General
-
Target
File.zip
-
Size
6.4MB
-
Sample
220903-vq3a8aacbp
-
MD5
72a9f4e777d2f5046a47a5d580986444
-
SHA1
3d64114624dc2f1c96485cb7c193ea95fab4f731
-
SHA256
ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041
-
SHA512
23eddd86be0fed3f86de09378c55f85b0e47f967432edb079abb242fb046693c8d58734a32784e65729ca538e5492dddc18c498c7986b88da4302bb9420395ec
-
SSDEEP
196608:Tjfhn41BNL8oYEzjTy1vt2Dv4WoeUnpxQS+i+:vZn41B95j2vt2sci+
Behavioral task
behavioral1
Sample
Install.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Install.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
langs/Hungarian.ps1
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
langs/Hungarian.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
langs/Korean.ps1
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
langs/Korean.ps1
Resource
win10v2004-20220812-en
Malware Config
Extracted
privateloader
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
-
payload_url
https://vipsofts.xyz/files/mega.bmp
Extracted
raccoon
ad82482251879b6e89002f532531462a
http://89.185.85.53/
Extracted
redline
@forceddd_lzt
5.182.36.101:31305
-
auth_value
91ffc3d776bc56b5c410d1adf5648512
Targets
-
-
Target
Install.exe
-
Size
435.0MB
-
MD5
2a27acc2f6b26b15d6d839d43a6b6bc0
-
SHA1
661dca9bd343226ae54da0e21f12ef1e181b1776
-
SHA256
006fd40f696d274a44535fcf35d6130445842b148115db48c5b859a8519cdc77
-
SHA512
ebf8bfdf7529429a400ad39d473da0e43752c6cd16dffaadd067e38b3e0c9991664217d15931a73f7f78a0160cdbd4f5710699d2f293c1638ae8d1ed5f7940ee
-
SSDEEP
98304:Ak/AHdxT8BEU8MkJwe65adTX4a2tYsUxKr76hwrrKqdSlwrWL:Ak/i8jkJjLd8a2UxIzGwyL
-
Detects Smokeloader packer
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
YTStealer payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
langs/Hungarian.ini
-
Size
107KB
-
MD5
7591df7fae4342cbc7a0706e1b28e87b
-
SHA1
825e88ad498e8713522f5aef3b21ee01d6fa8b41
-
SHA256
fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d
-
SHA512
8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4
-
SSDEEP
3072:UaKBsDgGod8NAH4iyf8kXrLfKgL6YhL+L3yGU:73X
Score1/10 -
-
-
Target
langs/Korean.ini
-
Size
91KB
-
MD5
efae0c78be2abe2920c78b9d4785ab45
-
SHA1
8c0799fb68852cb071bbe260deb4ab357bd5f4ed
-
SHA256
ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132
-
SHA512
44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8
-
SSDEEP
768:wPYhkzQl6qE7rY+xuPAsyKVmq8Ag8lyWqFk5ziCfsg8S+EZNlWJ7lxyBiCWfbMav:HSzQlc7siCmq8AFlBmLfbNA2Nt7osVP
Score1/10 -