General
- Target: 0156847d51e71ced1a4a8871fc89b85d.exe
- Size: 4.3MB
- Sample: 220809-jh321afadk
- MD5: 0156847d51e71ced1a4a8871fc89b85d
- SHA1: 1d381d4d63f5a3ad9691fb427dca82290ca379d0
- SHA256: b8b162b8e561df015f29ea5282830830a427b041f4146676fbd4ed321bf69ac4
- SHA512: 5ae78265b582c043335ea0eab8630e72a5fe5bee4d7e8a0348de4204047e88db4eb574403f9c74868b3ce57b85e498202dd1dc7841c94f0a6133d1c43ea13578
Behavioral tasks
- behavioral1: Sample 0156847d51e71ced1a4a8871fc89b85d.exe, Resource win7-20220715-en
- behavioral2: Sample 0156847d51e71ced1a4a8871fc89b85d.exe, Resource win10v2004-20220721-en
Malware Config
Extracted: eternity
- C2: http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
- payload_urls:
  http://146.19.233.133/oblak.loc/w.exe
  http://146.19.233.133/oblak.loc/win_32SR_Lib.exe
  http://146.19.233.133/oblak.loc/win_32_Cl.exe
  http://146.19.233.133/oblak.loc/win_32_LibRT.exe
Extracted: redline
- C2: 213.226.123.155:2014
- auth_value: 0598b6406388ff69eafa98ec89e064a0
Targets
- Target: 0156847d51e71ced1a4a8871fc89b85d.exe
- Size: 4.3MB
- Hashes: as listed under General (MD5 0156847d51e71ced1a4a8871fc89b85d)
Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Eternity: Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Modifies WinLogon for persistence
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext