General
-
Target
a792286cfe967e3e4acc4b818066ee4a.exe
-
Size
1.6MB
-
Sample
210910-ev9cbshbf6
-
MD5
a792286cfe967e3e4acc4b818066ee4a
-
SHA1
ac89b4df47e5bd77cf9bb5e86682246a60fc4b9f
-
SHA256
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
-
SHA512
aef5f2c32a7d513e699121f832d41659dd09f10ebbf1cb493a18f9b57135adfb27d5ff5168d74eb8936bd1b0022a8ec8d70971a567c120702f03486107b3f9b3
Static task
static1
Behavioral task
behavioral1
Sample
a792286cfe967e3e4acc4b818066ee4a.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
a792286cfe967e3e4acc4b818066ee4a.exe
Resource
win10-en
Malware Config
Extracted
vidar
40.5
937
https://gheorghip.tumblr.com/
-
profile_id
937
Extracted
vidar
40.5
916
https://gheorghip.tumblr.com/
-
profile_id
916
Extracted
smokeloader
2020
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
Extracted
metasploit
windows/single_exec
Extracted
redline
Инсталлусы5к
91.142.77.155:5469
Extracted
redline
NORMAN3
45.14.49.184:28743
Extracted
redline
test
45.14.49.169:22411
Extracted
raccoon
6e76410dbdf2085ebcf2777560bd8cb0790329c9
-
url4cnc
https://telete.in/bibiOutriggr1
Targets
-
-
Target
a792286cfe967e3e4acc4b818066ee4a.exe
-
Size
1.6MB
-
MD5
a792286cfe967e3e4acc4b818066ee4a
-
SHA1
ac89b4df47e5bd77cf9bb5e86682246a60fc4b9f
-
SHA256
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
-
SHA512
aef5f2c32a7d513e699121f832d41659dd09f10ebbf1cb493a18f9b57135adfb27d5ff5168d74eb8936bd1b0022a8ec8d70971a567c120702f03486107b3f9b3
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1