Resubmissions
26-08-2021 15:30
210826-eqjwc3wpfa 1026-08-2021 15:06
210826-zjkk6mr366 1026-08-2021 14:31
210826-mw2gr11d6j 1026-08-2021 01:04
210826-5ld5kf1zrj 1026-08-2021 01:03
210826-32mdflhtr6 1026-08-2021 00:58
210826-6fpc34ct8x 1026-08-2021 00:41
210826-ylmpk9586e 1026-08-2021 00:31
210826-pygyb6r89x 10General
-
Target
71E2CF4709767EAB8E0E6DCD8F19D37C.exe
-
Size
5.2MB
-
Sample
210826-pygyb6r89x
-
MD5
71e2cf4709767eab8e0e6dcd8f19d37c
-
SHA1
0641acedc06c13a17d94968e3237c4d9533fc0b9
-
SHA256
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
-
SHA512
686cae3db08ad1c7beaf13758a74cae4eb4084d152be49510c11a13010cbb27a1407657fab57d0d732648e91e21862c0604a9ad789e55bcac803fc7be6b4b675
Static task
static1
Behavioral task
behavioral1
Sample
71E2CF4709767EAB8E0E6DCD8F19D37C.exe
Resource
win7v20210408
Malware Config
Extracted
redline
pub1
viacetequn.site:80
Extracted
vidar
40.1
706
https://eduarroma.tumblr.com/
-
profile_id
706
Extracted
xloader
2.3
ec33
http://www.chaturvedi.fyi/ec33/
ride-hard.net
westindiesofficial.com
technewcomer.com
anwen.ink
smarthumanresource.com
aspenhillgetaway.com
westinventures.com
sercomp.pro
fitwoop.com
advertisingviews.site
stinato.com
kidsfundshoes.com
xaufuture.com
emaildesktophelp.com
hey-events.com
v-j9.com
eurekabox.net
export-rice.net
arcadems.com
thejackparker.com
paikewatch.com
genetics-nutrition.com
promoterconnect.com
shanghaihousechelmsford.com
csatec.com
michelevandykedc.com
guytongeorgiahomes.com
streetindo.com
webhost.directory
tohilldentistrysomerset.com
rocketcompaniessucks.net
stuconnect-app.com
outfitideas.today
xlht114.com
skandlstal.com
gonzalezpartyrentals.com
sabaigame.com
findthebestpricecar.com
amberandtomyoutube.com
ecopylesos.online
fineenclave.com
lbm120.com
x2emails.xyz
southernsidesolar.com
apptopshop.com
emilyreynoldsdesign.com
saraheve.com
356892.com
apsservicos.com
watertowerguy.com
streampee.com
dealndesign.com
cleanasbest.com
504cares.com
aaaemploymentagency.com
xtodosmexico.com
century21guyana.com
oisinreynolds.com
itsrightreview.com
affinitychin.guru
riderswall.com
investolog.com
lwwtrtwcf.icu
9968-info.com
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
metasploit
windows/single_exec
Targets
-
-
Target
71E2CF4709767EAB8E0E6DCD8F19D37C.exe
-
Size
5.2MB
-
MD5
71e2cf4709767eab8e0e6dcd8f19d37c
-
SHA1
0641acedc06c13a17d94968e3237c4d9533fc0b9
-
SHA256
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
-
SHA512
686cae3db08ad1c7beaf13758a74cae4eb4084d152be49510c11a13010cbb27a1407657fab57d0d732648e91e21862c0604a9ad789e55bcac803fc7be6b4b675
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
Vidar Stealer
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-