General
- Target: 02c83f52_by_Libranalysis
- Size: 50KB
- Sample: 210511-gwv92vgnen
- MD5: 02c83f5255f43a2fae36ceb88223599e
- SHA1: 81d3a39a081d3e8d590cf911635b38fca967901a
- SHA256: 3905f32293f0f6bb16fae72b8e80e124408079824fc9b2c76c03068947f07f46
- SHA512: f978c90c97bd3207a559c2b57b98215d1a373bdc40a9f4e1857413291c43f3cde6219e34512b5130757d6dbe323b69e74e4eefd58b87aa885725debd804f7a2e
Static task: static1
Behavioral task: behavioral1
Sample: 02c83f52_by_Libranalysis.doc
Resource: win7v20210410
Malware Config
Extracted: https://bitbucket.org/tanake5518/fi/downloads/r1o.exe
Targets
- Target: 02c83f52_by_Libranalysis
- Size: 50KB
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Turns off Windows Defender SpyNet reporting
- Nirsoft
- Blocklisted process makes network request
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext