General
Target: File.zip
Size: 6.4MB
Sample: 220903-sk3npabdb7
MD5: 72a9f4e777d2f5046a47a5d580986444
SHA1: 3d64114624dc2f1c96485cb7c193ea95fab4f731
SHA256: ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041
SHA512: 23eddd86be0fed3f86de09378c55f85b0e47f967432edb079abb242fb046693c8d58734a32784e65729ca538e5492dddc18c498c7986b88da4302bb9420395ec
SSDEEP: 196608:Tjfhn41BNL8oYEzjTy1vt2Dv4WoeUnpxQS+i+:vZn41B95j2vt2sci+
Behavioral tasks
behavioral1: Sample Install.exe, Resource win7-20220901-en
behavioral2: Sample Install.exe, Resource win10v2004-20220812-en
behavioral3: Sample Readme.txt, Resource win7-20220812-en
behavioral4: Sample Readme.txt, Resource win10v2004-20220812-en
behavioral5: Sample langs/English.ini, Resource win7-20220901-en
behavioral6: Sample langs/English.ini, Resource win10v2004-20220812-en
Malware Config
Extracted: privateloader
    http://163.123.143.4/proxies.txt
    http://107.182.129.251/server.txt
    pastebin.com/raw/A7dSG1te
    http://wfsdragon.ru/api/setStats.php
    163.123.143.12
    payload_url: https://vipsofts.xyz/files/mega.bmp
Extracted: raccoon
    ad82482251879b6e89002f532531462a
    http://89.185.85.53/
Extracted: redline
    @forceddd_lzt
    5.182.36.101:31305
    auth_value: 91ffc3d776bc56b5c410d1adf5648512
Targets

Target: Install.exe
Size: 435.0MB
MD5: 2a27acc2f6b26b15d6d839d43a6b6bc0
SHA1: 661dca9bd343226ae54da0e21f12ef1e181b1776
SHA256: 006fd40f696d274a44535fcf35d6130445842b148115db48c5b859a8519cdc77
SHA512: ebf8bfdf7529429a400ad39d473da0e43752c6cd16dffaadd067e38b3e0c9991664217d15931a73f7f78a0160cdbd4f5710699d2f293c1638ae8d1ed5f7940ee
SSDEEP: 98304:Ak/AHdxT8BEU8MkJwe65adTX4a2tYsUxKr76hwrrKqdSlwrWL:Ak/i8jkJjLd8a2UxIzGwyL

Signatures
PrivateLoader
    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.
RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
    BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger

Target: Readme.txt
Size: 4KB
MD5: 1ee7a6180885e54720bf71be04b03825
SHA1: 140d28bd53ce8645882ed17b17e90347b9cf262a
SHA256: ce47c8d9d3eb0493a79aedf6f61c21ef7369f9a1725064ddd74538a02011841a
SHA512: 14d9f69d0d3ba5375d6fe8a1f6d7b15d8e0bcb6161d335883d8db5a309b802e14086bb25e92da234f2a7fddf11ff92d9226f6a2e61a93bf22b4891203daf8212
SSDEEP: 96:oVN+hxywresod226jfbHjbW5qGmokRQg2HmLUodWXLiQw://re9A2qbDbW5MdRUHmLvdW72
Score: 1/10

Target: langs/English.ini
Size: 107KB
MD5: 525ce1c02ca53f9c63cb697ed3aae899
SHA1: 9ddc2763d9dd663f3cb0febf0d580e21c52c2f18
SHA256: 0f9d467f6bb6f682c0d1351b26038950c73720f2bfc0741ec1c7bfab2046d75f
SHA512: 734d599d839b1266c42f340e044243ae30d1859d314eed7738f72f59201d19359f1ac6ee0cac8bfef4a0a2b8f2232a4f1f33336770c8c43f929c1bef162d2317
SSDEEP: 1536:5S5Ybl8/lKlXiF3y24FMuRvV5I7BohUT1:xxXiVQV5uJ1
Score: 1/10