Overview

overview

10

Static

static

3

setup_x86_...l3.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    setup_x86_x64_install3.exe

  • Size

    7.1MB

  • Sample

    250513-xdxajsypy2

  • MD5

    4b2f083706cd4d27905d9ae767e5e108

  • SHA1

    4b6f4f9bfd561d01d2b392d4846f517730b2e117

  • SHA256

    6e4d9abc645cabc745bdbc1414a505e657156ed49403e74cb3f1edb393510524

  • SHA512

    c3d8e12e44eeb2c048dc4795ee09e2a77934cd3931b05071bdd608ac0f86ca114255936233d8951a168d6089e36728e4f4d0eddd3d7f1e721da825538578a90d

  • SSDEEP

    196608:JQBZQVQa6dAAo6d+E3u/T0Jo5KAuigEwCq:J4Z+QaYJd+O1Auig9Cq

Score
10/10
fabookienullmixerredlinesocelarsvidar915media20nv3user1aspackv2discoverydropperexecutioninfostealerspywarestealer

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

nullmixer

C2

http://kelenxz.xyz/

Extracted

Family

redline

Botnet

media20n

C2

65.108.69.168:13293

Attributes
  • auth_value

    c66c58bd1c5c7f021227a8dae1d7d65d

Extracted

Family

redline

Botnet

v3user1

C2

159.69.246.184:13127

Attributes
  • auth_value

    54df5250af9cbc5099c3e1e6f9e897c0

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47
Attributes
  • profile_id

    915

Targets

    • Target

      setup_x86_x64_install3.exe

    • Size

      7.1MB

    • MD5

      4b2f083706cd4d27905d9ae767e5e108

    • SHA1

      4b6f4f9bfd561d01d2b392d4846f517730b2e117

    • SHA256

      6e4d9abc645cabc745bdbc1414a505e657156ed49403e74cb3f1edb393510524

    • SHA512

      c3d8e12e44eeb2c048dc4795ee09e2a77934cd3931b05071bdd608ac0f86ca114255936233d8951a168d6089e36728e4f4d0eddd3d7f1e721da825538578a90d

    • SSDEEP

      196608:JQBZQVQa6dAAo6d+E3u/T0Jo5KAuigEwCq:J4Z+QaYJd+O1Auig9Cq

    Score
    10/10
    fabookienullmixerredlinesocelarsvidar915media20nv3user1aspackv2discoverydropperexecutioninfostealerspywarestealer

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Vidar Stealer

      stealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1

MITRE ATT&CK Enterprise v16

Tasks

OSZAR »