Overview

overview

10

Static

static

Lucky SkinChanger.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Lucky SkinChanger.rar

  • Size

    1.8MB

  • Sample

    220209-gvx1eahfdm

  • MD5

    2d2a51e73f7d6ead1dcf6f3945e61edc

  • SHA1

    3cb5f60fd3321001da79d29966103a6987a6540e

  • SHA256

    c322a19f7b453ed4b9b03817eedc08e88cd8858fd19de799da20603b2d8f5b90

  • SHA512

    c39b6a1ed6d8aeb16eb1633321f9fbab0da3e7e1dd1c6beb576be2b3bf1cadad321fa2b5a3b099e692a6643e957a78f2b0ed32cc6e39ccf2418e6b2dbeeb8fc1

Score
10/10
echelonredlinesapphireinfostealerspywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

sapphire

C2

185.230.143.237:2548

Targets

    • Target

      Lucky SkinChanger.exe

    • Size

      2.1MB

    • MD5

      795a68d97113af5bfe54e3b0250ee2d4

    • SHA1

      65d1bd69f7fb761ffe0831548b41af9d107692db

    • SHA256

      1800e21eac1384cd70ce9edc4b58301eb632eb01489481034a3cd292314dc9ff

    • SHA512

      b87ecd159a781b83fb1e59c6e2aa372f364047832081920c2f8cb1699793536066b5e9150ec447dc280540bb5032aca5da0a1302892d561820009f95ae747990

    Score
    10/10
    echelonredlinesapphireinfostealerspywarestealersuricata

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

      stealerspywareechelon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks