General

Target: onestep_817601070.zip
Size: 7.3MB
Sample: 210722-wg9q4s96hs
MD5: ef2e062a5b07bb61118cc0b50e0e392b
SHA1: d35819f7d5a6b30465a7f877982ee42f53062d02
SHA256: 046942c430f910e16c224d3109007c9855c0529e84cc9bf911845c62ac018186
SHA512: 051cc370b0cb8bf72cfea60bbea8327ef1168d84eeecb1d2fe7767770be9c5d5fa2ae4b9fd36a180006bcccccfe59ad4a3548fc7de058d4222ac5b9802c8e199
Static task: static1

Behavioral task: behavioral1
Sample: _vcofsoig.nfn.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: _vcofsoig.nfn.exe
Resource: win10v20210408

Behavioral task: behavioral3
Sample: onestep_817601070.exe
Resource: win7v20210410
Malware Config

Extracted: redline
180721
cookiebrokrash.info:80

Extracted: redline
KO1000000
qusenero.xyz:80

Extracted: cryptbot
smasrp42.top
morbea04.top
payload_url: http://gurdgo06.top/download.php?file=lv.exe

Extracted: redline
23.07
185.215.113.15:61506

Extracted: redline
lujo
45.67.228.116:49859
Targets

Target: _vcofsoig.nfn.exe
Size: 2.1MB
MD5: 2c6fa0b31d84f67377ddd6ea2799b752
SHA1: cf0b9d9c65829009eba7c1a5845be69be5e2e837
SHA256: 1c5c3a3fa4fdd0ea52166d9a924fac13883e5c5797b9acd89dace63e1a468f6f
SHA512: 9beaa08110453de703105a17cf6237f099b069bfd913381af334b8f61f8f69c16648f84afe3852a361a934563a27178389a1077ede1a267312394c483d941ce6
Score: 4/10

Target: onestep_817601070.exe
Size: 7.0MB
MD5: 9815414bc96392ce89a88d0c7c46585a
SHA1: 56deb0499d6a67d90b5bf92a597456fd1a05535c
SHA256: 75d4cd9fa27ad0133285d39729bc676b4062f0856e4315bf9232d5123795ce0d
SHA512: 2dff98fa978db9fb30adfec10b13e084784381441a97ef4675c8c9ccaa2302cb72111f3e6c7265076f818a0f929b9495ea314919997748f5b3797d8371e44a13
- CryptBot Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- autoit_exe
  AutoIT scripts compiled to PE executables.