Overview

overview

10

Static

static

10

0x00070000...55.exe

windows7-x64

10

0x00070000...55.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0x00070000000139ff-155.dat

  • Size

    1.0MB

  • Sample

    220806-q3s6vsfcem

  • MD5

    e44b6cb9e7111de178fbabf3ac1cba76

  • SHA1

    b15d8d52864a548c42a331a574828824a65763ff

  • SHA256

    c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22

  • SHA512

    24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf

Score
10/10
nymaimprivateloaderredlineinstallruzkiruzki 10evasioninfostealerloaderpersistencespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

redline

Botnet

install

C2

31.41.244.109:3590

Attributes
  • auth_value

    eb23a0ca5a38a3bf1eb16b2f08524f35

Extracted

Family

nymaim

C2

208.67.104.9

212.192.241.16

Extracted

Family

redline

C2

194.36.177.7:39556

Attributes
  • auth_value

    37f7baab2f9c2105ad605cd792dbb4ca

Extracted

Family

redline

Botnet

ruzki

C2

193.106.191.165:39482

Attributes
  • auth_value

    71a0558c0eea274a5bd617ea85786884

Extracted

Family

redline

Botnet

ruzki 10

C2

185.106.92.235:12654

Attributes
  • auth_value

    bd55c8a28ef77f4992002099164ebe01

Targets

    • Target

      0x00070000000139ff-155.dat

    • Size

      1.0MB

    • MD5

      e44b6cb9e7111de178fbabf3ac1cba76

    • SHA1

      b15d8d52864a548c42a331a574828824a65763ff

    • SHA256

      c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22

    • SHA512

      24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf

    Score
    10/10
    nymaimredlineinstallruzkiruzki 10evasioninfostealerspywarestealerthemidatrojanupxprivateloaderloaderpersistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NyMaim

      NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

      trojannymaim

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

1
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks