General

  • Target

    2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6

  • Size

    6.9MB

  • Sample

    241109-kz78qa1hmk

  • MD5

    3fbac86ed0aa4fe2aab4e62748550746

  • SHA1

    64b0e33dd3dca744e0ac48b70b17ccaae8e71619

  • SHA256

    2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6

  • SHA512

    25437b69fefcfc4f988130abf6334ab52d871f3f608684cf59a6cc005cb4b642e68b8180ea20a569bcca8aa0aa3558c070be2643a3b279a90054de23fa4fb8af

  • SSDEEP

    196608:XwoExAku0xtgpFdLzOiM58cgv0iTFiWSk:XwoSAD0tUzOiQV/qFiWSk

Malware Config

Extracted

Family

socelars

C2

http://www.anquyebt.com/

Extracted

Family

nullmixer

C2

http://hornygl.xyz/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

redline

Botnet

media262231

C2

92.255.57.115:11841

Attributes
  • auth_value

    5e0e6c3491655e18f0126b2b32773d57

Extracted

Family

gcleaner

C2

appwebstat.biz

ads-memory.biz

Targets

    • Target

      174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e

    • Size

      6.9MB

    • MD5

      2db59bc805ebb1b8b1a947b15684e899

    • SHA1

      97e2beaa6bcddf9b27a1175352a85fc769d88597

    • SHA256

      174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e

    • SHA512

      e3849f480698c82229f49914d0cfb3dd2d836e492f2eaea3f26170a12d08cc591aaf17efb0798d75456997ef846d5180653549268925afcdefdb4bbd17229e46

    • SSDEEP

      196608:JFyORANUm677HoE/IEyu9vAhzsN4MlPbuumo8YG:J4OS+m67c+IkhAhI/lPbuldb

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • OnlyLogger payload

    • Blocklisted process makes network request

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      setup_installer.exe

    • Size

      6.9MB

    • MD5

      d3e22d7fcc478eaf4b9e03a8a5038c12

    • SHA1

      bfa29d4c2535b479102cd37c4a7f4245961daeb3

    • SHA256

      6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656

    • SHA512

      83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956

    • SSDEEP

      196608:xkYTPwdk38Jcv2PH7iFO4SzNWRDLR2/oyRZ156yoJ2YWc:xkYTodk30cvIHV4ShYL8oIZ18TP

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • OnlyLogger payload

    • Blocklisted process makes network request

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks