Overview

overview

10

Static

static

a6a62f2848...d4.exe

windows7_x64

10

a6a62f2848...d4.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a6a62f2848be6b0d8cdb1372f5ed58d4.exe

  • Size

    7.0MB

  • Sample

    210505-yc46hm2skj

  • MD5

    a6a62f2848be6b0d8cdb1372f5ed58d4

  • SHA1

    7d3d18501a0480e99a44a6b3cfa5a686cfe1930d

  • SHA256

    7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191

  • SHA512

    b4b617aba40aa691194978ebb70865b32445e7bdc5966524c392600cf6392fe7cf491ebf6b4fd71fec87d1c4c1c2e58c147094dc61045560363b4a7026d0af52

Score
10/10
fickerstealerredlinexmrigbaskarservnewruzkidiscoveryinfostealerminerpersistenceupxvmprotect

Malware Config

Extracted

Family

redline

Botnet

baskarservnew

C2

87.251.71.193:20119

Extracted

Family

redline

Botnet

RUZKI

C2

Sthellete.xyz:80

Extracted

Family

fickerstealer

C2

truzen.site:80

Targets

    • Target

      a6a62f2848be6b0d8cdb1372f5ed58d4.exe

    • Size

      7.0MB

    • MD5

      a6a62f2848be6b0d8cdb1372f5ed58d4

    • SHA1

      7d3d18501a0480e99a44a6b3cfa5a686cfe1930d

    • SHA256

      7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191

    • SHA512

      b4b617aba40aa691194978ebb70865b32445e7bdc5966524c392600cf6392fe7cf491ebf6b4fd71fec87d1c4c1c2e58c147094dc61045560363b4a7026d0af52

    Score
    10/10
    fickerstealerredlinebaskarservnewruzkidiscoveryinfostealerpersistenceupxvmprotectxmrigminer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner Payload

      miner

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks