Overview

Task scores (one analysis task per line; the score badge for each task is listed after its name):
Overview: 10
Static: 10
setup_inst...32.exe (windows7_x64): 10
setup_inst...32.exe (windows10_x64): 10
setup_inst...2b.exe (windows7_x64): 8
setup_inst...2b.exe (windows10_x64): 8
setup_inst...61.exe (windows7_x64): 10
setup_inst...61.exe (windows10_x64): 10
setup_inst...f8.exe (windows7_x64): 10
setup_inst...f8.exe (windows10_x64): 10
setup_inst...34.exe (windows7_x64): 10
setup_inst...34.exe (windows10_x64): 10
setup_inst...c2.exe (windows7_x64): 3
setup_inst...c2.exe (windows10_x64): 10
setup_inst...cb.exe (windows7_x64): 10
setup_inst...cb.exe (windows10_x64): 10
setup_inst...90.exe (windows7_x64): 10
setup_inst...90.exe (windows10_x64): 10
setup_inst...79.exe (windows7_x64): 6
setup_inst...79.exe (windows10_x64): 6
setup_inst...d8.exe (windows7_x64): 7
setup_inst...d8.exe (windows10_x64): 3
setup_inst...3b.exe (windows7_x64): 8
setup_inst...3b.exe (windows10_x64): 8
setup_inst...ac.exe (windows7_x64): 10
setup_inst...ac.exe (windows10_x64): 10
setup_inst...38.exe (windows7_x64): 10
setup_inst...38.exe (windows10_x64): 10
setup_inst...b5.exe (windows7_x64): 10
setup_inst...b5.exe (windows10_x64): 10
setup_inst...b2.exe (windows7_x64): 7
setup_inst...b2.exe (windows10_x64): 7
setup_inst...rl.dll (windows7_x64): 3
setup_inst...rl.dll (windows10_x64): 3

General
Target: setup_installer.rar
Size: 5.1MB
Sample: 211027-rs7f6sfah4
MD5: e68e1f1dd52861b65b33805901eadb6d
SHA1: 65279d96a0a6615743057403bffe381130d0a749
SHA256: 6851b72e0bfaf608294bcac6ffef07e5e6591aee8b94ce9afad46b6e6cc32a59
SHA512: 8552c053e6096067d279f289c0ff0da5b98dc6835b248f05357bba30db07dc863af17ad5a0135394744d20980a42baba40070cc2c48f4b5637bc143f692ddf79
Behavioral tasks (task: sample, resource)
behavioral1: setup_installer/Wed0901eb1dae126e32.exe, win7-en-20211014
behavioral2: setup_installer/Wed0901eb1dae126e32.exe, win10-en-20210920
behavioral3: setup_installer/Wed094c47c32b.exe, win7-en-20211014
behavioral4: setup_installer/Wed094c47c32b.exe, win10-en-20210920
behavioral5: setup_installer/Wed096a1bff61.exe, win7-en-20211014
behavioral6: setup_installer/Wed096a1bff61.exe, win10-en-20210920
behavioral7: setup_installer/Wed0971f17486f8.exe, win7-en-20210920
behavioral8: setup_installer/Wed0971f17486f8.exe, win10-en-20211014
behavioral9: setup_installer/Wed09977fdc12334.exe, win7-en-20210920
behavioral10: setup_installer/Wed09977fdc12334.exe, win10-en-20211014
behavioral11: setup_installer/Wed09abf83d9c2.exe, win7-en-20210920
behavioral12: setup_installer/Wed09abf83d9c2.exe, win10-en-20210920
behavioral13: setup_installer/Wed09b2a8bc4f16cb.exe, win7-en-20211014
behavioral14: setup_installer/Wed09b2a8bc4f16cb.exe, win10-en-20210920
behavioral15: setup_installer/Wed09b3a5ca1a712d390.exe, win7-en-20211014
behavioral16: setup_installer/Wed09b3a5ca1a712d390.exe, win10-en-20210920
behavioral17: setup_installer/Wed09c42cad92c20f79.exe, win7-en-20211014
behavioral18: setup_installer/Wed09c42cad92c20f79.exe, win10-en-20210920
behavioral19: setup_installer/Wed09cfb2f9758281d8.exe, win7-en-20211014
behavioral20: setup_installer/Wed09cfb2f9758281d8.exe, win10-en-20210920
behavioral21: setup_installer/Wed09d27135e5a8b3b.exe, win7-en-20210920
behavioral22: setup_installer/Wed09d27135e5a8b3b.exe, win10-en-20211014
behavioral23: setup_installer/Wed09d8d6edfaff2ac.exe, win7-en-20210920
behavioral24: setup_installer/Wed09d8d6edfaff2ac.exe, win10-en-20211014
behavioral25: setup_installer/Wed09db0d52c38.exe, win7-en-20210920
behavioral26: setup_installer/Wed09db0d52c38.exe, win10-en-20210920
behavioral27: setup_installer/Wed09e95ff6b5.exe, win7-en-20211014
behavioral28: setup_installer/Wed09e95ff6b5.exe, win10-en-20210920
behavioral29: setup_installer/Wed09f257bb7877d00b2.exe, win7-en-20211014
behavioral30: setup_installer/Wed09f257bb7877d00b2.exe, win10-en-20210920
behavioral31: setup_installer/libcurl.dll, win7-en-20211014
behavioral32: setup_installer/libcurl.dll, win10-en-20210920
Malware Config

Extracted: redline
  Botnet: chris
  C2: 194.104.136.5:46013

Extracted: vidar
  Version: 41.6
  Botnet: 933
  C2: https://mas.to/@lilocc
  profile_id: 933

Extracted: redline
  Botnet: build999
  C2: 109.107.191.123:52781

Extracted: redline
  Botnet: media26
  C2: 91.121.67.60:23325

Extracted: xloader
  Version: 2.5
  Campaign: s0iw
  C2: http://www.kyiejenner.com/s0iw/
  Decoy domains:
    ortopediamodelo.com
    orimshirts.store
    universecatholicweekly.info
    yvettechan.com
    sersaudavelsempre.online
    face-booking.net
    europeanretailgroup.com
    umofan.com
    roemahbajumuslim.online
    joyrosecuisine.net
    3dmaker.house
    megdb.xyz
    stereoshopie.info
    gv5rm.com
    tdc-trust.com
    mcglobal.club
    choral.works
    onlineconsultantgroup.com
    friscopaintandbody.com
    midwestii.com
    weespiel.com
    babyshell.be
    gwynora.com
    talkthered.com
    f-punk.com
    frankmatlock.com
    clique-solicite.net
    clientloyaltysystem.com
    worldbyduco.com
    kampfsport-erfurt.com
    adndpanel.xyz
    rocknfamily.net
    ambr-creative.com
    wwwks8829.com
    thuexegiarehcmgoviet.com
    brentmurrell.art
    wolf-yachts.com
    tenpobiz.com
    binnamall.com
    crestamarti.quest
    terry-hitchcock.com
    ocreverseteam.com
    taxwarehouse2.xyz
    megawholesalesystem.com
    epstein-advisory.com
    enewlaunches.com
    iphone13.community
    pianostands.com
    newspaper.clinic
    alamdave.com
    costalitaestepona2d.com
    arbacan.com
    horikoshi-online-tutoring.net
    missingthered.com
    ecmcenterprises.com
    giaohangtietkiemhcm.com
    universidademackenzie.com
    kveupcsmimli.mobi
    ibellex.com
    ikigaiofficial.store
    jerseyboysnorfolk.com
    xiamensaikang.com
    lmnsky.com
    bra866.com

Extracted: raccoon
  Botnet: 8dec62c1db2959619dca43e02fa46ad7bd606400
  url4cnc:
    http://telegin.top/capibar
    http://ttmirror.top/capibar
    http://teletele.top/capibar
    http://telegalive.top/capibar
    http://toptelete.top/capibar
    http://telegraf.top/capibar
    https://t.me/capibar

Extracted: vidar
  Version: 41.6
  Botnet: 937
  C2: https://mas.to/@lilocc
  profile_id: 937

Extracted: smokeloader
  Version: 2020
  C2:
    http://brandyjaggers.com/upload/
    http://andbal.com/upload/
    http://alotofquotes.com/upload/
    http://szpnc.cn/upload/
    http://uggeboots.com/upload/
    http://100klv.com/upload/
    http://rapmusic.at/upload/
    http://xacokuo8.top/
    http://hajezey1.top/

Extracted: redline
  Botnet: dd3
  C2: 91.206.14.151:16764

Extracted: redline
  Botnet: serman
  C2: 135.181.129.119:4805
Targets

Target: setup_installer/Wed0901eb1dae126e32.exe
Size: 401KB
MD5: 199dd8b65aa03e11f7eb6346506d3fd2
SHA1: a04261608dabc8d394dfea558fcaeb216f6335ea
SHA256: 6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA512: 0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext

Target: setup_installer/Wed094c47c32b.exe
Size: 1.3MB
MD5: b5cfd3a9dc9e645e24c79991bca60460
SHA1: 0d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256: 852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA512: 55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
Score: 8/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL

Target: setup_installer/Wed096a1bff61.exe
Size: 8KB
MD5: c4d0ec0c74d01acc7135e8045630b182
SHA1: d954fa19b63df6062c013093ed22f8dc5218c48b
SHA256: 8d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
SHA512: 7cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: setup_installer/Wed0971f17486f8.exe
Size: 390KB
MD5: 83be628244555ddba5d7ab7252a10898
SHA1: 7a8f6875211737c844fdd14ba9999e9da672de20
SHA256: e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA512: 0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext

Target: setup_installer/Wed09977fdc12334.exe
Size: 125KB
MD5: 6843ec0e740bdad4d0ba1dbe6e3a1610
SHA1: 9666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA256: 4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512: 112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: setup_installer/Wed09abf83d9c2.exe
Size: 89KB
MD5: 03137e005bdf813088f651d5b2b53e5d
SHA1: 0aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256: 258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA512: 23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
Score: 10/10
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: setup_installer/Wed09b2a8bc4f16cb.exe
Size: 321KB
MD5: 94d45a7ff853b3c5d3d441cf87a71688
SHA1: 3327a1929c68a160ef6287277d4cff5747d7bb91
SHA256: 172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
SHA512: 14d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
Score: 10/10
Signatures:
- Executes dropped EXE
- Deletes itself

Target: setup_installer/Wed09b3a5ca1a712d390.exe
Size: 63KB
MD5: 1c80f27a97ac4ce5c1c91705e0921e5a
SHA1: 23b8834a95a978b881f67440ceef1046d3172dd1
SHA256: 5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
SHA512: 31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2

Target: setup_installer/Wed09c42cad92c20f79.exe
Size: 421KB
MD5: 48c91156511d520353b21c4df6253944
SHA1: a5fffe608205c897fea58541ae844d30a2fa4a0f
SHA256: bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
SHA512: fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
Score: 6/10
Signatures:
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: setup_installer/Wed09cfb2f9758281d8.exe
Size: 362KB
MD5: dcf289d0f7a31fc3e6913d6713e2adc0
SHA1: 44be915c2c70a387453224af85f20b1e129ed0f0
SHA256: 06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA512: 7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
Score: 7/10
Signatures:
- Deletes itself

Target: setup_installer/Wed09d27135e5a8b3b.exe
Size: 379KB
MD5: 9b07fc470646ce890bcb860a5fb55f13
SHA1: ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256: 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512: 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
Score: 8/10
Signatures:
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: setup_installer/Wed09d8d6edfaff2ac.exe
Size: 126KB
MD5: 003a0cbabbb448d4bac487ad389f9119
SHA1: 5e84f0b2823a84f86dd37181117652093b470893
SHA256: 5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
SHA512: 53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Xloader Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: setup_installer/Wed09db0d52c38.exe
Size: 1.4MB
MD5: 5810fe95f7fb43baf96de0e35f814d6c
SHA1: 696118263629f3cdf300934ebc3499d1c14e0233
SHA256: 45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
SHA512: 832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
Signatures:
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2

Target: setup_installer/Wed09e95ff6b5.exe
Size: 846KB
MD5: c9e0bf7a99131848fc562b7b512359e1
SHA1: add6942e0e243ccc1b2dc80b3a986385556cc578
SHA256: 45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA512: 87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
Score: 10/10
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
- autoit_exe: AutoIT scripts compiled to PE executables.

Target: setup_installer/Wed09f257bb7877d00b2.exe
Size: 1.3MB
MD5: bdbbf4f034c9f43e4ab00002eb78b990
SHA1: 99c655c40434d634691ea1d189b5883f34890179
SHA256: 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512: dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
Signatures:
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: setup_installer/libcurl.dll
Size: 218KB
MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v6; the count after each technique is the number of matching signatures)

Persistence:
- Registry Run Keys / Startup Folder: 4
- Scheduled Task: 3
- Modify Existing Service: 2

Defense Evasion:
- Modify Registry: 14
- Install Root Certificate: 6
- Disabling Security Tools: 2
- Virtualization/Sandbox Evasion: 2