General

  • Target

    0156847d51e71ced1a4a8871fc89b85d.exe

  • Size

    4.3MB

  • Sample

    220809-jlczzsfafn

  • MD5

    0156847d51e71ced1a4a8871fc89b85d

  • SHA1

    1d381d4d63f5a3ad9691fb427dca82290ca379d0

  • SHA256

    b8b162b8e561df015f29ea5282830830a427b041f4146676fbd4ed321bf69ac4

  • SHA512

    5ae78265b582c043335ea0eab8630e72a5fe5bee4d7e8a0348de4204047e88db4eb574403f9c74868b3ce57b85e498202dd1dc7841c94f0a6133d1c43ea13578

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Attributes
  • payload_urls

    http://146.19.233.133/oblak.loc/w.exe

    http://146.19.233.133/oblak.loc/win_32SR_Lib.exe, http://146.19.233.133/oblak.loc/win_32_Cl.exe, http://146.19.233.133/oblak.loc/win_32_LibRT.exe

Extracted

Family

redline

C2

213.226.123.155:2014

Attributes
  • auth_value

    0598b6406388ff69eafa98ec89e064a0

Targets

    • Target

      0156847d51e71ced1a4a8871fc89b85d.exe

    • Size

      4.3MB

    • MD5

      0156847d51e71ced1a4a8871fc89b85d

    • SHA1

      1d381d4d63f5a3ad9691fb427dca82290ca379d0

    • SHA256

      b8b162b8e561df015f29ea5282830830a427b041f4146676fbd4ed321bf69ac4

    • SHA512

      5ae78265b582c043335ea0eab8630e72a5fe5bee4d7e8a0348de4204047e88db4eb574403f9c74868b3ce57b85e498202dd1dc7841c94f0a6133d1c43ea13578

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks