General
-
Target
c847880583691ca76c6ceb4cb64bc7cde2ee0074
-
Size
9.5MB
-
Sample
241110-arprasvke1
-
MD5
0ecbf71727bb0b243b89f8f03d1c261a
-
SHA1
c847880583691ca76c6ceb4cb64bc7cde2ee0074
-
SHA256
c6516c7a85b6edc568ca129e647ea741f0a2d7bd0eadfeb7b4b4a6f0b2bfc792
-
SHA512
4fd91bd060377ac80b5ee55990e90e9a618bba0ebf7c0302bdc7afa8fcbdb2707c24c61a392cfdeda97f25c2eb8055208904c9512fa18b6bac017ef648880356
-
SSDEEP
196608:7FrQ88jcRKnL/86lLoz4AsiMzhU35kahzO7Kd4+zIBR6g9Bhl8CdbrTQpsE4:e8BGb8OLfpiMzWRFO7VuIGgHXFrT6sn
Static task
static1
Behavioral task
behavioral1
Sample
96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
setup_installer.exe
Resource
win7-20240903-en
Malware Config
Extracted
nullmixer
http://6246f7513680d.com/
Extracted
smokeloader
pub3
Extracted
socelars
https://sa-us-bucket.s3.us-east-2.amazonaws.com/vsdh41/
Extracted
redline
same
116.202.106.111:9582
-
auth_value
6fcb28e68ce71e9cfc2aae3ba5e92f33
Extracted
gcleaner
appwebstat.biz
ads-memory.biz
Targets
-
-
Target
96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35
-
Size
9.6MB
-
MD5
8c065d2f1062d9b3de4e0e3b2035e0bb
-
SHA1
35861ffd472716aebb5a866a006e494c47dc8de2
-
SHA256
96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35
-
SHA512
972569ed9801ae22344bd37559bdaf4f45705ed5b2809fa7dade257f17b67c2bb8a5340dccd7eb826f99936ecbf78006da5c2b804ef54ead7bc12d00a1078d67
-
SSDEEP
196608:JMmq1ZlHqLNFIiGjETLZf+jYkz5BXUtXFl2XeYSsX:J9+ZxmN3L5AY8qXFlidh
-
Detect Fabookie payload
-
Fabookie family
-
Nullmixer family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Smokeloader family
-
Socelars family
-
Socelars payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer.exe
-
Size
9.5MB
-
MD5
e5debd90b07e67f9b1ae38e4412c86c4
-
SHA1
4b7e7161161709a25e5e655ee60f6eae3fa39c32
-
SHA256
c5c7eade46a64e20a9eae3757ec58a0c62f3d7e33971bacd7064a97588af39d8
-
SHA512
fb3bf8a363bac644f5ded4bd30ab779aa54d3e118b73893466ca93b738ad42f93ce0f3aafb7d1a1e0863f4a1506ac5faf588c344f4e812611e9c734157fe3113
-
SSDEEP
196608:xvlB860t1YFNDe2EuiwRBCpzp02nvIpO2XLrY1omCZHf8uXW8dDxQj:xvlBb0twDiuiLpnnMfHYebHUIHDO
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
Onlylogger family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Smokeloader family
-
Socelars family
-
Socelars payload
-
OnlyLogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1