General

  • Target

    c847880583691ca76c6ceb4cb64bc7cde2ee0074

  • Size

    9.5MB

  • Sample

    241110-arprasvke1

  • MD5

    0ecbf71727bb0b243b89f8f03d1c261a

  • SHA1

    c847880583691ca76c6ceb4cb64bc7cde2ee0074

  • SHA256

    c6516c7a85b6edc568ca129e647ea741f0a2d7bd0eadfeb7b4b4a6f0b2bfc792

  • SHA512

    4fd91bd060377ac80b5ee55990e90e9a618bba0ebf7c0302bdc7afa8fcbdb2707c24c61a392cfdeda97f25c2eb8055208904c9512fa18b6bac017ef648880356

  • SSDEEP

    196608:7FrQ88jcRKnL/86lLoz4AsiMzhU35kahzO7Kd4+zIBR6g9Bhl8CdbrTQpsE4:e8BGb8OLfpiMzWRFO7VuIGgHXFrT6sn

Malware Config

Extracted

Family

nullmixer

C2

http://6246f7513680d.com/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/vsdh41/

Extracted

Family

redline

Botnet

same

C2

116.202.106.111:9582

Attributes
  • auth_value

    6fcb28e68ce71e9cfc2aae3ba5e92f33

Extracted

Family

gcleaner

C2

appwebstat.biz

ads-memory.biz

Targets

    • Target

      96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35

    • Size

      9.6MB

    • MD5

      8c065d2f1062d9b3de4e0e3b2035e0bb

    • SHA1

      35861ffd472716aebb5a866a006e494c47dc8de2

    • SHA256

      96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35

    • SHA512

      972569ed9801ae22344bd37559bdaf4f45705ed5b2809fa7dade257f17b67c2bb8a5340dccd7eb826f99936ecbf78006da5c2b804ef54ead7bc12d00a1078d67

    • SSDEEP

      196608:JMmq1ZlHqLNFIiGjETLZf+jYkz5BXUtXFl2XeYSsX:J9+ZxmN3L5AY8qXFlidh

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      setup_installer.exe

    • Size

      9.5MB

    • MD5

      e5debd90b07e67f9b1ae38e4412c86c4

    • SHA1

      4b7e7161161709a25e5e655ee60f6eae3fa39c32

    • SHA256

      c5c7eade46a64e20a9eae3757ec58a0c62f3d7e33971bacd7064a97588af39d8

    • SHA512

      fb3bf8a363bac644f5ded4bd30ab779aa54d3e118b73893466ca93b738ad42f93ce0f3aafb7d1a1e0863f4a1506ac5faf588c344f4e812611e9c734157fe3113

    • SSDEEP

      196608:xvlB860t1YFNDe2EuiwRBCpzp02nvIpO2XLrY1omCZHf8uXW8dDxQj:xvlBb0twDiuiLpnnMfHYebHUIHDO

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks