General
Target: 09c22c3901e19f445a5d172e98d1ae53.exe
Size: 2.4MB
Sample: 220809-pp2qeaacem
MD5: 09c22c3901e19f445a5d172e98d1ae53
SHA1: ddba9778bea6313cb4d62b64107c5a43ecbd6fd8
SHA256: 0af4243d29cc211b18071fdacf963a1dbfea5ff09bd9b947d4d021e80fabccd4
SHA512: 77303c5a65d50abeaa596f00f029de69388b7fbc137d8d4c1ea992db2bd7a2b8e8138e5ba2ddf3c537305f40509e706f7ee07446325fe7b205ac19af32a1e24d
Behavioral task: behavioral1
Sample: 09c22c3901e19f445a5d172e98d1ae53.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: 09c22c3901e19f445a5d172e98d1ae53.exe
Resource: win10v2004-20220721-en
Malware Config
Extracted: eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
payload_urls:
- http://146.19.233.133/oblak.loc/w.exe
- http://146.19.233.133/oblak.loc/win_32SR_Lib.exe
- http://146.19.233.133/oblak.loc/win_32_Cl.exe
- http://146.19.233.133/oblak.loc/win_32_LibRT.exe
Extracted: redline
213.226.123.155:2014
auth_value: 0598b6406388ff69eafa98ec89e064a0
Targets
Target: 09c22c3901e19f445a5d172e98d1ae53.exe
- DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Eternity: Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Modifies WinLogon for persistence
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext