General

  • Target

    Bird.rar

  • Size

    94.7MB

  • Sample

    210811-lzykvgceme

  • MD5

    b9b414f4e571e0c4f9da77661c1249ad

  • SHA1

    b01cb7b103fee5354a15726d5f88427fc93c9018

  • SHA256

    c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818

  • SHA512

    8861e3879418ceb6a689dc9cd7ec47616a8e36cf138f4f02bc4952bb92105e09273d7676bbf548351feef904a0f4ed9b86499f70cca611e4ae06377f9333910b

Malware Config

Extracted

  • Family

    redline

  • Botnet

    asap

  • C2

    45.14.49.109:54819

Extracted

  • Family

    redline

  • Botnet

    boss8

  • C2

    109.248.201.150:63757

Extracted

  • Family

    redline

  • Botnet

    Ninja0809

  • C2

    185.92.73.140:80

Extracted

  • Family

    redline

  • Botnet

    @faqu_1

  • C2

    45.82.179.116:10425

Extracted

  • Family

    redline

  • Botnet

    RUZ

  • C2

    sandedean.xyz:80

Targets

    • Target

      Bird.exe

    • Size

      1.9MB

    • MD5

      2ef0cc6f0f8aa2534e103b829e270e1d

    • SHA1

      c146681a98d585012791c2e9504caacba25becc9

    • SHA256

      822c95f975773e71f49d3ed2c9afa87d6d27d245c7f5a4a9439278e27ee0ae64

    • SHA512

      56efa1b2e849ad5d836034a3f7992edec6e24914a80a8a1a03b29953082a0e898bace35705a76ce6660188c3954370c0c63d105c3c51f03441aadb94d590ee4a

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Crystal.exe

    • Size

      3.0MB

    • MD5

      d59c7cc6f109cb59fa55309f4f829692

    • SHA1

      18c2361058540fdf9684ba07cef04085d90dbaa2

    • SHA256

      a35bb31351cf385fe52b27c02642f2f99aed0d8fd472b4df12bf508faf3426d3

    • SHA512

      532d135a1009a4a4985cbf15ad1cd1fe35a2ea5bb1a8ce15da5c2f5f6d7cb9b07491715b24539ad36702c664fb71e98a4f3aca1753691de5a02d73caa87bbc00

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Install.exe

    • Size

      317KB

    • MD5

      cf31bb1b26f00448ed2f1359d403fa59

    • SHA1

      22ab9cc3bdce1e177f5fac0e745229dacde1d07a

    • SHA256

      1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71

    • SHA512

      05541d9938c80c860e18cd29e3b708000fb90a89f217a1cf0faf2ced29c26dfb6dd395d12178e34f72ab386991f21cba71f8659fd99a649c81b4bf65ae86d998

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Minecraft_v4.4.exe

    • Size

      1.3MB

    • MD5

      d60df4a3ea6bce524650ba94f6339e39

    • SHA1

      4805dc2d49d362028d48af9142f1abbe313e78c6

    • SHA256

      172b6209ca78d8006297f41fded71268689f8b9be88513673af4420c12176c75

    • SHA512

      8991e4b8b7b7602c8a8c2ea69bcb537d8d9c176ff79d151a7337334366dd9c637fc057f541298e92194f5a3a346423dfb7eca0a3e0b941b3bde59232ab5dce67

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      NewHacks.exe

    • Size

      1.1MB

    • MD5

      d59bf492da2f21db13264aba7b40f464

    • SHA1

      c69eadf5aa174c34c90445548d5b2d5888957eae

    • SHA256

      4732655de9b6a0497a825ab53ef9e8c3db1a9d1520d1ae505ec2b07df305cef1

    • SHA512

      f781f75e84f88c9aa015644ba5744d5b360951fc753d054f2e999244907baae5a109563c5b4817a2e7ee2f91c2048366552d22364e593503ba8aec05ce4cef59

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Echelon log file

      Detects a log file produced by Echelon.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Setup.exe

    • Size

      373KB

    • MD5

      362fdb2e05006cd91ae2d090179b4642

    • SHA1

      b369e9475eea2e950112592944df5f2b88468fb9

    • SHA256

      574e22b44f2b1a0af1e8344a2e674d62c246287fa41c9ee3725120bc329a8a89

    • SHA512

      03b049d1214d55e0f8c64b617a8ad04c4aed8a4d97a4bb141c8165fb4d77253291c599f949789b88b6c95fee0a84b4d88b4073e5526269a80dfb57aaab46adff

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      Software patch v2.0.5.exe

    • Size

      3.1MB

    • MD5

      d03337f5bb060e48c67e625084d48a84

    • SHA1

      89d89fe1aeb5b69b2e5e9fdea533c4e32e5ae887

    • SHA256

      010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f

    • SHA512

      4106c6922d175bbaa947a0a03783d39fe44936fa7ec5079dafece596f8378f326b0f094c0433f3f363aaad9ed6f81c7da5273347abc18031c88be79fe3c4ea56

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      file3.exe

    • Size

      743KB

    • MD5

      4d4bc0c39fc901c1a86ef43fc3bf189a

    • SHA1

      4736a94c30917e695ebf58f674632575e383d571

    • SHA256

      1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

    • SHA512

      62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      forcenitro2.4.1.exe

    • Size

      78.9MB

    • MD5

      d292c1fe9f36882b01bd70a2b0aa391c

    • SHA1

      72b0aa6d32e09ced66a3c10414e02e84569e009e

    • SHA256

      a5c3478916ed2c028f824b22b73fc10699be8640b308e5986b7490a1ac818da3

    • SHA512

      138acc03b072806327f03ab6149d2ca86e53ceee33420362047a2e86c800d6c7aaa21401c0a8c2eae627e42f17b2afb6a58e0a6a9eddffa2b330a85bf31a91e6

    • Score

      7/10

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      nitro_gen.exe

    • Size

      6.9MB

    • MD5

      fb4d683e3ae0f7d5e33df5bf301daa58

    • SHA1

      36a1de1d727c726aba7dab2b2937be337c538348

    • SHA256

      d684eb2255665b6953a3ce3f23721d4130987ffa61ad69482fd706392ab9bf3e

    • SHA512

      ccb13161a680f80fd6e93956bc50d3c070c344c36096118240b2159cdbf6ad866fb68b0257e8bbd156cec5dbf77195ef405ef1ddc0c92fa4d5166548b49d4554

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (1) T1053

Persistence

  • Scheduled Task (1) T1053

  • Hidden Files and Directories (2) T1158

Privilege Escalation

  • Scheduled Task (1) T1053

Defense Evasion

  • Virtualization/Sandbox Evasion (3) T1497

  • Install Root Certificate (2) T1130

  • Modify Registry (2) T1112

  • Hidden Files and Directories (2) T1158

Credential Access

  • Credentials in Files (18) T1081

Discovery

  • Query Registry (15) T1012

  • Virtualization/Sandbox Evasion (3) T1497

  • System Information Discovery (10) T1082

Collection

  • Data from Local System (18) T1005

Command and Control

  • Web Service (1) T1102

Tasks

static1

    Tags: themida, pyinstaller
    Score: 7/10

behavioral1

    Tags: redline, discovery, evasion, infostealer, spyware, stealer, themida, trojan
    Score: 10/10

behavioral2

    Tags: redline, discovery, evasion, infostealer, spyware, stealer, themida, trojan
    Score: 10/10

behavioral3

    Tags: redline, discovery, evasion, infostealer, spyware, stealer, themida, trojan
    Score: 10/10

behavioral4

    Tags: redline, discovery, evasion, infostealer, spyware, stealer, themida, trojan
    Score: 10/10

behavioral5

    Tags: redline, asap, discovery, infostealer, spyware, stealer
    Score: 10/10

behavioral6

    Tags: redline, asap, discovery, infostealer, spyware, stealer
    Score: 10/10

behavioral7

    Tags: redline, boss8, discovery, infostealer, spyware, stealer
    Score: 10/10

behavioral8

    Tags: redline, boss8, discovery, infostealer, spyware, stealer
    Score: 10/10

behavioral9

    Tags: echelon, discovery, spyware, stealer
    Score: 10/10

behavioral10

    Tags: echelon, discovery, spyware, stealer
    Score: 10/10

behavioral11

    Tags: redline, ninja0809, discovery, infostealer, spyware, stealer
    Score: 10/10

behavioral12

    Tags: redline, ninja0809, discovery, infostealer, spyware, stealer
    Score: 10/10

behavioral13

    Tags: redline, xmrig, @faqu_1, discovery, evasion, infostealer, miner, spyware, stealer, themida, trojan
    Score: 10/10

behavioral14

    Tags: redline, xmrig, @faqu_1, discovery, evasion, infostealer, miner, spyware, stealer, themida, trojan
    Score: 10/10

behavioral15

    Tags: redline, ruz, discovery, evasion, infostealer, spyware, stealer
    Score: 10/10

behavioral16

    Tags: redline, ruz, discovery, evasion, infostealer, spyware, stealer
    Score: 10/10

behavioral17

    Score: 7/10

behavioral18

    Tags: spyware, stealer
    Score: 7/10

behavioral19

    Tags: pyinstaller, spyware, stealer
    Score: 8/10

behavioral20

    Tags: pyinstaller, spyware, stealer
    Score: 8/10