Overview

Score: 10/10

Task                                   Score
Static                                 10/10
6c5db6dce1...3e.exe (windows7_x64)     10/10
6c5db6dce1...3e.exe (windows10_x64)    10/10
DusBrowserInst.exe (windows7_x64)      10/10
DusBrowserInst.exe (windows10_x64)     10/10
IDWCH2.exe (windows7_x64)              10/10
IDWCH2.exe (windows10_x64)             10/10
Litever01.exe (windows7_x64)           10/10
Litever01.exe (windows10_x64)          10/10
anyname.exe (windows7_x64)             10/10
anyname.exe (windows10_x64)            10/10
app.exe (windows7_x64)                 10/10
app.exe (windows10_x64)                10/10
askinstall50.exe (windows7_x64)        10/10
askinstall50.exe (windows10_x64)       10/10
farlab_setup.exe (windows7_x64)        10/10
farlab_setup.exe (windows10_x64)       8/10
inst002.exe (windows7_x64)             1/10
inst002.exe (windows10_x64)            1/10
jamesnew.exe (windows7_x64)            8/10
jamesnew.exe (windows10_x64)           10/10
justdezine.exe (windows7_x64)          10/10
justdezine.exe (windows10_x64)         10/10
md3_3kvm.exe (windows7_x64)            7/10
md3_3kvm.exe (windows10_x64)           7/10
mixseven.exe (windows7_x64)            10/10
mixseven.exe (windows10_x64)           10/10
redcloud.exe (windows7_x64)            7/10
redcloud.exe (windows10_x64)           7/10
vguuu.exe (windows7_x64)               6/10
vguuu.exe (windows10_x64)              6/10

General

Target: av2.zip
Size: 14.6MB
Sample: 210831-rnd3rp8542
MD5: 8ebd8e10033bc4efaa0446f4e474ecea
SHA1: bf084f4bcf1652dfd1d538980ea4a40f7ef2db39
SHA256: 7b1cf1979579775f48e8d20974753453f75963b3094d3b95519d9362e943dbbb
SHA512: 78a60cd29e384be3688814a603668e7d237bdd8a0f7ae1eceea9bc9609278a5bfe427b9b27d682630b70ca00b3c6914ad9122e4479b554097c0f58c5da9da1f1
Behavioral tasks

Task          Sample                                 Resource
behavioral1   6c5db6dce13ded4e0e6c7e9a526b063e.exe   win7v20210410
behavioral2   6c5db6dce13ded4e0e6c7e9a526b063e.exe   win10v20210408
behavioral3   DusBrowserInst.exe                     win7v20210410
behavioral4   DusBrowserInst.exe                     win10v20210408
behavioral5   IDWCH2.exe                             win7v20210410
behavioral6   IDWCH2.exe                             win10v20210408
behavioral7   Litever01.exe                          win7v20210410
behavioral8   Litever01.exe                          win10v20210410
behavioral9   anyname.exe                            win7v20210408
behavioral10  anyname.exe                            win10v20210410
behavioral11  app.exe                                win7v20210408
behavioral12  app.exe                                win10v20210410
behavioral13  askinstall50.exe                       win7v20210408
behavioral14  askinstall50.exe                       win10v20210410
behavioral15  farlab_setup.exe                       win7v20210410
behavioral16  farlab_setup.exe                       win10v20210408
behavioral17  inst002.exe                            win7v20210410
behavioral18  inst002.exe                            win10v20210408
behavioral19  jamesnew.exe                           win7v20210410
behavioral20  jamesnew.exe                           win10v20210408
behavioral21  justdezine.exe                         win7v20210410
behavioral22  justdezine.exe                         win10v20210410
behavioral23  md3_3kvm.exe                           win7v20210408
behavioral24  md3_3kvm.exe                           win10v20210410
behavioral25  mixseven.exe                           win7v20210408
behavioral26  mixseven.exe                           win10v20210410
behavioral27  redcloud.exe                           win7v20210408
behavioral28  redcloud.exe                           win10v20210410
behavioral29  vguuu.exe                              win7v20210410
behavioral30  vguuu.exe                              win10v20210408
Malware Config

Extracted configurations (family, identifier, endpoint as reported):
- redline, 1.22: 95.211.185.27:42097
- metasploit: windows/single_exec
- redline: 185.215.113.29:8678
- redline, 22_8_big: 185.215.113.104:18754
- raccoon, 10c753321b3ff323727f510579572aa4c5ea00cb; url4cnc: https://telete.in/bimboDinotrex
- redline, NORMAN2: 45.14.49.184:27587
- redline, spnewportspectr: 135.148.139.222:1594
- redline, jjmaes: 188.165.204.121:41812
- smokeloader, 2020: http://varmisende.com/upload/, http://fernandomayol.com/upload/, http://nextlytm.com/upload/, http://people4jan.com/upload/, http://asfaltwerk.com/upload/
- amadey, 2.50: 185.215.113.206/k8FppT/index.php
- redline, 3108: 95.217.77.23:53845
- redline, mix31.08: 185.215.113.15:6043
Targets

Target: 6c5db6dce13ded4e0e6c7e9a526b063e.exe
Size: 4.4MB
MD5: 15f91f6b410dde682ba9afacc7a4d011
SHA1: 41b04c412ae131c8fcbf314f75a8ae8985468f59
SHA256: 3f2fe1d2857ba3eba92108104c95c0d4908b5aaa5677ba53c251a16714923a6b
SHA512: a5f5bfaabfe4ecd5918fc60c588a3bd55fccfcf39cbdcb8eacace8da2fa85eee7cbb5e9487bc836bddf6cec77c2be7d3ec8916b2dbb34ab04925e093df06a37c
Signatures:
- Glupteba Payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of NtCreateUserProcessOtherParentProcess

Target: DusBrowserInst.exe
Size: 127KB
MD5: 95e6582024b57ff4885652f76a66764b
SHA1: 3a0ead166d8310503b0ed97e32f50c08ea0e2f25
SHA256: b29a251be022532e0e704ccde0bea5f7061f393781089a76713d8bc81e002887
SHA512: aa9d591e699a9975a0992e87c05bcad04c3bd931f8a9548d95425bea4c82a6752edb4260bbfc1c521f3b40ca266ee9b28ecaea3855cdb9fe8515b0a4a9c96feb
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2

Target: IDWCH2.exe
Size: 739KB
MD5: 0d5cc91890c411599e994ab4d927350b
SHA1: b64c4752537fc05bd460918fe252ef64e72d2651
SHA256: b64cc3011b334fe3fdc47852da28f1d865a1f71dd819827a035b9b3adab1a163
SHA512: 56418a6586f0cc7f985e944811744fdce2ddaea5e238d02b21435768a3738ba7cccc738190b677f0eb66916a24cdcd4b63701df8a35c7a44802ba053ccdf059b
Signatures:
- Glupteba Payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Checks for common network interception software: Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: Litever01.exe
Size: 593KB
MD5: c85b133eae3ca2e8aa788b5b41dd12ca
SHA1: 46842b223e918590f851dc58feb0333756fc872e
SHA256: 0fca09eff75cd95e68f6ec7aed7c3f89ae7345a180f94fc5b470e2b24ebbc63a
SHA512: a485023b501126130a5c01a6c6348a5d2f28b9f5c89329d8eec6451cd494984eab6d66215fd3b3fb4db7545fc524cd371373859a7dfa3a67e2c0f4e84613bbf2
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar Stealer

Target: anyname.exe
Size: 99KB
MD5: 5d776f9eb3d9ca1e9cf31dda19fb28ba
SHA1: 03f2cc43b88ac135237063eb4a72d0f5d7a0ef89
SHA256: 113a6c00df14d47482626ed8b10003715a4a42c86b9686c626921716700d6e41
SHA512: c220ca758b27ebcfb8e9d0a1025af64fefba01db3742c4c99273cb0f73c7c873338653d23aeab2be041216f6b07e2a95a66017eb2b850391c1851dc3ed36d00c
Score: 10/10
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: app.exe
Size: 4.4MB
MD5: ac5d54f7823c2dcfc4ae1c84c1b35c5f
SHA1: e45ff6c476b2b4710e1ec0ed4f85b1925599db6d
SHA256: 911b4f2268a203dccaf0912403d08865f21b3299c9d7f6d166c7e90fe6a4be5f
SHA512: b5be2516e9971bf274e8314d5959dc65d22beb5d69ffcb36c92bf9ff3623b6ebf75d0963b5b73ab8a08512cbdebee78ff090967b21932dbe7d9d62480023fa84
Signatures:
- Glupteba Payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of NtCreateUserProcessOtherParentProcess

Target: askinstall50.exe
Size: 1.4MB
MD5: 237d4aa94739fdee04cd9c86684179d3
SHA1: 6219d6f61d0b78a60d7f0bdfd20837c0586b0d89
SHA256: a08013695327ad7cb9daa90a7687cb03e6142587903b8198e2edac94fd1672de
SHA512: c0449b6ab12af1bba5fa58f3bfd0d7e67372c847c6aca98508071b8f0e53c24eb12b7a29b7dd93cf119efac23c00ac3577f19518aa88d3dd5ab40a1e9c6da1d2
Signatures:
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2

Target: farlab_setup.exe
Size: 1.7MB
MD5: a7703240793e447ec11f535e808d2096
SHA1: 913af985f540dab68be0cdf999f6d7cb52d5be96
SHA256: 6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f
SHA512: 57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e
Signatures:
- Modifies firewall policy service
- Registers COM server for autorun
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Uses the VBS compiler for execution
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: inst002.exe
Size: 213KB
MD5: 765e53b7873cf667a9ba7e3b4e0f4edf
SHA1: 1ef4929386dcbdbc0c3b46e391b6ca77bbdec7be
SHA256: d3d0b963d898bf3c5413ea1b3a25a11930a033a9533d113afdca78b00256f245
SHA512: 5c98f8e2892f681073d7bb8b67f42d6369c5052fbaffc189c59317de39ce76294bdddde9fe09ffd10a81963db821d2be7c06924bbe9ad3b5936d64248342f564
Score: 1/10
Signatures: none reported

Target: jamesnew.exe
Size: 846KB
MD5: ea180cb17e71d8e32481aa37cb796cc1
SHA1: 351b1c6cdbdcd21215e6cb9fc7b76887ddfe7a2a
SHA256: 8a75fd219504039ceb7841811d75416ca52eb26a9667bbdf621055dad62e8b1a
SHA512: 7bfe33816e5d6373cdbae1b8fffb620e76defabd1302b8c98650980ac0292b3135cee52d7316b8fe895812e56b2a7cfa2aa983d7e746f4673c37f1b585636cbc
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext

Target: justdezine.exe
Size: 266KB
MD5: af42f93ce8f525564d27ac04797a2803
SHA1: f3b2f54a2881dbfb06d2a8c830953d775f2205d0
SHA256: c8133af9c1ab5f1087ec298e5b06fab0002903b0dac672ed72530c61a45ccf99
SHA512: ac2a12884f0dda0bd93e45f6e02a7eed8bd44befd39c9b9456a97b7faa201af9a67817f45529e250bd609df0dbb65ddf797b7aec784cc9d48bd3f8614d2950f8
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: md3_3kvm.exe
Size: 924KB
MD5: 53b01ccd65893036e6e73376605da1e2
SHA1: 12c7162ea3ce90ec064ce61251897c8bec3fd115
SHA256: de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7
SHA512: e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067
Signatures:
- Legitimate hosting services abused for malware hosting/C2

Target: mixseven.exe
Size: 313KB
MD5: e2b46439ae09a3b7a4250d848c7b7265
SHA1: b1dd7e352c779651fcce756e0a4a6d78ac08c87a
SHA256: e0c8cc8c66b2d57aa27efa5eb8be1331934645b12bfbe26c5fdab271f1c94bc4
SHA512: e5d419bd44b94b521ae8e63d90b3c3621288063dbfc908d50826e857abb61b512fd4a677f4d8e281b54c3cc105c8b8dc49459a4eaae42e4b4fc935fda0d1df31
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: redcloud.exe
Size: 173KB
MD5: 16bf4653dfc06b85e7d34cb5cfe62717
SHA1: 35ca16cdb661f6978815efc8c8a2ae0fbddcb733
SHA256: 6038860aefedc84fdafe7d693ea6fa63147be5e3a43dd96e20adf377811c5d30
SHA512: 0717f23056515b18f627496c309c22bfc76da5b61f2730a320fa8584ad0fb5ed47a8695ad255bc8635cdd379d2313cb141466e86ae0b639c33772fe2177fa35f
Signatures:
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: vguuu.exe
Size: 1.3MB
MD5: 652050d5745a5303a8ff54662e77902c
SHA1: 740d12548b306b4ed1953ecdbf90fa7255b2fda7
SHA256: 4759a108a1a33d66992db0371dd760ef6edb0a6a773ccf4263e0efeb2c76a80e
SHA512: 6913129d8faad2c97cff339e9206eab990a7c31ec70d3c77169f51113fed52e612c696d40a3209e248bfe6eafa3f1b998ac654675810fed1f671308023e267e2
Score: 6/10
Signatures:
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Registry Run Keys / Startup Folder: 5
- Scheduled Task: 2
- Modify Existing Service: 2

Defense Evasion
- Install Root Certificate: 8
- Modify Registry: 18
- Disabling Security Tools: 3
- Scripting: 1
- Virtualization/Sandbox Evasion: 1