Resubmissions
04-06-2023 21:35
230604-1fcwgadg89 1013-02-2022 03:16
220213-dsq8asfbej 1013-02-2022 03:12
220213-dqagrsdda9 1013-02-2022 03:11
220213-dpxwnsfbdq 106-12-2021 20:39
211206-zflypsfahr 1019-10-2021 03:48
211019-ec1mgafbf7 1011-08-2021 05:28
210811-rjsxfvjxd2 1011-08-2021 05:07
210811-rs31ylg4ls 1011-08-2021 04:56
210811-tvaldfm4jx 10General
-
Target
Setup.exe
-
Size
1.6MB
-
Sample
220213-dqagrsdda9
-
MD5
ce6eaa52767b2df78b34519231966588
-
SHA1
ab32d09951189022a1a39e9204ec9ce2926b3fcf
-
SHA256
40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
-
SHA512
36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
Malware Config
Extracted
raccoon
1c0fad6805a0f65d7b597130eb9f089ffbe9857d
-
url4cnc
http://194.180.191.241/capibar
http://103.155.93.35/capibar
https://t.me/capibar
Extracted
redline
shafty_inst
91.243.32.25:25121
-
auth_value
764049059437c802ecea88e790fdca27
Extracted
redline
tako
65.108.27.131:45256
-
auth_value
5e2b00f8574b1c698db50a067014ec7c
Targets
-
-
Target
Setup.exe
-
Size
1.6MB
-
MD5
ce6eaa52767b2df78b34519231966588
-
SHA1
ab32d09951189022a1a39e9204ec9ce2926b3fcf
-
SHA256
40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
-
SHA512
36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
OnlyLogger Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-