General

  • Target

    476257ebcbb7ecfa831e625b1d110d6b

  • Size

    7.8MB

  • Sample

    241109-gm1fka1rhl

  • MD5

    476257ebcbb7ecfa831e625b1d110d6b

  • SHA1

    0fe7b399f9acfaf448662eb500ba062ffd6e5b91

  • SHA256

    f588626ae93f8d280520dc8a46009d01c68129006b6786641a458963af97b5bc

  • SHA512

    83a4ed5e0faba1bf132d397ca1122d662e0951f714756c8da7c9c92e2c5f97a1af16d377ddf39a0c2d578f23d003f8ad5f1a689215dc8a88485f00d4df953a9c

  • SSDEEP

    196608:JOk1nkZIuVQHasQWXYZ/Bw9AVHPeDZj2VPkRASLYnH1jyPrYVW:J/nkZ5VQ6DWX6cAVHPOpJRA/nVmT

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

C2

31.210.20.149

212.192.241.16

212.192.246.217

203.159.80.49

Extracted

Family

redline

Botnet

bernard05

C2

141.95.211.151:34846

Attributes
  • auth_value

    0ca8e0ce5f601474792a9d04a56b69f8

Targets

    • Target

      476257ebcbb7ecfa831e625b1d110d6b

    • Size

      7.8MB

    • MD5

      476257ebcbb7ecfa831e625b1d110d6b

    • SHA1

      0fe7b399f9acfaf448662eb500ba062ffd6e5b91

    • SHA256

      f588626ae93f8d280520dc8a46009d01c68129006b6786641a458963af97b5bc

    • SHA512

      83a4ed5e0faba1bf132d397ca1122d662e0951f714756c8da7c9c92e2c5f97a1af16d377ddf39a0c2d578f23d003f8ad5f1a689215dc8a88485f00d4df953a9c

    • SSDEEP

      196608:JOk1nkZIuVQHasQWXYZ/Bw9AVHPeDZj2VPkRASLYnH1jyPrYVW:J/nkZ5VQ6DWX6cAVHPOpJRA/nVmT

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      setup_installer.exe

    • Size

      7.8MB

    • MD5

      62c031e5a7ff452d122856ceb0fab07d

    • SHA1

      d4ec184055acd1fa5cee0e9a0af478ce21c6921d

    • SHA256

      e2ccabb2928b7d5f92e55cc60a4ed9e9e0c67349b393adf6eb8072980f5ebefa

    • SHA512

      019cebfbf9bb36c1a57494332e724aac6d3e8afd35a76ed01ee337191c0faf46822f339db883340132ec4d433fee31afd315620c3d705f989b6d0d8750d5c67c

    • SSDEEP

      196608:xoYSPl5z0o/SJsI5von1MTtZfXSjUrJvO3toM/6r:xoYAlB0oaayvwMTnSSJvOadr

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks