General
-
Target
ab444e67d59822e2db238c4eb8e99d04.exe
-
Size
193KB
-
Sample
211002-xc7pwsegen
-
MD5
ab444e67d59822e2db238c4eb8e99d04
-
SHA1
8acd24cb9543babc8e9c22f2aafd39e0430a4602
-
SHA256
a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce
-
SHA512
fc2cd599f4ef10f0f5a1d0db8de316b07076ed8323abc2fd099a40cb97fec0a46f35d7bbb1513435738f1c6bca0fb21b6998ea7b0658124fca95262106c80e73
Static task
static1
Behavioral task
behavioral1
Sample
ab444e67d59822e2db238c4eb8e99d04.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
ab444e67d59822e2db238c4eb8e99d04.exe
Resource
win10v20210408
Malware Config
Extracted
raccoon
-
url4cnc
Extracted
redline
mix02.10
185.215.113.15:6043
Targets
-
Target
ab444e67d59822e2db238c4eb8e99d04.exe
-
Size
193KB
-
MD5
ab444e67d59822e2db238c4eb8e99d04
-
SHA1
8acd24cb9543babc8e9c22f2aafd39e0430a4602
-
SHA256
a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce
-
SHA512
fc2cd599f4ef10f0f5a1d0db8de316b07076ed8323abc2fd099a40cb97fec0a46f35d7bbb1513435738f1c6bca0fb21b6998ea7b0658124fca95262106c80e73
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1
-
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
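Several of the behaviours above (the VirtualBox ACPI lookup, the BIOS registry check, the Uninstall-key enumeration, the Run key, the Startup-folder drop, the ThreadHideFromDebugger call) are visible as a handful of registry and file operations in an API trace. The script below is an added example, not part of this report or of the sandbox that produced it: it runs a small rule set over a constructed API trace (the lines are made up to resemble this sample's flagged behaviours; the registry paths are the standard ones these checks are known to touch, the value names and log format are assumptions) and turns the matches into a triage verdict. It is deliberately broader than this one sample, covering all three VBOX__ ACPI tables and both HKLM and HKCU Run keys.

```python
import re

# Constructed API-trace lines (not the sample's real trace) shaped like the
# registry and file behaviours the report flags. Value names are invented.
SAMPLE_TRACE = r"""
RegOpenKeyExW HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegOpenKeyExW HKLM\HARDWARE\ACPI\FADT\VBOX__
RegQueryValueExW HKLM\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer
RegQueryValueExW HKLM\HARDWARE\DESCRIPTION\System\BIOS SystemProductName
RegEnumKeyExW HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
RegOpenKeyExW HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
RegSetValueExW HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost_update
CreateFileW C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
NtSetInformationThread 0x1a4 ThreadHideFromDebugger
RegQueryValueExW HKCU\Control Panel\International LocaleName
"""

# (behaviour label as the report words it, category, pattern over one trace line)
RULES = [
    ("Identifies VirtualBox via ACPI registry values", "anti-analysis",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry", "anti-analysis",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\b", re.I)),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "anti-analysis",
     re.compile(r"^NtSetInformationThread\b.*ThreadHideFromDebugger", re.I)),
    ("Checks installed software on the system", "discovery",
     re.compile(r"\\CurrentVersion\\Uninstall(\\|\s|$)", re.I)),
    ("Adds Run key to start application", "persistence",
     re.compile(r"^RegSetValue\w*\s+HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows"
                r"\\CurrentVersion\\Run(\s|$)", re.I)),
    ("Drops startup file", "persistence",
     re.compile(r"^CreateFile\w*\s+.*\\Start Menu\\Programs\\Startup\\", re.I)),
]


def match_trace(trace):
    """Return {behaviour label: [matching trace lines]} for every rule that fired."""
    hits = {}
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        for label, _category, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(label, []).append(line)
    return hits


def categories(hits):
    """Map fired behaviour labels back to their rule categories."""
    return {category for label, category, _ in RULES if label in hits}


def verdict(hits):
    """Anti-analysis plus persistence in one trace is the pairing this report
    shows; anti-analysis or discovery alone is only suspicious (a legitimate
    installer also reads the Uninstall key)."""
    cats = categories(hits)
    if "anti-analysis" in cats and "persistence" in cats:
        return "malicious"
    if cats:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = match_trace(SAMPLE_TRACE)
    for label, lines in found.items():
        print(f"{label}: {len(lines)} event(s)")
    print("verdict:", verdict(found))
```

The last trace line (a locale lookup) fires nothing, which is the point of scoring on categories rather than on raw hit counts: one benign registry read should never tip a verdict, while the combination of anti-VM probing and a Run key is what distinguishes this sample from an installer.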