506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3.bin
General
Target
Size
Sample
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3.bin
403KB
211021-v9bydabdhp
Score
10 /10
MD5
SHA1
SHA256
SHA512
d1b2c8ddca2f8dd02e2c132153055084
21c011ac7406eef048c175f5887e4eb885c050d6
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3
ab73df911df41235159341cc8fefed284a3f9720f241b51dfe2db2ac415b3438d5fbbeacfa980a61d402edc64afeda87447ccda49b7d279fba524036e9287594
Malware Config
Extracted
| Family | redline |
| C2 |
205.185.119.191:60857 |
Extracted
| Family | redline |
| Botnet | jjfuck |
| C2 |
135.181.129.119:4805 |
Extracted
| Family | smokeloader |
| Version | 2020 |
| C2 |
http://gejajoo7.top/ http://sysaheu9.top/ |
| rc4.i32 |
|
| rc4.i32 |
|
Extracted
| Family | raccoon |
| Botnet | 7c9b4504a63ed23664e38808e65948379b790395 |
| Attributes |
url4cnc http://telegka.top/capibar http://telegin.top/capibar https://t.me/capibar |
| rc4.plain |
|
| rc4.plain |
|
Extracted
| Family | vidar |
| Version | 41.5 |
| Botnet | 937 |
| C2 |
https://mas.to/@xeroxxx |
| Attributes |
profile_id 937 |
Targets
Target
MD5
Filesize
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3.bin
d1b2c8ddca2f8dd02e2c132153055084
403KB
Score
10/10
SHA1
SHA256
SHA512
21c011ac7406eef048c175f5887e4eb885c050d6
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3
ab73df911df41235159341cc8fefed284a3f9720f241b51dfe2db2ac415b3438d5fbbeacfa980a61d402edc64afeda87447ccda49b7d279fba524036e9287594
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
Description
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
Tags
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Description
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Vidar Stealer
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Themida packer
Description
Detects Themida, an advanced Windows software protection system.
Tags
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks