Overview

overview

10

Static

static

3

d1d2ed561c...18.exe

windows7-x64

10

d1d2ed561c...18.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d1d2ed561cc81996d7f28424253acac7_JaffaCakes118

  • Size

    3.5MB

  • Sample

    241207-lt69xaxkez

  • MD5

    d1d2ed561cc81996d7f28424253acac7

  • SHA1

    ce71aa0cadf61f081f22890fbb391cc536068942

  • SHA256

    8f2789b6a628a92f9f6313305b255c405f867c49161bb864263dcfef5a6f712d

  • SHA512

    226055b7e8ea364e786f12f3fed7815e15755dea2eed15c20873cc2b01261661f75c2ea3b2d1ac1a85c0cbb82edd91c5e461ba5091ef2ff38087fad9a1f4ae6b

  • SSDEEP

    49152:Eg5CcEMhKKA4iNE41WnmZLaFDZGxJyq4sBxNtBSZYT+D+yP7kipYYvwDmly4Bg7+:J5CcEMhdrz4TSDZynVB78dKYYD90VSlI

Score
10/10
fabookienullmixerprivateloaderredlinesectopratvidar706servaniaspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupx

Malware Config

Extracted

Family

nullmixer

C2

http://sokiran.xyz/

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com/

Attributes
  • profile_id

    706

Targets

    • Target

      d1d2ed561cc81996d7f28424253acac7_JaffaCakes118

    • Size

      3.5MB

    • MD5

      d1d2ed561cc81996d7f28424253acac7

    • SHA1

      ce71aa0cadf61f081f22890fbb391cc536068942

    • SHA256

      8f2789b6a628a92f9f6313305b255c405f867c49161bb864263dcfef5a6f712d

    • SHA512

      226055b7e8ea364e786f12f3fed7815e15755dea2eed15c20873cc2b01261661f75c2ea3b2d1ac1a85c0cbb82edd91c5e461ba5091ef2ff38087fad9a1f4ae6b

    • SSDEEP

      49152:Eg5CcEMhKKA4iNE41WnmZLaFDZGxJyq4sBxNtBSZYT+D+yP7kipYYvwDmly4Bg7+:J5CcEMhdrz4TSDZynVB78dKYYD90VSlI

    Score
    10/10
    fabookienullmixerprivateloaderredlinesectopratvidar706servaniaspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupx

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      3.5MB

    • MD5

      d642b666edc8814e7013690208789710

    • SHA1

      11b6b1410047bd850eec841eb7088ccb14157b12

    • SHA256

      e29c7207e9f59b69cfa032c6af951e713f7fe96aa2362511afb28900c9f875c9

    • SHA512

      ac82ca53920f1118038cf174e551825550cbde14f6af3cb0ab7b8eb3c315767222274f71cb4bad02e33af7438a60986c6828a17fe5903bcfbe3911952e90bb87

    • SSDEEP

      98304:xa18Q47B86LZ1IYD4PfUCvLUBsK/NFpaz26:xy8Q1mZ1I64PRLUCKVXaK6

    Score
    10/10
    fabookienullmixerredlinesectopratvidar706servaniaspackv2discoverydropperevasioninfostealerratspywarestealertrojanupxprivateloaderloader

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.