New InnoSetup Malware Created Upon Each Download Attempt

· Published 27/06/2024 09:34 · Modified 27/06/2024 09:56

Essential information

Tags
2024-06-27 dga innosetup lu0bot multistagepayload obfuscation stealc
Related entities
32 observables, 9 techniques (mitre), 3 malware

Description

This security intelligence report describes a new malware distribution technique in which malicious code is dynamically generated for each download attempt, evading detection through unique hash values. The malware, termed 'InnoLoader', disguises itself as a legitimate software installer and runs a complex sequence that downloads and executes additional payloads, including information stealers, adware, and malicious browser plugins. It employs evasion tactics such as varying C2 responses and downloading benign files to hinder analysis. The report underscores the evolving strategies threat actors use to distribute malware and compromise systems.

External references