General
Target: d591818f6fb84db3add31f0613e5cd32d12bf270f48d5da2b3d6369c555da214
Size: 4.1MB
Sample: 241108-sne2ssvblb
MD5: cf15f7bd68567cb7d477efaf605caaec
SHA1: 750278f91ea02d3cc295201c50c67ca6f4ff2091
SHA256: d591818f6fb84db3add31f0613e5cd32d12bf270f48d5da2b3d6369c555da214
SHA512: 24c6e69905a0ea072a843e1b8b7c518077fdd4ad9621b95d4de1f7b9c9ba7406c1f2743314f5374de8b88c7ae9206f627b0de1ef82c0624dfc775c85e689ae1f
SSDEEP: 98304:XcGx5HX8MoUSBDUc8upHYIomjeGEZZsxhHkncF8IrwfX7Rnjh:sGTMlHBl4I9xHkcmuwT5h

Static task: static1
Malware Config
Extracted: nullmixer
  http://hsiens.xyz/
Extracted: socelars
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.fcektsy.top/
Extracted: gcleaner
  194.145.227.161
Targets
Target: setup_installer.bin
Size: 4.1MB
MD5: 2181742f9ce60225fec76568093c64b9
SHA1: 2e675b68a7bd8b8af090a1cf0b6f8362760f229f
SHA256: c200e71fb51bbdbd3cbf1a487d41bf99f4f9357387fa53985db847e635b029c3
SHA512: cb19ef65fbf8264fdb7e18ba22594b7f246932b7cd4822d934a9ba4b9aa57a2b6615c8fbd21f5072fbfe568df25df7617c4a1e9d7d47bd3c938a69b946601bfa
SSDEEP: 98304:xhCvLUBsg8XmfjODwoiSii9J8wW0wANElQgfmXlVmY0ngkSWiKl:xqLUCg8XWjOdse+Q0mXlVB5kSWiq

Detect Fabookie payload
Fabookie family
Gcleaner family
Nullmixer family
Onlylogger family
Socelars family
Socelars payload
Vidar family
OnlyLogger payload
Vidar Stealer
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software installed on the system.
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation information.
MITRE ATT&CK Enterprise v15
Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
  Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
  Unsecured Credentials (2)
  Credentials In Files (2)