General
  Target: HeartsOFIronIV.rar
  Size: 15KB
  Sample: 220906-mlpwbsgfek
  MD5: b8762a8dba88b4b9831597fb4cb27831
  SHA1: 7cf57c1a0ad12c81bb9adb3f5633d4012b947a2c
  SHA256: a22afac108297e7090f54cf79abd4aa49d837195ebe3464be6718b2ab100864d
  SHA512: a457e60d332c5bfd7792896f41b31270b446d6dba09966be7882af936abdf5f94163f71bad7061c1da3a1a5bdce998ed09ab2892f7b9f49e5723fa4b07738a96
  SSDEEP: 384:RCs3M67tAq6YWWrYRf23N5aR0Sx7EvZe3Sl8UTfL1dKhIDPD6n03c9:DM67+PW8Rf23rfy3YTxdKVec9

Static task: static1

Behavioral task: behavioral1
  Sample: HeartsOFIronIV.bat
  Resource: win7-20220812-en

Malware Config
  Extracted: redline
  log
  195.3.223.79:33189

Targets
  Target: HeartsOFIronIV.bat
  Size: 24KB
  MD5: 067a03764ac51fe3e7836f7f1ee6a7f6
  SHA1: 02a9c4e98ba5804b0a94f5464ff03efa3498684d
  SHA256: ba17971c13364a2b00efc656bea093538063b5c54c6247e0c0013c5a191c5317
  SHA512: 1b94ec243386560465d27c7a5e1f12a438ce0bce351bdef72a10de1dbfad1a7d0f09156502726a76ae744a21143d13a9297320937b3924bd9ba639792d3908e6
  SSDEEP: 384:RrQOabFKKGgSjC1YuuVdLYyWPyIPsBvdQYb6WE+7EHoDunxFaM6:FQfSe3aYy7mGH7pEmuvaM6
  - DcRat
    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
  - Modifies security service
  - Process spawned unexpected child process
    This typically indicates that the parent process was compromised via an exploit or a macro.
  - RedLine
    RedLine Stealer is a malware family written in C#, first seen in early 2020.
  - RedLine payload
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Possible privilege escalation attempt
  - Stops running service(s)
  - Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
  - Loads dropped DLL
  - Modifies file permissions
  - Accesses cryptocurrency files/wallets, possible credential harvesting
  - Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
  - Legitimate hosting services abused for malware hosting/C2
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext