • Cryptbot family

      cryptbot

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Vidar Stealer

      stealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks