General

  • Target

    362592241e15293c68d0f24468723bbb.exe

  • Size

    206KB

  • Sample

    220220-x5hapscgdm

  • MD5

    362592241e15293c68d0f24468723bbb

  • SHA1

    99b0b0506c746fbf7dd23c684dcc1d81a6f78e98

  • SHA256

    43f2b1760660ae09452c80f028390add8d8b2d95920d608e45c191f883167682

  • SHA512

    3e01c2c034a1398bdfd77459598746020af60c7adadf2c76039c4b727755abd6dd15b3a97df3214ce6e5ad0cbb08398b11a173ce87da9ab563754d3acc4aa56e

Malware Config

Extracted

Family

redline

Botnet

paps

C2

65.108.27.131:45256

Attributes
  • auth_value

    c7b06cfdce3af6496f70c3f411db6722

Targets

    • Target

      362592241e15293c68d0f24468723bbb.exe

    • Size

      206KB

    • MD5

      362592241e15293c68d0f24468723bbb

    • SHA1

      99b0b0506c746fbf7dd23c684dcc1d81a6f78e98

    • SHA256

      43f2b1760660ae09452c80f028390add8d8b2d95920d608e45c191f883167682

    • SHA512

      3e01c2c034a1398bdfd77459598746020af60c7adadf2c76039c4b727755abd6dd15b3a97df3214ce6e5ad0cbb08398b11a173ce87da9ab563754d3acc4aa56e

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    • suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
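
The extracted config above (C2 host and port, sample hashes) and the behavioural signatures in this list (Defender real-time protection tampering, the registry country-code lookup) are the parts of the report a responder would turn into detection logic. The following script is an added example, not the sandbox's code and not the malware's: it runs the report's indicators over constructed, Sysmon-like JSON-lines telemetry. The event layout is an assumption, and the two registry paths are the author's assumption about what the behavioural signatures key on, since the report does not name them.

```python
"""Offline triage of endpoint telemetry against the indicators and behaviours
listed in this report.  Added example: not the sandbox's code and not the
malware's.  The event layout is a constructed, Sysmon-like JSON-lines format
(an assumption), and the registry paths are the author's assumption about
what the two behavioural signatures correspond to."""
import json

# Indicators copied from the report's extracted config and hash block.
C2_HOST = "65.108.27.131"
C2_PORT = 45256
SAMPLE_HASHES = {
    "md5": "362592241e15293c68d0f24468723bbb",
    "sha1": "99b0b0506c746fbf7dd23c684dcc1d81a6f78e98",
    "sha256": "43f2b1760660ae09452c80f028390add8d8b2d95920d608e45c191f883167682",
}

# Assumed registry locations behind "Modifies Windows Defender Real-time
# Protection settings" and "Checks computer location settings".
DEFENDER_RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
GEO_NATION_VALUE = r"hkcu\control panel\international\geo\nation"


def _norm_reg(path):
    """Lower-case and shorten hive names so comparisons are stable."""
    p = path.lower()
    return p.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")


def _dword_is_nonzero(data):
    """Accept Sysmon-style 'DWORD (0x00000001)' as well as bare ints or hex."""
    s = str(data).strip()
    if s.upper().startswith("DWORD"):
        s = s[s.find("(") + 1:s.find(")")]
    try:
        return int(s, 0) != 0
    except ValueError:
        return False


def check_event(ev):
    """Return a list of (rule, severity, detail) hits for one event dict."""
    hits = []
    kind = ev.get("type")
    image = ev.get("image", "?")
    if kind == "process":
        for algo, digest in SAMPLE_HASHES.items():
            if ev.get("hashes", {}).get(algo, "").lower() == digest:
                hits.append(("redline_sample_hash", "high", f"{algo} match on {image}"))
                break  # one hit per process is enough
    elif kind == "network":
        if ev.get("dst_ip") == C2_HOST:
            if int(ev.get("dst_port", 0)) == C2_PORT:
                hits.append(("redline_c2_connection", "high", f"{image} -> {C2_HOST}:{C2_PORT}"))
            else:
                # Same host on another port: worth a look, lower confidence.
                hits.append(("redline_c2_host_other_port", "medium",
                             f"{image} -> {C2_HOST}:{ev.get('dst_port')}"))
    elif kind == "registry_set":
        key, _, value = _norm_reg(ev.get("target", "")).rpartition("\\")
        # Only a non-zero write to a Disable* value is a tamper; a zero write re-enables.
        if key == DEFENDER_RTP_KEY and value.startswith("disable") and _dword_is_nonzero(ev.get("data")):
            hits.append(("defender_rtp_tamper", "high", f"{image} set {ev['target']} = {ev['data']}"))
    elif kind == "registry_query":
        # Sysmon does not log registry reads; this event type assumes an EDR that does.
        if _norm_reg(ev.get("target", "")) == GEO_NATION_VALUE:
            hits.append(("geo_nation_lookup", "low", f"{image} read {ev['target']}"))
    return hits


def scan(jsonl):
    """Parse JSON lines and return every hit as a dict, in input order."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        for rule, severity, detail in check_event(json.loads(line)):
            findings.append({"rule": rule, "severity": severity, "detail": detail})
    return findings


# Constructed telemetry (not captured from the sample): one infected host.
_IMG = r"C:\Users\u\AppData\Local\Temp\362592241e15293c68d0f24468723bbb.exe"
_RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"
SAMPLE_EVENTS = "\n".join([
    json.dumps({"type": "process", "image": _IMG, "hashes": {"md5": "362592241E15293C68D0F24468723BBB"}}),
    json.dumps({"type": "registry_set", "image": _IMG, "target": _RTP, "data": "DWORD (0x00000001)"}),
    json.dumps({"type": "registry_query", "image": _IMG,
                "target": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"}),
    json.dumps({"type": "network", "image": _IMG, "dst_ip": "65.108.27.131", "dst_port": 45256}),
    json.dumps({"type": "network", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "8.8.8.8", "dst_port": 53}),
    json.dumps({"type": "registry_set", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                "target": _RTP, "data": "DWORD (0x00000000)"}),
])

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}")
```

Feed it real Sysmon or EDR exports by mapping their fields onto the four event types; the hash and C2 checks are exact-match IOCs and will age quickly, while the registry-tamper check is behavioural and keeps catching re-packed builds of the same stealer.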

MITRE ATT&CK Enterprise v6

Tasks