Overview

Analysis tasks (score 10):
- static
- 742ad3be42...3e.exe on windows7_x64
- 742ad3be42...3e.exe on windows10_x64
- 8b388efb71...ed.exe on windows7_x64
- 8b388efb71...ed.exe on windows10_x64
- bce6f763f3...cf.exe on windows7_x64
- bce6f763f3...cf.exe on windows10_x64
- d380178c93...40.exe on windows7_x64
- d380178c93...40.exe on windows10_x64
- ea7a287a8e...6d.exe on windows7_x64
- ea7a287a8e...6d.exe on windows10_x64
General

- Target: 1.zip
- Size: 9.4MB
- Sample: 210701-bs4vxadwn2
- MD5: c419ccbf50da7d51e3653cef9e0d12f9
- SHA1: 321c59b811bcd2b690ca4302e6b8cf638a4a6040
- SHA256: 3730331af3c27626d8e2074e29aa6c184776c61d07f56eff6a44e2a528c8c487
- SHA512: 6207298e095aadd5ca77183c8d260f286b32f43f2be3286b3cc7421e6e8cb1e8ec24be04700604a34ad809a05ad02cd6901e73567a9527064d955769a21016ef
Static task: static1

Behavioral task: behavioral1
- Sample: 742ad3be42f5023d4fbd854fa6f1eb80054b94d537aaa32e7d7ae1db6dd6683e.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 742ad3be42f5023d4fbd854fa6f1eb80054b94d537aaa32e7d7ae1db6dd6683e.exe
- Resource: win10v20210410

Behavioral task: behavioral3
- Sample: 8b388efb71328e18ee3dd5b4c932387ddad5ee79b595751a79fe535533e2c4ed.exe
- Resource: win7v20210408

Behavioral task: behavioral4
- Sample: 8b388efb71328e18ee3dd5b4c932387ddad5ee79b595751a79fe535533e2c4ed.exe
- Resource: win10v20210410

Behavioral task: behavioral5
- Sample: bce6f763f3239bc692f34f9d6f92d6d8df6335456296940f3fe36d140818fccf.exe
- Resource: win7v20210408

Behavioral task: behavioral6
- Sample: bce6f763f3239bc692f34f9d6f92d6d8df6335456296940f3fe36d140818fccf.exe
- Resource: win10v20210410

Behavioral task: behavioral7
- Sample: d380178c93ba5b323f915df1d3f0ab7953630bdd502b699093874cae4b581d40.exe
- Resource: win7v20210410

Behavioral task: behavioral8
- Sample: d380178c93ba5b323f915df1d3f0ab7953630bdd502b699093874cae4b581d40.exe
- Resource: win10v20210408

Behavioral task: behavioral9
- Sample: ea7a287a8e15a510ef664a89ee62c1b08585573d2f6d6ba8fcd3c5e66f16a16d.exe
- Resource: win7v20210410
Malware Config

Extracted: redline
- 18_6_bl_84s7
- qitoshalan.xyz:80

Extracted: vidar
- 39.4
- 890
- https://sergeevih43.tumblr.com
- profile_id: 890

Extracted: fickerstealer
- game2030.site:80

Extracted: cryptbot
- xeibmh42.top
- mororx04.top
- payload_url: http://lopcpd05.top/download.php?file=lv.exe

Extracted: redline
- MIX 01.07
- 185.215.113.17:18597

Extracted: asyncrat
- 0.5.7B
- marcelajarakmisdhuakfsg.duckdns.org:5020
- AsyncMutex_6SI8OkPnk
- aes_key: P46q6agnmY2Ylpj71o7G1ATzxhUTccsn
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: marcelajarakmisdhuakfsg.duckdns.org
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 5020
- version: 0.5.7B

Extracted: metasploit
- windows/single_exec

Extracted: remcos
- 3.1.2 Pro
- ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZREMIX
- dominoduck2117.duckdns.org:9804
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: data.dat
- keylog_flag: false
- keylog_folder: Appdata
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-NHNHBD
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;

Extracted: vidar
- 39.4
- 517
- https://sergeevih43.tumblr.com
- profile_id: 517
Targets

Target: 742ad3be42f5023d4fbd854fa6f1eb80054b94d537aaa32e7d7ae1db6dd6683e
- Size: 3.1MB
- MD5: ce7931866cf54b812ea1b2f40720eb41
- SHA1: 0df4808c44fe7ec98d458ad1155fbbef9282960b
- SHA256: 742ad3be42f5023d4fbd854fa6f1eb80054b94d537aaa32e7d7ae1db6dd6683e
- SHA512: c3beab8c016907d32775be5096b65082d4bcd0969f120d2940ecc6fb2a846a9293b52d5c2f60baa8027d58a6e120033ba9dc5485664ec5840bd25aa647fa069d

- CryptBot Payload
- ElysiumStealer: ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- autoit_exe: AutoIT scripts compiled to PE executables.

Target: 8b388efb71328e18ee3dd5b4c932387ddad5ee79b595751a79fe535533e2c4ed
- Size: 849KB
- MD5: 8596052f4363bb3e6a757b49d0a6bc4e
- SHA1: 46c12679779db95009223d3a21ca13fc0dc4bb0b
- SHA256: 8b388efb71328e18ee3dd5b4c932387ddad5ee79b595751a79fe535533e2c4ed
- SHA512: 5d4235863c87dba5d044e019b2832783775440bc60849b901e683281f77ca26cfafbce3e384fc26448325a8157d058fe58cfa808bf60c6cea9a41841f54f29b7

- Async RAT payload
- Suspicious use of SetThreadContext

Target: bce6f763f3239bc692f34f9d6f92d6d8df6335456296940f3fe36d140818fccf
- Size: 4.5MB
- MD5: 25b0a9971369d767f9316067b35ef3b7
- SHA1: 404da37439348011195d43554a9ff3fe99cc530f
- SHA256: bce6f763f3239bc692f34f9d6f92d6d8df6335456296940f3fe36d140818fccf
- SHA512: 661f194cd158721cad97635503fa71a3754d94c63c9354f19b6f1efb5941421c95a8d89dde3eb7798fe6c2f9657673a18fdc4eb845211a55524355b2c09c03f6

- Glupteba Payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of NtCreateUserProcessOtherParentProcess

Target: d380178c93ba5b323f915df1d3f0ab7953630bdd502b699093874cae4b581d40
- Size: 1.2MB
- MD5: 953bf44c0a25a64d66503833e668e12e
- SHA1: 721b2d4aac669b9ee36a7f91cf30c6ebef4a5252
- SHA256: d380178c93ba5b323f915df1d3f0ab7953630bdd502b699093874cae4b581d40
- SHA512: c183386239dc2f5c7e22255199b3bef3a2c577acf4cd48e6d2f1fc4cf16e98f42adb8cf77ffb6ebc7de20e64f7097a013e886c6eb4d11a2f1758b224f4cc5c57

- Suspicious use of SetThreadContext

Target: ea7a287a8e15a510ef664a89ee62c1b08585573d2f6d6ba8fcd3c5e66f16a16d
- Size: 836KB
- MD5: de83876d36914f7a659a088bf267555e
- SHA1: ace23ab6e4f441cc8bfac4455db181bc1adc295d
- SHA256: ea7a287a8e15a510ef664a89ee62c1b08585573d2f6d6ba8fcd3c5e66f16a16d
- SHA512: f7a49629aee52f24ddef81e8f2927d99409ecf796a9393517876549950df3474ebb61f2f30b58a55dc2d947de43feabb81c7a8b3789ccb45b438eaefd7a9bedd

- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext