General
-
Target
D1EEC7914A5CA2F3E3A0B4C3C4E557EF.exe
-
Size
2.4MB
-
Sample
210825-hqap6aelje
-
MD5
d1eec7914a5ca2f3e3a0b4c3c4e557ef
-
SHA1
f655fcf0e1ecf1a79a6c19d71fba9714611c1bef
-
SHA256
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
-
SHA512
0f640a7649b2b3fadf2686f3fb0fb811bee25f6eeb7591909ba2671036ef933604166737dc74eb22c12851330c027124522a3deee5317f62873b77b7325f163d
Static task
static1
Behavioral task
behavioral1
Sample
D1EEC7914A5CA2F3E3A0B4C3C4E557EF.exe
Resource
win7v20210408
Malware Config
Extracted
cryptbot
lysuht78.top
morisc07.top
-
payload_url
http://damysa10.top/download.php?file=lv.exe
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
vidar
40
706
https://lenak513.tumblr.com/
-
profile_id
706
Extracted
redline
test1
185.215.113.15:61506
Targets
-
-
Target
D1EEC7914A5CA2F3E3A0B4C3C4E557EF.exe
-
Size
2.4MB
-
MD5
d1eec7914a5ca2f3e3a0b4c3c4e557ef
-
SHA1
f655fcf0e1ecf1a79a6c19d71fba9714611c1bef
-
SHA256
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
-
SHA512
0f640a7649b2b3fadf2686f3fb0fb811bee25f6eeb7591909ba2671036ef933604166737dc74eb22c12851330c027124522a3deee5317f62873b77b7325f163d
-
CryptBot Payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-