General

  • Target: 40c8505ae953230b7df57cd41ff9b958
  • Size: 9.7MB
  • Sample: 241111-ejyfpawjhq
  • MD5: 40c8505ae953230b7df57cd41ff9b958
  • SHA1: 561cf900de177b402c608af14fdcae6bd23c728f
  • SHA256: 6d42b89a86c2e85f79f6652889209d14c641cde35d7a8c43fc7ea6a657f80957
  • SHA512: 1442b879b609a6b220cf297970a1d52ac1cf43ee06e4cbbbf0c877b873b2fbf432653ca013ec1ebbbfa3a21ae7919b62ca194eb55ab15eee96f909413e9bebf2
  • SSDEEP: 196608:6KAgJI87N9cfq0El7fmLqPNLVokwYh+SpkWd1R4lKbQ24EC5tCR/FF:zn7N9cqlZPokjhh/Ru3zMtF

Malware Config

Extracted

  • Family: nullmixer
  • C2: http://6242487de156a.com/

Extracted

  • Family: socelars
  • C2: https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Extracted

  • Family: smokeloader
  • Botnet: pub3

Extracted

  • Family: gcleaner
  • C2: appwebstat.biz, ads-memory.biz

Targets

    • Target: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a
    • Size: 9.7MB
    • MD5: ac5ac3dc9105407cdcea292bbb1e2282
    • SHA1: 91ba4cf7e046e1ec164ea4e7ac930daa8aefb1e6
    • SHA256: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a
    • SHA512: dd3bbe1e448b7de46e6fa085d28404075d8c4b01bceddc7d558bcb7c2c7ce9941eac0bd3b064ee2e04eac422dbd04ca3678caa4c1decb1c85507069963dbd525
    • SSDEEP: 196608:J5OOa//h7LtA7MIYH9ohniTadHd/OjMdtJrJplMOoakfUPG8FuZOcEQUuGcu:J8Oah7RA7LYH9oRhd/oqJrHlXkfURIZy

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target: setup_installer.exe
    • Size: 9.6MB
    • MD5: e71bedc46122099d570715a1a7114d29
    • SHA1: b54aaf5dc06da686481e1801e1d7c84b731034c9
    • SHA256: bd2d33ab5f78ad9f2d7bb562dd217022694b7b737e131ee4e8ed6abc3610e3f8
    • SHA512: 4435f7735acb93666960790f8dfebc0a1374121f6295cd638eeb4c1d80199d0422d982c539fb1ebaec22b22baab8d514725a81427c7bf2ec618c911e42cefb2f
    • SSDEEP: 196608:xOri6u89eoFT6Sg+Sjp7SmWlEohbqE0fNGZDHbfxtC14kFVGlZAjxav4oKmuS5:xL6umeSTu+SjproRq8DHbf78wlZkYvl9

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • OnlyLogger payload

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks