General
-
Target
09458e479a10c5c9df88148fab6557cb.exe
-
Size
2.7MB
-
Sample
220809-h3s7vsgfb3
-
MD5
09458e479a10c5c9df88148fab6557cb
-
SHA1
f495213826e5e9dd400374ee5d84d1d7b46a19ac
-
SHA256
daf37b9db90e49f7c8c30899951565491d54e15c794f193000e25fd3d98774d6
-
SHA512
aec3eeeb40ec243239cf55b24ffc333203e1efd6d00986b088b66ab474b52d2b6eb8989c36ab64164cd2b282784c16173e6ea5df1667ccdb4b42dda062c6f2df
Behavioral task
behavioral1
Sample
09458e479a10c5c9df88148fab6557cb.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
09458e479a10c5c9df88148fab6557cb.exe
Resource
win10v2004-20220721-en
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
-
payload_urls
http://146.19.233.133/oblak.loc/w.exe
http://146.19.233.133/oblak.loc/win_32SR_Lib.exe, http://146.19.233.133/oblak.loc/win_32_Cl.exe, http://146.19.233.133/oblak.loc/win_32_LibRT.exe
Extracted
redline
213.226.123.155:2014
-
auth_value
0598b6406388ff69eafa98ec89e064a0
Targets
-
-
Target
09458e479a10c5c9df88148fab6557cb.exe
-
Size
2.7MB
-
MD5
09458e479a10c5c9df88148fab6557cb
-
SHA1
f495213826e5e9dd400374ee5d84d1d7b46a19ac
-
SHA256
daf37b9db90e49f7c8c30899951565491d54e15c794f193000e25fd3d98774d6
-
SHA512
aec3eeeb40ec243239cf55b24ffc333203e1efd6d00986b088b66ab474b52d2b6eb8989c36ab64164cd2b282784c16173e6ea5df1667ccdb4b42dda062c6f2df
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-