General
-
Target
minecraft hacked client from youtube.zip
-
Size
6.7MB
-
Sample
211026-szdywahgh5
-
MD5
6b50b3c12f6f936b474781339e8134a1
-
SHA1
283019eb233c1ca6f1608ffb4d4e7ff0fd441a60
-
SHA256
a752e6646589c8b6f273ef47f91b8290ae41ed81ec2e18f56aa42aefaad1f47f
-
SHA512
9a7503828319d389dafb37becf093ebc9719b9d7189a840712f469b59ad3c2398d605c5c97748679db711e1e0bd336ecd0e5ecd69f30d9cb3cfd5ef9431ad0bc
Malware Config
Extracted
redline
Youtube
185.203.240.16:1249
Extracted
redline
221021
m360li.info:81
Extracted
raccoon
8dec62c1db2959619dca43e02fa46ad7bd606400
-
url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar
Extracted
cryptbot
kelsok22.top
morwyk02.top
-
payload_url
http://butzyr14.top/download.php?file=temple.exe
Extracted
raccoon
580b491e2149e767dbb79725a6a0395d016c0b15
-
url4cnc
http://telegin.top/jabbahatt121
http://ttmirror.top/jabbahatt121
http://teletele.top/jabbahatt121
http://telegalive.top/jabbahatt121
http://toptelete.top/jabbahatt121
http://telegraf.top/jabbahatt121
https://t.me/jabbahatt121
Targets
-
-
Target
Software updated by Dylox.exe
-
Size
3.2MB
-
MD5
6f78118b606c3c7c9bad1a9e0671cda8
-
SHA1
00abbc6a45d7009d8e166794289b39d0bb709ba5
-
SHA256
7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005
-
SHA512
77d474c0a67754e7f71ee1c932cd4f21bcbd1f94472ffd9c21cbe2c6242f5fa07f5fede82255b9037cff87fbde614225105db3b6a55be560dfc10ac74149d916
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Software-update-patc_828811790.exe
-
Size
3.6MB
-
MD5
6e9eb03a3eb0f09e4080d9c8ab1912d4
-
SHA1
f9c72350b8daa26d9305588ed6012d0282db70a8
-
SHA256
cc87d298ec17242a0cdb49c08067af27b51b97ac386c7955c04799e9d8770049
-
SHA512
d3d2df27be23aa68646753da2bff49bb4328fa7fefb8d5bcce80ea795b89bd16af12d409953ee374ea4240423598f6777de98f5030e60b9d64e55f0a43a7b8e1
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
autoit_exe
AutoIT scripts compiled to PE executables.
-
-
-
Target
open this if the doesn't work.exe
-
Size
225KB
-
MD5
75dc0b7ee8ecf84a04ae6dd0ace2f54d
-
SHA1
4185141db5402579321714059282892a932661cf
-
SHA256
06f18fc3c26ff3b6b028d3745e020bc973b3892c0a77096b5d1371dc82989298
-
SHA512
57de91590f724f26eec8d24deaaa1f6cb5eb23ee0fe727152de89abbff9503bffd2ea91d60be280c482df942e51b196de8c73a71e6194c2019d0563eb5cd0d05
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Turns off Windows Defender SpyNet reporting
-
Windows security bypass
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Scheduled Task
1Registry Run Keys / Startup Folder
1Modify Existing Service
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
7Install Root Certificate
1Disabling Security Tools
4