General

  • Target

    a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb

  • Size

    7.0MB

  • Sample

    241109-kzhcas1hlk

  • MD5

    427e7b72d31cf76f2f36deb3eb762cc4

  • SHA1

    08be2960808aa7cde50c5806d5d8aafb8363ca8d

  • SHA256

    a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb

  • SHA512

    9a5370c8a928f09ba28afe01f7f01587cb734f5ace6225400812ecbed38910f5e67f7e6499a21cee63fa7c1cd158010385ad3a69b18f63c12b75f29ec356d71d

  • SSDEEP

    196608:BQWQxiK1pW2xVaP0MuZB9iZx78Ev2KYgbmY1D6PscFu:Sxt1pNxVaP5z99vEgyaiu

Malware Config

Extracted

Family

nullmixer

C2

http://621f9481e1e2d.com/

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

C2

appwebstat.biz

ads-memory.biz

Extracted

Family

redline

Botnet

media60603

C2

92.255.57.154:11841

Attributes
  • auth_value

    32ca3353c43f67b3879fce4660e9c65d

Targets

    • Target

      0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6

    • Size

      7.1MB

    • MD5

      1f6e0a406d4d8dbd2c113d3565dbe7a8

    • SHA1

      dc5a439e7a0e918494c1065fe15d4bbe2b9b33be

    • SHA256

      0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6

    • SHA512

      59310d8756a63d7df6c05a6ae78721d8339913bca4b47e076a60cdc95071bd690648c1e298bd29510fc252d813a0ea3dc05d7cdf07ef243770722d4fe1b8e59c

    • SSDEEP

      196608:xtgdzQIV48kCWgj0JSk2apV4f0PxHtJvMYOYqF06pamS:xtgdz1V4tC3j08k2apyf0pHtWYkC2amS

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks