General

  • Target

    Paypal-Bypass-New.rar

  • Size

    10.5MB

  • Sample

    220809-tvwhssedg5

  • MD5

    9b0aa0b40ad2b96fe32908f8b4b18977

  • SHA1

    04e520449b54a5b0399f656469818a5b52034139

  • SHA256

    7767cd4aee0256131839ae137da6f4bca9e6bc60924e0774f041a05ca3d7bc14

  • SHA512

    95fd8c174c815ed2882fd688c2c26614ec4cd2360fd350ef0bfe62e935006198f8272f904ad83513907c1fd516844e2ce8a1824412e5baa5cbf9a91a5f687ef2

Malware Config

Extracted

  • Family

    redline

  • Botnet

    cheat

  • C2

    5.161.137.166:6738

Targets

    • Target

      Paypal-Bypass-New/Paypal-Bypass-New.exe

    • Size

      3.1MB

    • MD5

      b5e3684462869bcdf57aee5552272e89

    • SHA1

      3cb0e09457929171dce9e74fee6fc529f543ed96

    • SHA256

      7a7997a3e431e72d22551e98f6d61ea902bdda5ed55690ee59b38b9f0944c869

    • SHA512

      0c5f285bd3edd5b4e96c7ec625171ccd9fbffd14ab0cbf942ca3cddc64dd086b9456ee4480cd487dacca251d5e435ff79e01ec6fc55c75009e033c375e5bd025

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Paypal-Bypass-New/assets/Freebitco.in/[BLTools Cracked By Grizzly] Full Logs/[0.00000003 BTC] SE[167E482B2B469B3A0B8F2F3ADCC05A2B] [2022-06-09T08_58_02.1967335+08_00]/FileGrabber/Users/necok/Desktop/Atomic Wallet.lnk

    • Size

      2KB

    • MD5

      3abd48e7bc60de9ba4f1dad18d318d95

    • SHA1

      f22d31945a483e428bcb922c4d2833bc679a3374

    • SHA256

      d15f9762335acc6aa4e676cb7410e14ae5a01345ad7890e0a70f9e349e5c4b2c

    • SHA512

      513446c7aba5b969847a27345f3d78a418dcb6a645b7dcaa4f9653da7bb34b21b71963a706ecdc41855b13d122914be48a7b72ec5a58830fa9b631c06fccfc2f

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                         Signatures  ID
  Defense Evasion     Virtualization/Sandbox Evasion    1           T1497
  Credential Access   Credentials in Files              2           T1081
  Discovery           Query Registry                    3           T1012
  Discovery           Virtualization/Sandbox Evasion    1           T1497
  Discovery           System Information Discovery      3           T1082
  Collection          Data from Local System            2           T1005
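As an added example (not part of the sandbox report and not the sandbox's own signature engine): the behaviours listed under the RedLine payload, and the per-technique counts in the matrix, can be reproduced from an API trace by matching the registry keys, file paths and thread information class those behaviours touch. The key paths, file paths, API names and the v6 technique IDs are my assumptions about what each signature checks (T1622 for the anti-debug call is the ID later ATT&CK versions use; v6 has none), and the trace is constructed for this example, not the sample's real run.

```python
"""Replay a sandbox API trace against the registry, file and anti-debug
behaviours listed in this report, and roll the hits up into ATT&CK v6 IDs.

Rule contents (key paths, file paths, ATT&CK IDs) are the author's
assumptions about what the report's signatures look for; the trace is
constructed for this example, not taken from the sample's real run.
"""
import re
from collections import Counter

# (signature name, ATT&CK v6 technique IDs, pattern over the registry key path)
REGISTRY_RULES = [
    ("Identifies VirtualBox via ACPI registry values", ("T1497",),
     re.compile(r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry", ("T1012", "T1082"),
     re.compile(r"HARDWARE\\DESCRIPTION\\System(\\BIOS)?$", re.I)),
    ("Checks installed software on the system", ("T1012", "T1082"),
     re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("Checks whether UAC is enabled", ("T1012", "T1082"),
     re.compile(r"\\CurrentVersion\\Policies\\System$", re.I)),
]

# (signature name, ATT&CK v6 technique IDs, pattern over the file path)
FILE_RULES = [
    ("Reads user/profile data of web browsers", ("T1081", "T1005"),
     re.compile(r"\\User Data\\.+\\(Login Data|Cookies|Web Data)$"
                r"|\\Firefox\\Profiles\\.+\\(logins\.json|cookies\.sqlite|key4\.db)$", re.I)),
    ("Accesses cryptocurrency files/wallets", ("T1081", "T1005"),
     re.compile(r"\\AppData\\Roaming\\(Electrum\\wallets|Exodus\\exodus\.wallet"
                r"|atomic\\Local Storage\\leveldb)", re.I)),
]

REGISTRY_APIS = ("RegOpenKeyExW", "RegOpenKeyExA", "RegQueryValueExW", "RegQueryValueExA",
                 "RegEnumKeyExW", "NtOpenKey", "NtQueryValueKey")
FILE_APIS = ("CreateFileW", "CreateFileA", "NtCreateFile", "NtOpenFile", "CopyFileW")
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS value for ThreadHideFromDebugger
# Debugger evasion has no v6 technique; T1622 is the ID later ATT&CK versions use.
ANTI_DEBUG_RULE = ("Suspicious use of NtSetInformationThreadHideFromDebugger", ("T1622",))


def match_call(call):
    """Return [(signature, attack_ids), ...] for one API-call record."""
    api, args = call["api"], call.get("args", {})
    hits = []
    if api in REGISTRY_APIS:
        hits += [(name, ids) for name, ids, pat in REGISTRY_RULES if pat.search(args.get("key", ""))]
    elif api in FILE_APIS:
        hits += [(name, ids) for name, ids, pat in FILE_RULES if pat.search(args.get("path", ""))]
    elif api == "NtSetInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
        hits.append(ANTI_DEBUG_RULE)
    return hits


def triage(trace):
    """Return ({signature: set of ATT&CK IDs}, Counter{ATT&CK ID: distinct signatures}).

    Counting distinct signatures per technique, not raw API calls, is what makes
    the numbers comparable with the per-technique counts in the report's matrix.
    """
    sigs = {}
    for call in trace:
        for name, ids in match_call(call):
            sigs.setdefault(name, set()).update(ids)
    attack = Counter(tid for ids in sigs.values() for tid in ids)
    return sigs, attack


# Constructed trace in the shape a sandbox API monitor records (not the real run).
SAMPLE_TRACE = [
    {"api": "RegOpenKeyExW", "args": {"key": r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"}},
    {"api": "RegQueryValueExW", "args": {"key": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS",
                                         "value": "SystemManufacturer"}},
    {"api": "RegOpenKeyExW", "args": {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"}},
    {"api": "RegQueryValueExW", "args": {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
                                         "value": "EnableLUA"}},
    {"api": "RegOpenKeyExW", "args": {"key": r"HKEY_CURRENT_USER\Control Panel\International"}},  # benign noise
    {"api": "NtCreateFile", "args": {"path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"}},
    {"api": "NtCreateFile", "args": {"path": r"C:\Users\victim\AppData\Roaming\atomic\Local Storage\leveldb\000003.log"}},
    {"api": "NtCreateFile", "args": {"path": r"C:\Windows\System32\kernel32.dll"}},  # benign noise
    {"api": "NtSetInformationThread", "args": {"ThreadInformationClass": THREAD_HIDE_FROM_DEBUGGER}},
    {"api": "NtSetInformationThread", "args": {"ThreadInformationClass": 0x2}},  # ThreadPriority, benign
]

if __name__ == "__main__":
    sigs, attack = triage(SAMPLE_TRACE)
    for name, ids in sigs.items():
        print(f"{name}: {', '.join(sorted(ids))}")
    for tid, n in sorted(attack.items()):
        print(f"{tid} x{n}")
```

Run against the constructed trace, the roll-up gives T1012 and T1082 three signatures each, T1081 and T1005 two each and T1497 one, the same figures as the matrix; the two benign records produce no hits. Real sandbox traces differ in field names (the `key`, `path` and `ThreadInformationClass` arguments are assumed here), so the matching functions are the part to keep and the record layout is the part to adapt.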
