General

  • Target

    0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe

  • Size

    392KB

  • Sample

    220415-qm8xdaebe2

  • MD5

    5fea51478a01f10a78d428751e973aba

  • SHA1

    cb7f1e3acc3636a6f890edb8c44d0abe2674ec1c

  • SHA256

    0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b

  • SHA512

    47ea5c07b4d9d2bd5f9045906da94961f9d7d64e55c992435bdae2d21334daed98f096892da46f2bd18637f48ecac6bc80d6531c5a1cacceb7f3a46182e103c6

Malware Config

Extracted

  • Family

    redline

  • Botnet

    04062022

  • C2

    62.204.41.166:27688

  • Attributes

    auth_value: 48182fe753fa2aff7472da064aa2a5d9

Extracted

  • Family

    arkei

  • Botnet

    Default

  • C2

    http://62.204.41.69/p8jG9WvgbE.php

Extracted

  • Family

    azorult

  • C2

    http://195.245.112.115/index.php

Targets

    • Target

      0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe


    • Arkei

      Arkei is an infostealer written in C++.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Meta Stealer

      Meta Stealer is an infostealer written in C++ that steals passwords stored in browsers.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks