General
-
Target
CBE35192C04F83D4D3B179A8C229047ADE740AAC3785E.exe
-
Size
2.7MB
-
Sample
220629-2w8thsfde9
-
MD5
1ff08be8f9a879188c1b75815f9fdbef
-
SHA1
48c482b54ba17aaa436e348d62b2ddba6855a729
-
SHA256
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
-
SHA512
1822768a8f8a8d65810f729f14032c5730bdbdeefa052d25d0a581fac47cd96c31437cf6c0885021fb21cf0a80572b04149f8f327d49a75aae2d5709a56d3313
Static task
static1
Malware Config
Extracted
redline
Cana01
176.111.174.254:56328
Extracted
vidar
39.6
933
https://sslamlssa1.tumblr.com/
-
profile_id
933
Extracted
redline
Mount2
ushatamaiet.xyz:80
adinoreiver.xyz:80
qulyneanica.com:80
-
auth_value
041a7c36d4c8d195af1a8b950182ee96
Extracted
vidar
53
1448
https://t.me/ch_inagroup
https://mastodon.social/@olegf9844e
-
profile_id
1448
Extracted
vidar
53
937
https://t.me/ch_inagroup
https://mastodon.social/@olegf9844e
-
profile_id
937
Extracted
djvu
http://acacaca.org/test3/get.php
-
extension
.lloo
-
offline_id
YfcXKGLzjXMjQRwrhUHzsXjmASQ6mo4zjmEj9st1
-
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-OIgf49CYf3 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0505Jhyjd
Extracted
nymaim
45.141.237.3
31.210.20.149
212.192.241.16
Extracted
vidar
52.7
517
https://t.me/tg_superch
https://climatejustice.social/@olegf9844
-
profile_id
517
Targets
-
-
Target
CBE35192C04F83D4D3B179A8C229047ADE740AAC3785E.exe
-
Size
2.7MB
-
MD5
1ff08be8f9a879188c1b75815f9fdbef
-
SHA1
48c482b54ba17aaa436e348d62b2ddba6855a729
-
SHA256
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
-
SHA512
1822768a8f8a8d65810f729f14032c5730bdbdeefa052d25d0a581fac47cd96c31437cf6c0885021fb21cf0a80572b04149f8f327d49a75aae2d5709a56d3313
-
Detected Djvu ransomware
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
-
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
-
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
-
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1Hidden Files and Directories
1Defense Evasion
Modify Registry
3Disabling Security Tools
1File Permissions Modification
1Install Root Certificate
1Hidden Files and Directories
1