General
Target: nig.zip
Size: 6.7MB
Sample: 210723-6qennlqfva
MD5: dcb6993bb2cec802b06658387708ca06
SHA1: e63e805bb33a83f03a8bdcb7453582671a6e2082
SHA256: 1f9e72a8f9abba11621d157c4f8039d9b3d2451ae451a958efc014f6b084a0f4
SHA512: 2da72c559476dd42bebb66db22f740299b8b7051b5c76d94cdab29b70d3f9ad69fff9c823132f5a7bfb0be0e71cbb6d57b4d1e7c574fdd6d0827cd76f5662327
Static task
static1

Behavioral task
behavioral1
Sample: Star-Wars-Battlefron_821352007.exe
Resource: win7v20210408

Behavioral task
behavioral2
Sample: Star-Wars-Battlefron_821352007.exe
Resource: win10v20210410

Behavioral task
behavioral3
Sample: _vcofsoig.nfn.exe
Resource: win7v20210410

Behavioral task
behavioral4
Sample: _vcofsoig.nfn.exe
Resource: win10v20210408
Malware Config

Extracted
Family: redline
Botnet: 230721
C2: cookiebrokrash.info:80

Extracted
Family: redline
Botnet: KO1000000
C2: qusenero.xyz:80

Extracted
Family: vidar
Version: 39.7
Botnet: 818
C2: https://shpak125.tumblr.com/
Attributes
profile_id: 818

Extracted
Family: cryptbot
C2: smaokt52.top
C2: morzie05.top
Attributes
payload_url: http://gurqfo07.top/download.php?file=lv.exe

Extracted
Family: redline
Botnet: 24.07
C2: 185.215.113.15:61506
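The extracted configs above are the actionable part of the report. The script below is an added example, not part of the sandbox report, that turns them into a matcher over proxy and DNS log lines. The hostnames, the IP:port pair, the tumblr profile URL and the CryptBot payload URL are the report's; the log format and the log lines are constructed for illustration. Note how the Vidar indicator is matched: as the full profile URL, not the tumblr.com domain, since the domain itself is a legitimate hosting service.

```python
"""IOC matcher for the C2 indicators in the Malware Config section.

Added example, not part of the sandbox report. Indicators are copied from the
report; the log format and the sample log lines are constructed.
"""
from urllib.parse import urlparse


def _norm_url(url: str) -> str:
    """Canonical form for URL comparison: scheme://host/path?query, host lower-cased."""
    u = urlparse(url.strip())
    path = u.path or "/"
    query = f"?{u.query}" if u.query else ""
    return f"{u.scheme.lower()}://{u.netloc.lower()}{path}{query}"


# RedLine and CryptBot C2 hostnames from the report.
C2_HOSTS = {"cookiebrokrash.info", "qusenero.xyz", "smaokt52.top", "morzie05.top"}
# RedLine C2 given as a bare IP:port; there is no name to resolve, so match the socket.
C2_SOCKETS = {("185.215.113.15", 61506)}
# Vidar pulls its real C2 from a profile page on a legitimate host. Match the full URL,
# not the tumblr.com domain, so ordinary traffic to that service is not flagged.
C2_URLS = {_norm_url("https://shpak125.tumblr.com/")}
# CryptBot second-stage download.
PAYLOAD_URLS = {_norm_url("http://gurqfo07.top/download.php?file=lv.exe")}

# Constructed log lines. Assumed format:
#   <ts> <src_ip> DNS <qname>
#   <ts> <src_ip> <dst_host_or_ip>:<port> <method> <url|->
SAMPLE_LOG = """\
2021-07-23T10:01:02Z 10.0.0.5 DNS cookiebrokrash.info
2021-07-23T10:01:03Z 10.0.0.5 cookiebrokrash.info:80 POST http://cookiebrokrash.info/
2021-07-23T10:02:10Z 10.0.0.5 shpak125.tumblr.com:443 GET https://shpak125.tumblr.com/
2021-07-23T10:02:11Z 10.0.0.7 www.tumblr.com:443 GET https://www.tumblr.com/dashboard
2021-07-23T10:03:00Z 10.0.0.5 gurqfo07.top:80 GET http://gurqfo07.top/download.php?file=lv.exe
2021-07-23T10:03:30Z 10.0.0.5 185.215.113.15:61506 POST -
2021-07-23T10:04:00Z 10.0.0.9 DNS www.example.com
"""


def classify(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, indicator) pairs matched by one log line."""
    parts = line.split()
    if len(parts) < 4:
        return []
    hits: list[tuple[str, str]] = []
    if parts[2] == "DNS":
        qname = parts[3].rstrip(".").lower()
        if qname in C2_HOSTS:
            hits.append(("c2_domain", qname))
        return hits
    dst, _, port = parts[2].rpartition(":")
    dst = dst.lower()
    if port.isdigit() and (dst, int(port)) in C2_SOCKETS:
        hits.append(("c2_socket", f"{dst}:{port}"))
    if dst in C2_HOSTS:
        hits.append(("c2_domain", dst))
    if len(parts) >= 5 and parts[4] != "-":
        url = _norm_url(parts[4])
        if url in C2_URLS:
            hits.append(("c2_url", url))
        if url in PAYLOAD_URLS:
            hits.append(("payload_url", url))
    return hits


def scan(log_text: str) -> list[tuple[int, list[tuple[str, str]]]]:
    """Scan a log; return (1-based line number, hits) for every line that matched."""
    results = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        hits = classify(line)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, hits)
```

Lines 1, 2, 3, 5 and 6 of the constructed log match; the dashboard request to www.tumblr.com on line 4 does not, which is the point of matching the Vidar indicator at URL rather than domain granularity.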
Targets

Target: Star-Wars-Battlefron_821352007.exe
Size: 6.5MB
MD5: 1c22e8d467e46a281f08d476539e720c
SHA1: 8f6da0d5498494d5737930259d3119c447f008ee
SHA256: 87e66f34924869dcb2eb4489b069dc6c0ff8d5988dc87fb584997e08ebce3b82
SHA512: 3e60ea9e6e6cd6b56712733df412566f794282c257a334c2ff10ced0f6f7fd108cc077578d73f2d0e0869bb35a81b2af604303151f90587d362a70bda7273d25
Signatures
- CryptBot Payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- ACProtect 1.3x - 1.4x DLL software: detects a file protected with the ACProtect packer.
- Vidar Stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- autoit_exe: AutoIt script compiled to a PE executable.
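Four of the signatures above (location check, Run key persistence, Uninstall key enumeration, drive enumeration) are described closely enough to re-implement as checks over a process trace. The code below is an added example, not part of the report or of the sandbox's own signature engine. The event format and the trace are constructed; the registry paths it keys on (Control Panel\International\Geo\Nation, CurrentVersion\Run, CurrentVersion\Uninstall) are standard Windows locations and are an assumption about what the report's signatures look for.

```python
"""Behavioural signature checks over a constructed sandbox event trace.

Added example, not part of the sandbox report. Event format, PIDs and paths
are constructed; the registry locations used as indicators are assumptions.
"""
import re

# Constructed events: (pid, operation, target). PID 1204 stands in for the
# sample; PID 3388 is an unrelated process that only reads a shell folder path.
SAMPLE_TRACE = [
    (1204, "RegQueryValue", r"HKCU\Control Panel\International\Geo\Nation"),
    (1204, "RegEnumKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    (1204, "RegEnumKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    (1204, "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    (1204, "QueryDirectory", "D:\\"),
    (1204, "QueryDirectory", "E:\\"),
    (1204, "QueryDirectory", r"C:\Users\user\Desktop"),
    (3388, "RegQueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop"),
]

# Country code configured for the user (assumed location of the "location settings" check).
GEO_KEY = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
# Uninstall key and its per-product subkeys (32- and 64-bit views).
UNINSTALL_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\uninstall(\\|$)", re.I)
# A value written under Run or RunOnce.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)


def is_non_c_root(path: str) -> bool:
    """True for a bare drive root such as D:\\ that is not the system drive C:\\."""
    return len(path) == 3 and path[1:] == ":\\" and path[0].upper() != "C"


def evaluate(trace):
    """Map each PID to the sorted list of signature names it triggered.

    PIDs that trigger nothing are left out of the result.
    """
    findings: dict[int, set[str]] = {}
    for pid, op, target in trace:
        sigs = findings.setdefault(pid, set())
        if op.startswith("Reg") and GEO_KEY.search(target):
            sigs.add("Checks computer location settings")
        if op == "RegEnumKey" and UNINSTALL_KEY.search(target):
            sigs.add("Checks installed software on the system")
        if op == "RegSetValue" and RUN_KEY.search(target):
            sigs.add("Adds Run key to start application")
        if op == "QueryDirectory" and is_non_c_root(target):
            sigs.add("Enumerates connected drives")
    return {pid: sorted(s) for pid, s in findings.items() if s}


if __name__ == "__main__":
    for pid, sigs in evaluate(SAMPLE_TRACE).items():
        print(pid, sigs)
```

Each of these checks also fires on plenty of legitimate software (installers enumerate Uninstall, updaters write Run values), which is why a sandbox scores the combination of signatures for one process rather than any single one; the trace above triggers all four for the sample's PID and none for the bystander process.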
Target: _vcofsoig.nfn.exe
Size: 2.1MB
MD5: 2c6fa0b31d84f67377ddd6ea2799b752
SHA1: cf0b9d9c65829009eba7c1a5845be69be5e2e837
SHA256: 1c5c3a3fa4fdd0ea52166d9a924fac13883e5c5797b9acd89dace63e1a468f6f
SHA512: 9beaa08110453de703105a17cf6237f099b069bfd913381af334b8f61f8f69c16648f84afe3852a361a934563a27178389a1077ede1a267312394c483d941ce6
Score: 4/10