General

  • Target

    Minecraft v4.3.rar

  • Size

    27.2MB

  • Sample

    210810-qv38tjvgyn

  • MD5

    b7b82119736f96caa292bbf142128b00

  • SHA1

    8ee0eed1966e6b5abae0d11500af9856582ecf9f

  • SHA256

    592ea2c548c74f9778a17ac78eba08eb7bfde214d690a7e593731fdbd604c877

  • SHA512

    36d65fd54afcd91289a6e2c1f10596c40ffca68b2b31bea83df599439c2195b78d1c1917338282c8341107e4db92a536c2665fecacf2a2cd8b4e31882e8e4e6d

Malware Config

  • Extracted

    Family: redline
    Botnet: boss7
    C2: 109.248.201.150:63757

  • Extracted

    Family: redline
    Botnet: Ninja0809
    C2: 185.92.73.140:80

  • Extracted

    Family: redline
    Botnet: @bestiefFcs
    C2: 37.46.128.72:29799

  • Extracted

    Family: redline
    Botnet: @killyxu
    C2: 3.68.106.170:59223

  • Extracted

    Family: redline
    Botnet: @tupa187
    C2: 37.1.213.214:63028

Targets

    • Target

      CSGOhack.exe

    • Size

      681KB

    • MD5

      ef7fe4b7b3228cd6489817ec4fd9dffa

    • SHA1

      d913aa1d8028bf6e02a240b7c07d8638757af7fc

    • SHA256

      ca322f6d0db4e99ec9df55fa02ba3ef49557ce5ee932e44888a687418a91fbc4

    • SHA512

      c2f951b0a1098a93713b66bc735df52ac52793f9ecb98f0ad425f372cd13eadc430db0e733a33b9bd76986bfb6a28ba1676da565e84094ed3a68c7aaad1d8833

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      Minecraft_v4.3.exe

    • Size

      1.9MB

    • MD5

      54263196f68701f4d74ecce284ebf501

    • SHA1

      7432a4a4a57973d77ca7f65a2be4bb357efddc30

    • SHA256

      8f9d77e5b65e2263f81d3398d3cc6741752702021bb5aa6a2a716cf6f6e204d5

    • SHA512

      bbda9e72dd377915f6a065b52d4bbb4ceb5f4c22197ced84b78cee644a2dd408e375ee41cfa00e454fe45b3b953f3bb8747fac223d878d23bb9800bb5a8c8ff9

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      SetupCrack.exe

    • Size

      373KB

    • MD5

      362fdb2e05006cd91ae2d090179b4642

    • SHA1

      b369e9475eea2e950112592944df5f2b88468fb9

    • SHA256

      574e22b44f2b1a0af1e8344a2e674d62c246287fa41c9ee3725120bc329a8a89

    • SHA512

      03b049d1214d55e0f8c64b617a8ad04c4aed8a4d97a4bb141c8165fb4d77253291c599f949789b88b6c95fee0a84b4d88b4073e5526269a80dfb57aaab46adff

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      Vape Crack.exe

    • Size

      796KB

    • MD5

      a61f6f94009c04607f1ba923adcaba0d

    • SHA1

      71b964ba1d7a6ddcebb9fadf29efba3f440c00af

    • SHA256

      36022c868a49fc44968f6647239106f536b2cae40340ad69e3772f7be482daf7

    • SHA512

      0d108e686fa33405b2deb127de0cb4ab60d9960d1af43ea4886496f8249c131da8a5a378b6f61b3d8e09179a295e2a7365b01d2db22d0fd916ce3190904a97dd

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Looks for VMWare Tools registry key

    • Suspicious use of SetThreadContext

    • Target

      cheat.exe

    • Size

      12.2MB

    • MD5

      69c885675b1b98e2fbb3f0196a1df2d1

    • SHA1

      533fa79f3b20623ae1c6de3fded5fb54b145af6a

    • SHA256

      73bcd67ddecc7bf320a19bd5dbefdb36c097c3047959d67e0e3cc5e22f8b510b

    • SHA512

      8b89b0a456e9d423c7e0d053772716f2e0e7877bff250e08f788d20b20fcb00bb6da831f59a781964ede23f9de74b5afcda0183d104fca523b392a89d063e44c

    • Score

      9/10

    • Detected Stratum cryptominer command

      Looks to be attempting to contact Stratum mining pool.

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      launcher.exe

    • Size

      378KB

    • MD5

      36aeb708e396c2627e52d8c50d8ea287

    • SHA1

      e1bd5ab1cb291915db4e3d03b0e88b4dc737f53a

    • SHA256

      b35f6e33f997d11867056950aae71610d3bbef64eb443db3aed8a49cc850e226

    • SHA512

      1ad276b880dd136f4364ccf0361d8ef3c790a6f178c39f1fd0c365b93f789595c7060f90020b7b4f0592a3c0f64444b194c83fc7652ffbad3afa5f14b8574a6d

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      onetap.exe

    • Size

      400KB

    • MD5

      7914f8165ade3f483e1f62dce8ec8828

    • SHA1

      7ac59abb131d0644d0f0aa31cb99cf0a415deb9e

    • SHA256

      e5b091808b73fbf1b94a24bb98d8ac945012ec6b69f0979371af225ecdb804df

    • SHA512

      e3b4e163e9cbb2fb4719c09c2274af3e068f762d570b1d24093be411ef9b81ba91c10d92317a8af6a050bc4dd34a9a4bc67861ce00bff5e09383281e95163aa7

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      Minecraft_v4.3.exe

    • Size

      1.9MB

    • MD5

      54263196f68701f4d74ecce284ebf501

    • SHA1

      7432a4a4a57973d77ca7f65a2be4bb357efddc30

    • SHA256

      8f9d77e5b65e2263f81d3398d3cc6741752702021bb5aa6a2a716cf6f6e204d5

    • SHA512

      bbda9e72dd377915f6a065b52d4bbb4ceb5f4c22197ced84b78cee644a2dd408e375ee41cfa00e454fe45b3b953f3bb8747fac223d878d23bb9800bb5a8c8ff9

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 2

  • Persistence

    Scheduled Task (T1053): 2

  • Privilege Escalation

    Scheduled Task (T1053): 2

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2

  • Credential Access

    Credentials in Files (T1081): 17

  • Discovery

    Query Registry (T1012): 10
    Virtualization/Sandbox Evasion (T1497): 2
    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 17

Tasks

  • static1

    Tags: pandastealer
    Score: 10/10

  • behavioral1

    Tags: pandastealer, spyware, stealer
    Score: 10/10

  • behavioral2

    Tags: pandastealer, spyware, stealer
    Score: 10/10

  • behavioral3

    Tags: redline, boss7, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral4

    Tags: redline, boss7, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral5

    Tags: redline, ninja0809, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral6

    Tags: redline, ninja0809, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral7

    Tags: redline, @bestieffcs, evasion, infostealer
    Score: 10/10

  • behavioral8

    Tags: redline, @bestieffcs, evasion, infostealer
    Score: 10/10

  • behavioral9

    Tags: miner, vmprotect
    Score: 9/10

  • behavioral10

    Tags: miner, vmprotect
    Score: 9/10

  • behavioral11

    Tags: (none)
    Score: 1/10

  • behavioral12

    Tags: redline, @killyxu, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral13

    Tags: redline, @tupa187, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral14

    Tags: redline, @tupa187, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral15

    Tags: redline, boss7, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral16

    Tags: redline, boss7, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral17

    Tags: redline, ninja0809, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral18

    Tags: redline, ninja0809, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral19

    Tags: redline, @bestieffcs, evasion, infostealer
    Score: 10/10

  • behavioral20

    Tags: redline, @bestieffcs, evasion, infostealer
    Score: 10/10

  • behavioral21

    Tags: miner, vmprotect
    Score: 9/10

  • behavioral22

    Tags: miner, vmprotect
    Score: 9/10

  • behavioral23

    Tags: redline, @killyxu, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral24

    Tags: redline, @killyxu, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral25

    Tags: redline, @tupa187, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral26

    Tags: redline, @tupa187, discovery, infostealer, spyware, stealer
    Score: 10/10