General
- Target: 4D0DCD6CBA9B3E15150F22D6F3FE296A.exe
- Size: 254KB
- Sample: 210505-e7a21qe1ta
- MD5: 4d0dcd6cba9b3e15150f22d6f3fe296a
- SHA1: df0e4a41f545a4141c62cf7c7dff06c3a24e32cc
- SHA256: fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
- SHA512: 15b8520fc474f05179077a0b2bb7857cb6ded2640367966218261e4929614a50d54036823ad1bbcc09a60fac80e78a1907f9e5da9f7080f789c7137b52fc34b6
Static task: static1
Behavioral task: behavioral1 (sample: 4D0DCD6CBA9B3E15150F22D6F3FE296A.exe; resource: win7v20210408)
Behavioral task: behavioral2 (sample: 4D0DCD6CBA9B3E15150F22D6F3FE296A.exe; resource: win10v20210408)
Malware Config
Extracted: fickerstealer
- truzen.site:80
Extracted: cryptbot
- eosytv32.top
- mormtw03.top
- payload_url: http://agnuxg04.top/download.php?file=lv.exe
Extracted: redline
- MIX 05.05
- wialadyar.xyz:80
Targets
- Target: 4D0DCD6CBA9B3E15150F22D6F3FE296A.exe
- Size: 254KB
- MD5, SHA1, SHA256, SHA512: identical to the values listed under General above
- CryptBot Payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext