General
-
Target
a507d9b7459be7da333d8b2ca288c600bf7497fbb860b.exe
-
Size
2.4MB
-
Sample
220809-skk4msdff7
-
MD5
e32a7fae572280716c85d41555752b52
-
SHA1
1dd67b49e05612a245de0ffe93523e4ea460f8ab
-
SHA256
a507d9b7459be7da333d8b2ca288c600bf7497fbb860b8c57189a4c00a09a3c3
-
SHA512
52a5ae096e92809d88254f86127cf62e4d55962b05e26a2b648f6879ab973fdea9a18279c12ba907fa9015fd542da122445d899f337500e911e58ba0b4b63963
Behavioral task
behavioral1
Sample
a507d9b7459be7da333d8b2ca288c600bf7497fbb860b.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
a507d9b7459be7da333d8b2ca288c600bf7497fbb860b.exe
Resource
win10v2004-20220721-en
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
-
payload_urls
http://146.19.233.133/oblak.loc/w.exe
http://146.19.233.133/oblak.loc/win_32SR_Lib.exe
http://146.19.233.133/oblak.loc/win_32_Cl.exe
http://146.19.233.133/oblak.loc/win_32_LibRT.exe
Extracted
redline
213.226.123.155:2014
-
auth_value
0598b6406388ff69eafa98ec89e064a0
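The extracted configs above are directly usable for hunting in network telemetry. The following Python script is an added example, not part of the Triage report and not code from either malware family: it flattens the Eternity payload URLs, the Eternity Tor address and the RedLine C2 socket into exact-match sets, then runs them over a few constructed proxy, firewall and DNS log lines (the space-separated "timestamp client ..." layout is an assumption). Traffic to the RedLine host on a port other than 2014 is reported under its own category so a port change between builds does not hide the host, and a request to the payload server for an unknown path falls back to a host-level hit.

```python
"""Match the Eternity/RedLine indicators from the report against log lines.

Added example, not part of the sandbox report. SAMPLE_LOG is constructed and
its field layout is an assumption; the indicator values are the report's.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the report's "Malware Config" section.
ETERNITY_TOR_C2 = "http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion"
ETERNITY_PAYLOAD_URLS = [
    "http://146.19.233.133/oblak.loc/w.exe",
    "http://146.19.233.133/oblak.loc/win_32SR_Lib.exe",
    "http://146.19.233.133/oblak.loc/win_32_Cl.exe",
    "http://146.19.233.133/oblak.loc/win_32_LibRT.exe",
]
REDLINE_C2 = "213.226.123.155:2014"

URL_RE = re.compile(r"https?://\S+", re.I)
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ONION_RE = re.compile(r"\b([a-z2-7]{16,56}\.onion)\b", re.I)


def build_iocs(payload_urls, c2_socket, tor_c2):
    """Flatten the config into exact-match sets: URLs, C2 ip->ports, hosts, onions."""
    iocs = {"urls": set(), "c2": {}, "hosts": set(), "onions": set()}
    for url in payload_urls:
        iocs["urls"].add(url.lower())
        host = urlparse(url).hostname
        if host:
            iocs["hosts"].add(host)
    ip, port = c2_socket.rsplit(":", 1)
    ipaddress.ip_address(ip)  # raises ValueError if the config line is malformed
    iocs["c2"].setdefault(ip, set()).add(int(port))
    iocs["hosts"].add(ip)
    iocs["onions"].add(urlparse(tor_c2).hostname.lower())
    return iocs


def match_line(line, iocs):
    """Return (category, indicator) for the first IOC hit in a log line, else None.

    Most specific form first: a full payload URL before its host, a C2 socket
    before a bare IP, so the category tells the analyst how strong the hit is.
    """
    for url in URL_RE.findall(line):
        if url.lower() in iocs["urls"]:
            return ("payload_url", url)
    for ip, port in SOCKET_RE.findall(line):
        if ip in iocs["c2"]:
            if int(port) in iocs["c2"][ip]:
                return ("c2_socket", f"{ip}:{port}")
            return ("c2_host_other_port", f"{ip}:{port}")
    for onion in ONION_RE.findall(line):
        if onion.lower() in iocs["onions"]:
            return ("tor_c2", onion.lower())
    for ip in IP_RE.findall(line):
        if ip in iocs["hosts"]:
            return ("known_host", ip)
    return None


def scan(lines, iocs):
    """Return [(line_index, category, indicator)] for every line that hits an IOC."""
    hits = []
    for i, line in enumerate(lines):
        hit = match_line(line, iocs)
        if hit:
            hits.append((i,) + hit)
    return hits


# Constructed log lines (not from the report): proxy, firewall and DNS events.
SAMPLE_LOG = [
    "2022-08-09T12:00:01Z 10.0.0.5 GET http://146.19.233.133/oblak.loc/w.exe 200",
    "2022-08-09T12:00:03Z 10.0.0.5 GET http://www.example.com/ 200",
    "2022-08-09T12:00:05Z 10.0.0.5 -> 213.226.123.155:2014 TCP allow",
    "2022-08-09T12:00:09Z 10.0.0.7 query rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion",
    "2022-08-09T12:00:11Z 10.0.0.9 -> 213.226.123.155:443 TCP allow",
    "2022-08-09T12:00:13Z 10.0.0.9 GET http://146.19.233.133/oblak.loc/other.bin 404",
]

if __name__ == "__main__":
    iocs = build_iocs(ETERNITY_PAYLOAD_URLS, REDLINE_C2, ETERNITY_TOR_C2)
    for idx, category, indicator in scan(SAMPLE_LOG, iocs):
        print(f"line {idx}: {category:<20} {indicator}")
```

Exact URL matching is deliberate: the payload paths are specific enough to be high-confidence, while the IP alone is a shared hosting address that may serve unrelated content, which is why the host-level fallback gets its own, weaker category.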
Targets
-
Target
a507d9b7459be7da333d8b2ca288c600bf7497fbb860b.exe
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Modifies WinLogon for persistence
Changes Winlogon registry values (such as Userinit or Shell under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) so the payload is launched at every logon.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
Rewriting another thread's context is a common step in process hollowing and other code-injection techniques, used to redirect execution into injected code.
-
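Two of the signatures above, "Modifies WinLogon for persistence" and "Adds Run key to start application", are the ones to verify on a host suspected of running this sample. The following Python script is an added example, not from the report: it parses a registry export in .reg format, compares the Winlogon Userinit and Shell values with their stock defaults, and flags Run entries whose executable lives in a user-writable directory. The registry export is constructed for illustration, and the list of user-writable directories is a heuristic assumption rather than an authoritative one.

```python
"""Triage Winlogon and Run-key persistence from a .reg export.

Added example, not part of the sandbox report. SAMPLE_REG is constructed;
USER_WRITABLE is a heuristic assumption, not an authoritative list.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Stock values on a default Windows install. Winlogon launches every
# comma-separated Userinit entry, which is why appending a path works
# as persistence and why the default ends with a comma.
WINLOGON_DEFAULTS = {
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}
# Directories an unprivileged user can write to (heuristic, assumption).
USER_WRITABLE = (r"c:\users\public", r"\appdata\local\temp", r"c:\programdata", r"\appdata\roaming")

SECTION_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lower: {value_name: string_value}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            current[_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def exe_path(command):
    """Executable part of an autorun command line: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_winlogon(keys):
    """Userinit/Shell entries beyond the stock ones -> ('winlogon', name, entry)."""
    findings = []
    values = keys.get(WINLOGON_KEY.lower(), {})
    for name, default in WINLOGON_DEFAULTS.items():
        if name not in values:
            continue
        stock = {x.strip().lower() for x in default.split(",") if x.strip()}
        for entry in values[name].split(","):
            entry = entry.strip()
            if entry and entry.lower() not in stock:
                findings.append(("winlogon", name, entry))
    return findings


def check_run_keys(keys):
    """Run entries whose executable sits in a user-writable path -> ('run', name, exe)."""
    findings = []
    for key in RUN_KEYS:
        for name, command in keys.get(key.lower(), {}).items():
            exe = exe_path(command)
            if any(marker in exe.lower() for marker in USER_WRITABLE):
                findings.append(("run", name, exe))
    return findings


# Constructed export (not from the report): a stock Shell value, a Userinit
# value with an appended path, one benign Run entry and one under C:\Users\Public.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\w.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinRT"="C:\\Users\\Public\\win_32_LibRT.exe"
'''

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for finding in check_winlogon(keys) + check_run_keys(keys):
        print(finding)
```

The Winlogon check compares against the stock values rather than searching for known-bad strings, so a renamed dropper is still caught; the Run-key check is the weaker of the two and is meant to shortlist entries for manual review, not to convict them.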