Overview

overview

10

Static

static

3

x86_x64_setup.exe

windows7-x64

10

x86_x64_setup.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ef27b0de816b9e1e7eadfe710a1c5943eb6ef7b207cf63d75aa4aeff1236cbe8

  • Size

    3.3MB

  • Sample

    241111-jbwz4svhpn

  • MD5

    c8549d0e83082a7804f66e5f06e6e24e

  • SHA1

    1565e56052687ee89078c2c31dc53584ca703701

  • SHA256

    ef27b0de816b9e1e7eadfe710a1c5943eb6ef7b207cf63d75aa4aeff1236cbe8

  • SHA512

    fe2efd71653bb5d5dd8e176e8991d7af43231e1a02fe6610a8a2880e24fbb60ccb373a63237393518e6befacf8ce9473c9153de21a47ffa74e31d755730c2c72

  • SSDEEP

    49152:fmnSSi9OrZ2J/Vbqp3ILKlhSAuyJqfBwkiha7iNSXpqirxw5hQYvOnSFSzmZY:fmOcrMhVbKx+lKksKK0pqirxwjQxMY

Score
10/10
fabookienullmixerprivateloaderredlineriseprosectopratvidar706cananewaniaspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupx

Malware Config

Extracted

Family

nullmixer

C2

http://razino.xyz/

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

redline

Botnet

NewAni

C2

changidwia.xyz:80

Targets

    • Target

      x86_x64_setup.bin

    • Size

      3.3MB

    • MD5

      dc86e6b47b6cafd7e3fe119562ecc459

    • SHA1

      16446c65547cb9e2b549a64d524fb7eb04b4d79e

    • SHA256

      97684c32074833dcd6f52e6dcdda9287e62a9b0f240806db4a7cd4c503976f3f

    • SHA512

      741b150585f23aff59159182630f8a7ffb17b704b8d22dc8a0ffeec03abfedef31cfdc9d2f714c35319adc5383a0dbc7059bf1e3547adb2196a247f7397917bf

    • SSDEEP

      98304:JLUqeOgef2fJDpG8+KGWtwYeYSZQ1HDfIdl1IlazvSF0zm:JJBgcuHqYX/yBUOv0sm

    Score
    10/10
    fabookienullmixerprivateloaderredlineriseprosectopratvidar706cananewaniaspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupx

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Risepro family

      risepro

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      3.3MB

    • MD5

      d0d79210af6cea34d0915e2e06bbafd6

    • SHA1

      a5ccfe6d6bdf82483f29890518bc510227afc6db

    • SHA256

      83515d91df5fdb7c8a5468b12ba163df6e2a7ee90d4d3c00e1aa22b97e3a6519

    • SHA512

      c0f3af7eaf189084d47b829f663cb2eba20ca380c3ed4e7ee790959ec5cba2b3befcc61895656507eb336362421411dba86241affba8d3e9b6024f5247456dd5

    • SSDEEP

      98304:xJ18Qt/Mfl+4Y5GFvrj1lT83ajvcq/7CvLUBsKA:xX8QtW+4Y5Gpj1lmwcq/ALUCKA

    Score
    10/10
    fabookienullmixerprivateloaderredlineriseprosectopratvidar706cananewaniaspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupx

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Risepro family

      risepro

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks