Overview

overview

10

Static

static

10

022e3c30a1...66.exe

windows7-x64

6

022e3c30a1...66.exe

windows10-2004-x64

6

043d28836f...9f.exe

windows7-x64

10

043d28836f...9f.exe

windows10-2004-x64

10

096fc162ed...c8.exe

windows7-x64

10

096fc162ed...c8.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

1ad787b5aa...62.exe

windows7-x64

10

1ad787b5aa...62.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

258cbb13ac...bd.exe

windows7-x64

3

258cbb13ac...bd.exe

windows10-2004-x64

7

25d79c1a50...7f.exe

windows7-x64

3

25d79c1a50...7f.exe

windows10-2004-x64

7

4d27dca0a1...ef.exe

windows7-x64

10

4d27dca0a1...ef.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

500e7e5c00...44.exe

windows7-x64

10

500e7e5c00...44.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

578a3a7a2b...b3.exe

windows7-x64

10

578a3a7a2b...b3.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

7dc7ca2414...84.exe

windows7-x64

3

7dc7ca2414...84.exe

windows10-2004-x64

3

96c9fde298...34.exe

windows7-x64

10

96c9fde298...34.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f

  • Size

    62.8MB

  • Sample

    241110-vy135avkbq

  • MD5

    c7436fa1de0a57da5c70db37daac39e5

  • SHA1

    15b7fe23ddeda187c10fa95a84de69f909ea529f

  • SHA256

    31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f

  • SHA512

    5a9efcb2c7c5e22fe36a162d3398b2e9a97a0995978a050f861cea0cbc273ca39991e250ae31b899e1f283dbe913f60f8fe7bf5a6d84ea92bc6ff3bf43a8aa1c

  • SSDEEP

    1572864:XlUqcnRNyTaKo/J00FboeiF+7Y9qhf09aZpndqT6Wk74AkO1eKA:XlUBemKo/JxFtiF+7Y9qZ0sZfak7WB

Score
10/10
fabookiegcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarsvidarxmrigchrisfucker2media18media20media23aspackv2discoverydropperexecutioninfostealerloaderminerratspywarestealertrojan

Malware Config

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

nullmixer

C2

http://sayanu.xyz/

http://mooorni.xyz/

http://marianu.xyz/

http://wensela.xyz/

http://gazrxlog.xyz/

Extracted

Family

redline

Botnet

media20

C2

91.121.67.60:2151

Attributes
  • auth_value

    e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

Chris

C2

194.104.136.5:46013

Attributes
  • auth_value

    9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

fucker2

C2

135.181.129.119:4805

Attributes
  • auth_value

    b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

media18

C2

91.121.67.60:2151

Attributes
  • auth_value

    e37d5065561884bb54c8ed1baa6de446

Extracted

Family

gcleaner

C2

gcl-gb.biz

45.9.20.13

Extracted

Family

redline

Botnet

media23

C2

91.121.67.60:23325

Attributes
  • auth_value

    e37d5065561884bb54c8ed1baa6de446

Targets

    • Target

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • Size

      403KB

    • MD5

      f957e397e71010885b67f2afe37d8161

    • SHA1

      a8bf84b971b37ac6e7f66c5e5a7e971a7741401e

    • SHA256

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • SHA512

      8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

    • SSDEEP

      6144:ilwYPg/USg7WFugaqIv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7FLfj:iyYI/7FugaLS2zO

    Score
    6/10
    discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

    • Target

      043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f

    • Size

      3.4MB

    • MD5

      b46fae262aee376a381040944af704da

    • SHA1

      2f0e50db7dc766696260702d00e891a9b467108c

    • SHA256

      043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f

    • SHA512

      2134c503a7abdb773d02d800e909e1372425a6d46cefa30fed8f54f4164190d836a86584de52e972bf619de06420a00e1c1ebc408d2932651e9a3b1978959d69

    • SSDEEP

      98304:xUCvLUBsg4fyvKcIpMrvwSlDyW6MfVEl5GQUI4HJ:xJLUCg4fyvjIpMrokGgCl8Q/G

    Score
    10/10
    fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8

    • Size

      4.2MB

    • MD5

      a6ba5fc790a5f555b8b6f28e7837253c

    • SHA1

      ea77f8f24c106948eb398d682826afde02c7270d

    • SHA256

      096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8

    • SHA512

      5f77a237fdeffaaefac2decb9f08fdba7d909709c3796ef3142922559a5e8c25c9c0856088c9ce9f2025dcd91aa25b48f891ae9cb1d1a28275a2ad43f48f8fa2

    • SSDEEP

      98304:J3KOJtrOPjVShZyRB2o4X0xgkwY9BdqoC:JaOTUVt+X0xgkwSMoC

    Score
    10/10
    fabookiegcleanernullmixeronlyloggerprivateloaderredlinemedia23aspackv2discoverydropperexecutioninfostealerloaderspywarestealer

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • OnlyLogger payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      setup_installer.exe

    • Size

      4.2MB

    • MD5

      c93901703b1d556d494f7a31ffb04720

    • SHA1

      d14e2dc239ac85e6020f1fc4c035f7d2ea72d262

    • SHA256

      0d5b2226f4199a3891ec836c5b54023595b4aa06d4a80e816a8d6545a0bb3631

    • SHA512

      3e31e881d7b7c74baa5ea0e8d97f86dfc6feb06ec7061f30891b7736477f2888fdb58ccaa4d8ea764249191c89e5897954515b6bfdfe6a45d51640c63c20e900

    • SSDEEP

      98304:xVCvLUBsg7YyMtiPheSGykvDinvGCy8JoyvdSaXD:xmLUCg77MMP/GyTdy2YaXD

    Score
    10/10
    fabookiegcleanernullmixeronlyloggerprivateloaderredlinemedia23aspackv2discoverydropperexecutioninfostealerloaderspywarestealer

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62

    • Size

      3.5MB

    • MD5

      e50d513140faae89008c9c433ed162a5

    • SHA1

      9b6ca10865926ae6113df2ff7f14649b9d17a153

    • SHA256

      1ad787b5aa241bdde87b30d49ad286d75e23367b833a7d7e97769ca81ac5ae62

    • SHA512

      f40b5abb0d3f1205a892c9e506c8c009d0a37785581f3b8c6f7d573d21c098ef3b3a462492b4c178b3ae51786b5ba5528959953b6df0fcf1c646e148811e00bf

    • SSDEEP

      49152:EgiKBXiwNy+eN6bAvd9jEIU/mUfY0+MQVn/aKtY0tpbGxUrLKTkMcpaTPgTUJXOB:J3pNyWbAvHEp/mv0+FViKt9icpK20a3

    Score
    10/10
    fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

    • Target

      setup_installer.exe

    • Size

      3.4MB

    • MD5

      1b16fe969e31beab26afc7060fba271b

    • SHA1

      97f350235d63a11eb5bf555d1d63f8667d47fb31

    • SHA256

      c8345b213f585dffbfc2ec8374dee34b9760c4ce5ddc02414cb90de95dd85e7e

    • SHA512

      90e72cb53e6e983ea3a02aabbb7547873162bdcd47316126c1c7c57efa1104cb6f1f4a0bf5e418a345aba088f23a6d1a02454fb5e50c5222ecfc53fda1ace882

    • SSDEEP

      98304:xbCvLUBsgD+4XFrStC2lyYNM45VXN6CVldZTkv6tK:xgLUCgC4XFrApA6Hd6GdZc6tK

    Score
    10/10
    fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

    • Size

      89KB

    • MD5

      03137e005bdf813088f651d5b2b53e5d

    • SHA1

      0aa1fb7e5fc80bed261c805e15ee4e3709564258

    • SHA256

      258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

    • SHA512

      23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

    • SSDEEP

      1536:4ZxrW2eq7mQeNzn26jO0+7I+LeScuT1Gd5anG7IW1V7hYxamr+s8jcdMTWsM/D:4bEZQC26S0+7NeSrTcTanGEWLh477MTI

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral13behavioral14

    • Target

      25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f

    • Size

      89KB

    • MD5

      ff3fffe53dee30a1c24bf86d419bd4ac

    • SHA1

      303348ffa41a6a54784ff9ba7af6c03c7cad4efd

    • SHA256

      25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f

    • SHA512

      1c11b106f4e65d31f07e54649b5ee6c2b4e29de24b51749249ff5cfdbf641f3c38946d8204ea02998a6412403cc47a68ef2e8161ec54caec853b7d8d3ced22aa

    • SSDEEP

      1536:4ZxrW2eq7mQeNzn26jO0+7I+LeScuT1Gd5anG7IW1V7hYxamr+s8jcdMTWgM/D:4bEZQC26S0+7NeSrTcTanGEWLh477MT8

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral15behavioral16

    • Target

      4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef

    • Size

      4.7MB

    • MD5

      0cc50985a2e8ae4f126dabb4b6a1c2be

    • SHA1

      4d20dd812a0b2d47f4b9b511538125a1ad5d917c

    • SHA256

      4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef

    • SHA512

      9916db8f6dcc3532d3f205d3d96154cdb511ac3b135a874f72f47be251feeedc3a83b9304f132b1e680b48b2d820dd88a2692cc1080baf88be4ffcb45d2cc439

    • SSDEEP

      98304:J2IB6bn7qZeFMO8++yA9pH2oRp7hRspTbueWyjg74Y2ObUu+Qr157DUgrXft6GT:Jq/8+LAr7OCg9QUuJ7DUgzB

    Score
    10/10
    gcleanernullmixeronlyloggerprivateloaderredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojanraccoon

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer V1 payload

    • Raccoon family

      raccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      setup_installer.exe

    • Size

      4.6MB

    • MD5

      06c46fe375c6748c533c881346b684d1

    • SHA1

      cb488c5b5f58f3adaf360b0721e145f59c110b57

    • SHA256

      07cf30eb7de3a5626ce499d5efdeba147c3c5bd40686cfc8727b4da7f9ab7d1a

    • SHA512

      bdf582b78bc5ef135260f7c93119ef315cc08836d9864014951bc6fe919e33ca3184828c70e6ab43b70730bd191a511112a088968abf03bbe4a5e17cb4276443

    • SSDEEP

      98304:xqCvLUBsgeElUaQvHpeKG5Qd0LW9fH/W5onZQfkRNZiAX:xrLUCgeEljQfsKG5QdbP/W54SMRKAX

    Score
    10/10
    gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer V1 payload

    • Raccoon family

      raccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644

    • Size

      3.4MB

    • MD5

      e635ed70bbc424514a872445893b1574

    • SHA1

      97b3796c29853ef58955a1e06c5e6b1f02a0dd7e

    • SHA256

      500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644

    • SHA512

      cded0958181fcb4c36b1aaccff193590eba0c6d92e8c4e0e089d7560cf79947112d6ef64550bdff2eb77ee2e089e8f8b79465dfb4b2f100fe7515209e0b03b0b

    • SSDEEP

      98304:JrpthAc5DB/9B0jaNOtsDM7V7tkPiHf4SB6moPKIvo:JRJ9LNOuAAPigmovo

    Score
    10/10
    fabookienullmixerprivateloaderredlinesectopratfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      setup_installer.exe

    • Size

      3.4MB

    • MD5

      bc10ee7cbbf3ea8b505c94bd655f5e50

    • SHA1

      4667e7d52e54ba83ee7c264c14171a4db0d1c444

    • SHA256

      33ea6a4e83204a0798a7a4e6d3361618e171d37342ed1b16d33b504eafb3b111

    • SHA512

      a1e2349e226e83fa041ca5ade434927c5ca2a7f4c3f322944cce829c7ae5aa47376b7a9825618d3393668751baa3b45be55c749625344764a2532e92a167815f

    • SSDEEP

      98304:xbCvLUBsgRCBWbLqJb5OD3bdBaSCyxVPAPB:xgLUCgRvZXdo70mPB

    Score
    10/10
    fabookienullmixerprivateloaderredlinesectopratfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3

    • Size

      4.6MB

    • MD5

      4f85f62146d5148f290ff107d4380941

    • SHA1

      5c513bcc232f36d97c2e893d1c763f3cbbf554ff

    • SHA256

      578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3

    • SHA512

      bc4ae4f7101b20ab649ea2a44d5da42875af5068c33c1772960c342cc8731bddfdabd721fb31a49523ea957615252d567a00346035bddacfa58cf97853587594

    • SSDEEP

      98304:JBw9RoHv20QUG38f+A5SeNU0sDDBKaWFEW07YqoBEstLcU4v1HbQS:J29+e0QJMPLU0s/BKjEW0LALcvbQS

    Score
    10/10
    gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer V1 payload

    • Raccoon family

      raccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      setup_installer.exe

    • Size

      4.6MB

    • MD5

      d0fbd06f5709db11a8b2449a1b919251

    • SHA1

      83f4610e15b613668b9ebad734dbc2f8fbefc614

    • SHA256

      e94188908546b2f00a506d7596d3673b814ab62173967b3d258422877bc56f84

    • SHA512

      c82970a78fba054ec6e9a962a43ca6fb94ddd3a0d744dd5b9d04a014f541e6da8038497c2ba15403df12600372cb624caf6e672eeac6915f680b062efeae1e8b

    • SSDEEP

      98304:xACvLUBsg0qq4T7AkqMOPG5730iWJQ/lv5FCknu6zN:x9LUCgfRT7AjMIG573+gB5AknLR

    Score
    10/10
    gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer V1 payload

    • Raccoon family

      raccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084

    • Size

      96KB

    • MD5

      c202f1103c957930ec4cc01b43dfd472

    • SHA1

      ffed9fc2e035d31f1b2e098471e8ec70334ff9fc

    • SHA256

      7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084

    • SHA512

      569aa632a2677cb9d1b0186f19676161853ceea55cb6ee94cfcc6ad4b558c57a2694ab0d2dc541484e4099530b2aab742b95d08c093150efa6585d98ce6356e4

    • SSDEEP

      1536:F+Td2NTQCqdNeTOG/Yyz17QmSYYIKgD3DDO7y8VNCYX/isWcgIcdnws8nBsIHWf+:F+ATqPatQy57QGYFq3Dy7yKCS6JnNcWm

    Score
    3/10
    discovery
    behavioral29behavioral30

    • Target

      96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434

    • Size

      7.0MB

    • MD5

      42fff45c940c819040ca8920fbb405cc

    • SHA1

      753821199880873e232bbe95ab2beb4ad0b6797c

    • SHA256

      96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434

    • SHA512

      7943f9d50e11fae6e3bc1a2fdf05bf5a1a96e3366948157ae1067e4f7834f692f1d2a59cf7fe4ef13e773596ca5a0ad26d62bbd285412550c01d02c1d4f7a05f

    • SSDEEP

      98304:1AeVWwuSDrUwc6WxbYUUaoBJdjW/ViuqA0t7MWcdkWHgwHTsH4H5iC+JYUCnTPlW:3WwumIuWxtPcsVQA0tIqfuLrUCTt0h

    Score
    10/10
    vidarxmrigdiscoveryminerstealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Vidar Stealer

      stealer

    • XMRig Miner payload

      miner

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

loaderprivateloader
Score
10/10

behavioral1

discovery
Score
6/10

behavioral2

discovery
Score
6/10

behavioral3

fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral4

fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral5

fabookiegcleanernullmixeronlyloggerprivateloaderredlinemedia23aspackv2discoverydropperexecutioninfostealerloaderspywarestealer
Score
10/10

behavioral6

fabookiegcleanernullmixeronlyloggerprivateloaderredlinemedia23aspackv2discoverydropperexecutioninfostealerloaderspywarestealer
Score
10/10

behavioral7

fabookiegcleanernullmixeronlyloggerprivateloaderredlinemedia23aspackv2discoverydropperexecutioninfostealerloaderspywarestealer
Score
10/10

behavioral8

fabookiegcleanernullmixeronlyloggerprivateloaderredlinemedia23aspackv2discoverydropperexecutioninfostealerloaderspywarestealer
Score
10/10

behavioral9

fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral10

fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral11

fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral12

fabookienullmixerprivateloaderredlinesectopratchrisfucker2media20aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
7/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
7/10

behavioral17

gcleanernullmixeronlyloggerprivateloaderredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral18

gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral19

gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral20

gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral21

fabookienullmixerprivateloaderredlinesectopratfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral22

fabookienullmixerprivateloaderredlinesectopratfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral23

fabookienullmixerprivateloaderredlinesectopratfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral24

fabookienullmixerprivateloaderredlinesectopratfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral25

gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral26

gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral27

gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral28

gcleanernullmixeronlyloggerprivateloaderraccoonredlinesectopratsocelarschrisfucker2media18aspackv2discoverydropperexecutioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

vidarxmrigdiscoveryminerstealer
Score
10/10

behavioral32

vidarxmrigdiscoveryminerstealer
Score
10/10