General
Target: 817.zip
Size: 9.6MB
Sample: 210823-m6psjka2ye
MD5: 4b234d2532387c31344a285a8c03fe8f
SHA1: 68743d269f02669f473cc74f0b09fc0f4b1032c8
SHA256: 5159ddf4335b0e93e4b265d03549ce64d2e20081941de194f88b0ad81119d53e
SHA512: 32ce72e4e8110b26ce7bd49ea62865282bcfb827969315705ead6dda56990756a52847635070bf730cfd4d13e978cb690b2fecb3ec83beae5c86636d202a46db
Static task: static1
Behavioral task: behavioral1
  Sample: 817.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 817.exe
  Resource: win11
Behavioral task: behavioral3
  Sample: 817.exe
  Resource: win10v20210408
Malware Config
Extracted: redline
  UPD
  193.56.146.78:54955
Extracted: metasploit
  windows/single_exec
Extracted: redline
  Build2_Mastif
  95.181.157.69:8552
Extracted: redline
  Ayrelia1
  77.83.175.169:11490
Extracted: vidar
  40.1
  973
  https://eduarroma.tumblr.com/
  profile_id: 973
Extracted: smokeloader
  2020
  http://readinglistforaugust1.xyz/
  http://readinglistforaugust2.xyz/
  http://readinglistforaugust3.xyz/
  http://readinglistforaugust4.xyz/
  http://readinglistforaugust5.xyz/
  http://readinglistforaugust6.xyz/
  http://readinglistforaugust7.xyz/
  http://readinglistforaugust8.xyz/
  http://readinglistforaugust9.xyz/
  http://readinglistforaugust10.xyz/
  http://readinglistforaugust1.site/
  http://readinglistforaugust2.site/
  http://readinglistforaugust3.site/
  http://readinglistforaugust4.site/
  http://readinglistforaugust5.site/
  http://readinglistforaugust6.site/
  http://readinglistforaugust7.site/
  http://readinglistforaugust8.site/
  http://readinglistforaugust9.site/
  http://readinglistforaugust10.site/
  http://readinglistforaugust1.club/
  http://readinglistforaugust2.club/
  http://readinglistforaugust3.club/
  http://readinglistforaugust4.club/
  http://readinglistforaugust5.club/
  http://readinglistforaugust6.club/
  http://readinglistforaugust7.club/
  http://readinglistforaugust8.club/
  http://readinglistforaugust9.club/
  http://readinglistforaugust10.club/
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Extracted: redline
  23.08
  95.181.172.100:55640
Extracted: vidar
  40.1
  937
  https://eduarroma.tumblr.com/
  profile_id: 937
Extracted: vidar
  40.1
  995
  https://eduarroma.tumblr.com/
  profile_id: 995
Targets
Target: 817
Size: 9.8MB
MD5: 724f01298e921f1f7362af6b1bc31642
SHA1: e892f38da2f930133cf67533e592ded56b7d6154
SHA256: 8174d7d1e9ccf99d8a0164e39dbb7df725cbd710cf2f611d3ca4f2fdeb434535
SHA512: ee276907cf9d4a0039d3c0affdb318bf08c1b265f4b454bfc9459a923428e701efeccbae1d88c40e2bbc56e05602289aa7e142f7193f39ec4e20bb2fcb4f0953
- Glupteba Payload
- MetaSploit
  Detected a malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.
- NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Defense Evasion
  Modify Registry: 4
  Disabling Security Tools: 1
  File Deletion: 2
  Virtualization/Sandbox Evasion: 1
  Install Root Certificate: 1