General

  • Target

    x86_x64_setup.exe

  • Size

    4.3MB

  • Sample

    250513-v6d9bsyxdx

  • MD5

    415eb2a265e348e630a1f460a462240a

  • SHA1

    189494a1c18c0a144ea49ec1f72480c32e777e4e

  • SHA256

    6d29006485decfbf2f980135e87de1c5392f2207e382211dca5c7d1bdaa32947

  • SHA512

    4bd5635ce1477de65582f134a8b18cf10bc1b26dc834cb3c1faaf024f00657d592ef822ae95f7e9eaf2b331e70b9a54cfd35cc2bbd852b60c243dc47a184fcab

  • SSDEEP

    98304:Jr8fbFReiQn4t5KXMmWJtMlEbihwVDgC3+5248stv9NUu4Swl6zlt5oSK:Jr8pRFQM5rlXihwZl3U2RiUu1lt5u

Malware Config

Extracted

Family

nullmixer

C2

http://razino.xyz/

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

redline

Botnet

Ani

C2

detuyaluro.xyz:80

Targets

    • Target

      x86_x64_setup.exe

    • Detect Fabookie payload

    • Detect ZGRat V2

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Zgrat family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks