General
-
Target
357ef1fdcb7bf7a66b51a197ad38485c
-
Size
3.5MB
-
Sample
241108-tkcypsxnfp
-
MD5
357ef1fdcb7bf7a66b51a197ad38485c
-
SHA1
3acca6a8bc4d733089fe98feb50416dadeb98651
-
SHA256
469b2a19deab693e53b7ea3d2c26833067fe6be1b9493505091fd9f586c54fb0
-
SHA512
e279f69f11dcb552cf0d767d7c3329e70ccb018e0b2ac747ed635097b5f03b874574b5c1b8f44379b4a366e7bdcaeb183aa3c43ce91c544d6f3995b59e1a6bcc
-
SSDEEP
49152:/yPnnpFqTsOR4Vi/v9Y2XxoGn7azOSYPpfFcwdKFlR1jkT3IhNiqTd02mY9C3ttS:Sli9Y2XxoY70OTxF0faExmYaFzoTmWs+
Static task
static1
Behavioral task
behavioral1
Sample
1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
nullmixer
http://hsiens.xyz/
Extracted
privateloader
http://45.133.1.182/proxies.txt
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
Extracted
redline
jamesbig
65.108.20.195:6774
Extracted
vidar
41
706
https://mas.to/@killern0
-
profile_id
706
Extracted
gcleaner
194.145.227.161
Targets
-
-
Target
1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15
-
Size
3.5MB
-
MD5
091972a4b28199a3dcf548286be0336c
-
SHA1
11b0289c1ad3c75c53b03e8945b21c8624d6166d
-
SHA256
1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15
-
SHA512
b581051aae417d8f84331133e7d17dd468c942150c6e896f92c396184e4af588e7aef082e954e82892d92642be226a26fdd1df064ff2490e9dfbf842f68b57ea
-
SSDEEP
98304:xbCvLUBsgXrfAcxXvULy1NJIr9Pl+hvXU29Ck:xgLUCgXrf71NW9Pl+TCk
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
Onlylogger family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT payload
-
Sectoprat family
-
Socelars family
-
Socelars payload
-
Vidar family
-
OnlyLogger payload
-
Vidar Stealer
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1