General
- Target: tmp
- Size: 95KB
- Sample: 220612-pgmxaabcar
- MD5: f69b759484f6dddde5ee53713c16bd8f
- SHA1: 6f13170df9c452f69b2eab421ade5aed99284849
- SHA256: 3a6872c4340a880b287df860e876fab5363c7896cfe01bf32e9aa6a0a4451d75
- SHA512: 3cd56456abefc07906f38f27c647559e450925de42942bfbd550c5193c3cd0647100e84932e410c01bacc57a77b72a6134c679d430d9c5446af9ca5f214f9409
Malware Config
Extracted: redline
  cheat
  moduleconnector.at:1338
Extracted: netwire
  moduleconnector.at:444
  - activex_autorun: false
  - copy_executable: false
  - delete_original: false
  - host_id: HostId-%Rand%
  - install_path: %AppData%\JavaUpdater\Java.exe
  - lock_executable: false
  - mutex: OkOSGIVK
  - offline_keylogger: false
  - password: Nigger25!
  - registry_autorun: false
  - use_mutex: false
Extracted: bitrat
  1.38
  moduleconnector.at:80
  - communication_password: a719e6eb1cd0fc059eb960515ec9d970
  - install_dir: JavaTools
  - install_file: Java.exe
  - tor_process: tor
Targets
- Target: tmp
- Size: 95KB
- MD5: f69b759484f6dddde5ee53713c16bd8f
- SHA1: 6f13170df9c452f69b2eab421ade5aed99284849
- SHA256: 3a6872c4340a880b287df860e876fab5363c7896cfe01bf32e9aa6a0a4451d75
- SHA512: 3cd56456abefc07906f38f27c647559e450925de42942bfbd550c5193c3cd0647100e84932e410c01bacc57a77b72a6134c679d430d9c5446af9ca5f214f9409
- NetWire RAT payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext