General
-
Target
Your_File_Is_Ready_To_Download.rar.zip
-
Size
164KB
-
Sample
210821-kyrhmh4pan
-
MD5
edc53deb862f5293a3e7f92b4b9d7b66
-
SHA1
eb069d0fe7535ccd3169bd276a4ba9d622a9d81c
-
SHA256
cdd0905f8f1b309e54b1a6361ed270c0d5a92c38011f53051e68ee44e8a2e8ab
-
SHA512
418620b41c0103a6eadcad0f68215d683b1a61dd5e099105451956e602b6f38d81cb2635244f129e0bcbfdd0fc5f0a529a42dd7b40ba3f8478f7dddd0bbdb036
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win11
Behavioral task
behavioral3
Sample
Setup.exe
Resource
win10v20210410
Malware Config
Extracted
redline
www
185.204.109.146:54891
Extracted
redline
Second_7.5K
45.14.49.200:27625
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
redline
205.185.119.191:18846
193.38.55.57:7575
Extracted
vidar
40.1
937
https://eduarroma.tumblr.com/
-
profile_id
937
Extracted
vidar
40.1
517
https://eduarroma.tumblr.com/
-
profile_id
517
Extracted
redline
20_8_rs
jekorikani.xyz:80
Extracted
redline
dibild
135.148.139.222:33569
Extracted
redline
19.08
95.181.172.100:6795
Targets
-
-
Target
Setup.exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1File Permissions Modification
1Install Root Certificate
1