General
-
Target
e39ab2c65deceb3c63869c5e0b855f65b38aca0c34e96534e8087223199769f3
-
Size
245KB
-
Sample
220617-jggsdaahhq
-
MD5
81f7105dd8ccd574c2dd7399931d52d5
-
SHA1
1a86da9b77441b0486acfe1b4302c8699dd2ae36
-
SHA256
e39ab2c65deceb3c63869c5e0b855f65b38aca0c34e96534e8087223199769f3
-
SHA512
cfce0b2fcb76546da3a3a7c3428d6ca9d91c4df14d13aae7bda0af368285a001527df967b28cf2c8bf2ae76360ea507de9b64419fa48781b2e2777c08215bd31
Static task
static1
Behavioral task
behavioral1
Sample
e39ab2c65deceb3c63869c5e0b855f65b38aca0c34e96534e8087223199769f3.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
vidar
52.6
1415
https://t.me/tg_dailylessons
https://busshi.moe/@olegf9844xx
-
profile_id
1415
Extracted
recordbreaker
http://138.197.179.146/
Extracted
redline
mario
193.106.191.129:80
-
auth_value
8fb912f79eac650a3e3f25f46f070f5d
Extracted
redline
USAeuTEST
193.106.191.246:23196
-
auth_value
7dbf5ba6d421c1b0e8ce8d5867af4537
Targets
-
-
Target
e39ab2c65deceb3c63869c5e0b855f65b38aca0c34e96534e8087223199769f3
-
Size
245KB
-
MD5
81f7105dd8ccd574c2dd7399931d52d5
-
SHA1
1a86da9b77441b0486acfe1b4302c8699dd2ae36
-
SHA256
e39ab2c65deceb3c63869c5e0b855f65b38aca0c34e96534e8087223199769f3
-
SHA512
cfce0b2fcb76546da3a3a7c3428d6ca9d91c4df14d13aae7bda0af368285a001527df967b28cf2c8bf2ae76360ea507de9b64419fa48781b2e2777c08215bd31
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
-
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
-
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
-
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
ModiLoader Second Stage
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-