General

  • Target

    fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

  • Size

    692KB

  • Sample

    220415-qm8llsbbfn

  • MD5

    837547af8d2a1f60f8bbe09066f0ffa2

  • SHA1

    727421a8ea79d0c0562870c33d055224c7c9a4bc

  • SHA256

    fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f

  • SHA512

    579fe72723076eb6605660258caf1b8b2a2cf4f05c50f15c0a6a1d8226c13eb847ade0230e5bb1ba21c820e6b2ae0662b33725e65f7b43e0fb2f98c4e41d6961

Malware Config

Extracted

Family

redline

Botnet

04062022

C2

62.204.41.166:27688

Attributes
  • auth_value

    48182fe753fa2aff7472da064aa2a5d9

Extracted

Family

arkei

Botnet

Default

C2

http://62.204.41.69/p8jG9WvgbE.php

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Targets

    • Target

      fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

    • Size

      692KB

    • MD5

      837547af8d2a1f60f8bbe09066f0ffa2

    • SHA1

      727421a8ea79d0c0562870c33d055224c7c9a4bc

    • SHA256

      fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f

    • SHA512

      579fe72723076eb6605660258caf1b8b2a2cf4f05c50f15c0a6a1d8226c13eb847ade0230e5bb1ba21c820e6b2ae0662b33725e65f7b43e0fb2f98c4e41d6961

    • Arkei

      Arkei is an infostealer written in C++.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Meta Stealer Stealer

      Meta Stealer steals passwords stored in browsers, written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE Base64 Encoded Stealer Config from Server - %APPDATA% M4

      suricata: ET MALWARE Base64 Encoded Stealer Config from Server - %APPDATA% M4

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15

      suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6

      suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks