General
Target: d679480608237f232180bbccdb98a4aa237d1c7b4963a5815cd51f8e85d49013
Size: 359KB
Sample: 220709-mxpdyadgcq
MD5: 6c296ac4e759e49b1a4354664adf9e62
SHA1: c1aad4f7250a9e46e995dd5be6c83156dc78d42a
SHA256: d679480608237f232180bbccdb98a4aa237d1c7b4963a5815cd51f8e85d49013
SHA512: 21d02b657dabc8ecc499a31b557510822dc45b4b90b858522ba0bbae66b9394e75c5347fa01eb5ec61d2d29b95e8f96f505ded400d9af993bcc613394c61cff0
Static task: static1
Behavioral task: behavioral1
Sample: d679480608237f232180bbccdb98a4aa237d1c7b4963a5815cd51f8e85d49013.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: redline; 1; 38.17.53.140:30686; auth_value 7d4c8895c781964b1dd3b37efbb922d8
Extracted: redline; 193.233.193.49:11906; auth_value ad5cd49e075db8527ecb265d0bf18710
Extracted: redline; 22; 104.168.175.185:24296; auth_value d1d25fcea68896739206f4633c252b31
Extracted: redline; 1399237859; 37.235.54.26:8362
Extracted: redline; @mahouny23; 194.36.177.26:16686; auth_value 1e6a07738976b205f98e69f03924461d
Extracted: eternity; http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Extracted: vidar; 53.1; 324; https://t.me/tg_dailyrunnings; https://mastodon.online/@olegf9844g; profile_id 324
Targets
Target: d679480608237f232180bbccdb98a4aa237d1c7b4963a5815cd51f8e85d49013 (359KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detects Eternity stealer
- Eternity: Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext