General

  • Target

    Vape lite crack.rar

  • Size

    393KB

  • Sample

    210418-7mbfqyr6dj

  • MD5

    284bcf1376c4fea3aa9a07fc61615f47

  • SHA1

    a9d6522abaf2b73258ad9e756db876455d35613a

  • SHA256

    b31dcc7367aa09630f2b664e1bfa5b6214cc719742be9567da00be34399c35e1

  • SHA512

    9c5fdebc7040f09d3f48e6979d4e5bb2d565700076966cf86a3f0fc1aa88eb951144bf47eae5eb7de9f225816c81f7dba2b0835855f1776e508d96db7fc8e5b8

Malware Config

Targets

    • Target

      DothLibrary.dll

    • Size

      436KB

    • MD5

      5aeea45913eb8475077a9547d7d3f2f3

    • SHA1

      09931075a4fdffe7b051df6d3bc5b4a0bacdf019

    • SHA256

      ef2a67849fbe0f1c99263bf0acfddf15a1b3668e49fd9d35868e147d8a4c8c73

    • SHA512

      3f3ba1d117784aca8d6abfe84e9275da425fd23982aa1ce9af760a9e5d7cd5e9dc2e36a36cc6e190cb91e8b2c8888881cfd8feeb85c3249185d61273a1a1e0ff

    • Modifies WinLogon for persistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information (e.g. SystemBiosVersion under HKLM\HARDWARE\DESCRIPTION\System) is often read in order to detect virtualised or sandboxed environments, whose BIOS strings typically name the hypervisor.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      VapeCracked.exe

    • Size

      684KB

    • MD5

      0166a38ead8cc413deab94672174d471

    • SHA1

      02fb728d11ce37573372930da9a2df73b11c1091

    • SHA256

      abed1feb307134e7385a9dbbd4a478709949c4ba9bb4e934e4596677ea3213bc

    • SHA512

      ec2627a622a6cb79311755c9d7610de8da18eceddbffd3bbe3489224af94d464499016eb06ce6e37651201ff49f24773169efda2f7fd64ff5401aa739a14bf66

    Score
    1/10
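The registry-based signatures listed above for DothLibrary.dll (Winlogon persistence, Run key, BIOS / VirtualBox-ACPI / Wine anti-VM probes, Uninstall-key software enumeration) all reduce to matching registry operations against a small set of well-known key paths. The script below is an added example written for this page, not the sandbox's own signature engine and not output from this sample: it runs a set of such matchers over a constructed sandbox-style API trace (one "operation path" per line, as a registry API hook would record it), reports which signature names fire, and separates persistence writes from environment probes when forming a verdict. The ATT&CK technique IDs are the current Enterprise sub-technique IDs, which differ from the v6 numbering the report header refers to; the Wine and Uninstall paths are assumed hive locations, and the trace lines are invented.

```python
"""Map registry activity from a sandbox API trace onto the behaviour
signatures listed in this report. Example code for this page; the key
paths are the well-known locations each check reads or writes, and the
ATT&CK IDs are current (sub-technique era) Enterprise IDs."""
import re
from collections import defaultdict

# (signature name, ATT&CK technique, regex over "OPERATION HIVE\path[\value]")
SIGNATURES = [
    ("Modifies WinLogon for persistence", "T1547.004",
     re.compile(r"^RegSetValue .*\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)),
    ("Adds Run key to start application", "T1547.001",
     re.compile(r"^RegSetValue .*\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("Checks BIOS information in registry", "T1497.001",
     re.compile(r"^RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
    ("Identifies VirtualBox via ACPI registry values", "T1497.001",
     re.compile(r"^RegOpenKey HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Identifies Wine through registry keys", "T1497.001",
     re.compile(r"^RegOpenKey HK(LM|CU)\\Software\\Wine\b", re.I)),
    ("Checks installed software on the system", "T1518",
     re.compile(r"^RegEnumKey HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows"
                r"\\CurrentVersion\\Uninstall$", re.I)),
]

PERSISTENCE = {"Modifies WinLogon for persistence", "Adds Run key to start application"}
ANTI_VM = {"Checks BIOS information in registry",
           "Identifies VirtualBox via ACPI registry values",
           "Identifies Wine through registry keys"}

# Constructed trace lines (not recorded from the sample on this page).
# The last line is ordinary locale lookup and should match nothing.
TRACE = [
    r"RegOpenKey HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"RegOpenKey HKCU\Software\Wine",
    r"RegEnumKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    r"RegQueryValue HKCU\Control Panel\International\LocaleName",
]


def match_trace(lines):
    """Return {signature name: [matching trace lines]} for every signature hit."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for name, _tid, pattern in SIGNATURES:
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def technique_ids(hits):
    """Sorted, de-duplicated ATT&CK IDs for the signatures that fired."""
    return sorted({tid for name, tid, _ in SIGNATURES if name in hits})


def verdict(hits):
    """Persistence writes are the strong indicator; environment probes alone are
    also seen in installers and DRM, so they only raise suspicion by themselves."""
    names = set(hits)
    if names & PERSISTENCE and names & ANTI_VM:
        return "malicious: persistence combined with sandbox evasion"
    if names & PERSISTENCE:
        return "suspicious: autostart modification"
    if names & ANTI_VM:
        return "suspicious: environment probing only"
    return "benign: no signature hit"


if __name__ == "__main__":
    hits = match_trace(TRACE)
    for name, lines in hits.items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
    print("ATT&CK:", ", ".join(technique_ids(hits)))
    print("Verdict:", verdict(hits))
```

One caveat when porting this to endpoint telemetry: Sysmon only records registry key creation, deletion, renames and value writes (Event IDs 12, 13 and 14), so the Winlogon and Run-key writes are visible there, but the BIOS, ACPI, Wine and Uninstall reads are not; catching those requires an API-hooking sandbox or an ETW registry provider that logs opens and queries.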

MITRE ATT&CK Enterprise v6

Tasks