General

  • Target

    00646821a7a4410e7e4dc44c57de03e59df39f82dd2cc435b00f3c35b7b80b9c

  • Size

    2.8MB

  • Sample

    241110-arvybavhkk

  • MD5

    df21bec744b2d8d506ffaf3093e98e21

  • SHA1

    935d3a9ac24a56149cc5893b8beef0d679f54fb7

  • SHA256

    00646821a7a4410e7e4dc44c57de03e59df39f82dd2cc435b00f3c35b7b80b9c

  • SHA512

    8d0fe8017ebcc965b41ab1006f1fbb208a7d5d9a188babf1fbe048a87fa5b7621b2f8abbbff22cde3cba5398054d88c8059ae1bb70ec8b6744fe3fe631715033

  • SSDEEP

    49152:tygo166/fgpy+bYEAs5KWpKUg8lD8qSYILztphrZlMycUrbGH/vlrKcax87DW:KPnOVYELpbg8lDmHhr3IUr8/wxIW

Malware Config

Extracted

  • Family: nullmixer
  • C2: http://sornx.xyz/

Extracted

  • Family: socelars
  • C2:
    http://www.iyiqian.com/
    http://www.xxhufdc.top/
    http://www.uefhkice.xyz/
    http://www.fcektsy.top/

Extracted

  • Family: gcleaner
  • C2: 194.145.227.161

Targets

    • Target

      446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766

    • Size

      2.8MB

    • MD5

      d66dc705a3856467500a3b14e69e418e

    • SHA1

      e1ae164a5855f4a98ceaeddaf2fae952a178ec34

    • SHA256

      446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766

    • SHA512

      1b8b1dc3d3c1f8fc4e4a9e65079058cf4ae86990ac1efcd7e4104fe4dfc44161facef715469e3c99791e8cc6e29c88137e1ab56d8d12e83a8c35197e771d9a52

    • SSDEEP

      49152:xcBhEwJ84vLRaBtIl9mVUDMp0dMCfL+YD/tXZVixqYVWcagyS+IEuvJEjIQhpHrx:xHCvLUBsgoAsq6tJVi5aXInvEjhBrRz

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • OnlyLogger payload

    • Vidar Stealer

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks