General
Target: SecuriteInfo.com.Trojan.Win32.Save.a.12074.6092
Size: 333KB
Sample: 211020-tmxqwshce9
MD5: aaf57561167db5ff9078b1dc96e69dc9
SHA1: b45a09c52c6aa38725fce1f136f04a11aadc8d43
SHA256: c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94
SHA512: 2b6e321876b0eba1a73eb823d8a982f70c643dd5bbfa0327167c1076f07fe691ef79dc0d2fd25f9e848af320d7e00d00785893784b0fc692bb3e1d09cd7338c7
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Win32.Save.a.12074.6092.exe
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: SecuriteInfo.com.Trojan.Win32.Save.a.12074.6092.exe
Resource: win10-en-20211014
Malware Config
Extracted: smokeloader
2020
Extracted: tofsee
quadoil.ru
lakeflex.ru
Extracted: raccoon
7ebf9b416b72a203df65383eec899dc689d2c3d7
url4cnc:
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
Extracted: redline
install
176.9.244.86:23637
Extracted: amadey
2.70
185.215.113.45/g4MbvE/index.php
Extracted: vidar
41.5
706
https://mas.to/@xeroxxx
profile_id: 706
Extracted: raccoon
7c9b4504a63ed23664e38808e65948379b790395
url4cnc:
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar
Extracted: vidar
41.5
517
https://mas.to/@xeroxxx
profile_id: 517
Extracted: djvu
http://rlrz.org/lancer
Extracted:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Targets
- Detected Djvu ransomware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- XMRig Miner Payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Modifies Windows Firewall
- Sets DLL path for service in the registry
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
Account Manipulation: 1
New Service: 1
Modify Existing Service: 1
Registry Run Keys / Startup Folder: 3
Hidden Files and Directories: 2
Scheduled Task: 1
Defense Evasion
Disabling Security Tools: 1
Modify Registry: 6
Virtualization/Sandbox Evasion: 1
Hidden Files and Directories: 2
File Permissions Modification: 1
Install Root Certificate: 1