General
-
Target
00C0934AF824603BEF01CE8A5D9FCBD0E97432C877D40.exe
-
Size
2.5MB
-
Sample
220827-t38s4adcel
-
MD5
7456a042d330c293f618181c1c52ee59
-
SHA1
27d8b878fb07d7a3f23955cfad710c702a4acc3e
-
SHA256
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
-
SHA512
62ad1abd683b1278a6d665f89c9fa9cffb02641b624c2716f7dea5de320405eb59e0fb1e301e228bb58d9202c8e32f89acd217a18850b6921148cf777bb7a101
-
SSDEEP
49152:EghS3ALwLVtkYDnz+ZSPIa1QVtpnjCzSeyBOLnY9y8/OMm9vqw:JhS2qVtkYDuHLjCnGOT4yiOMm9f
Static task
static1
Behavioral task
behavioral1
Sample
00C0934AF824603BEF01CE8A5D9FCBD0E97432C877D40.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
00C0934AF824603BEF01CE8A5D9FCBD0E97432C877D40.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
vidar
39.6
933
https://sslamlssa1.tumblr.com/
-
profile_id
933
Extracted
tofsee
svartalfheim.top
jotunheim.name
Extracted
redline
nam6.2
103.89.90.61:34589
-
auth_value
2276f4d8810e679413659a9576a6cdf4
Extracted
redline
ruzki9
176.113.115.146:9582
-
auth_value
0bc3fe6153667b0956cb33e6a376b53d
Targets
-
-
Target
00C0934AF824603BEF01CE8A5D9FCBD0E97432C877D40.exe
-
Size
2.5MB
-
MD5
7456a042d330c293f618181c1c52ee59
-
SHA1
27d8b878fb07d7a3f23955cfad710c702a4acc3e
-
SHA256
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
-
SHA512
62ad1abd683b1278a6d665f89c9fa9cffb02641b624c2716f7dea5de320405eb59e0fb1e301e228bb58d9202c8e32f89acd217a18850b6921148cf777bb7a101
-
SSDEEP
49152:EghS3ALwLVtkYDnz+ZSPIa1QVtpnjCzSeyBOLnY9y8/OMm9vqw:JhS2qVtkYDuHLjCnGOT4yiOMm9f
-
Detects Smokeloader packer
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
YTStealer payload
-
Detectes Phoenix Miner Payload
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Install Root Certificate
1