General

  • Target

    d41a8bd001feda9ad29b5178cb438c2e23fc4fb9775929b3885fc54d424ef929

  • Size

    206KB

  • Sample

    220909-xdny6sghc3

  • MD5

    5c69d5ee9d7956ca66e976cc14e4c1c6

  • SHA1

    cd00f5c6d14b13b88444fe32dc85421189b213e5

  • SHA256

    d41a8bd001feda9ad29b5178cb438c2e23fc4fb9775929b3885fc54d424ef929

  • SHA512

    9cd5ff6d87f5d0963137fab0d9f310d9e9c6f28a579316204799151f4746e84a0c6460e8d364e9d97838fc5c04d719053b84f61845672ab7163c887871d44028

  • SSDEEP

    3072:i7NgkVCsLxRBH2/5ye0uRcbnl++HwAPLko/Mjux:kxzLzBZe0uR0lnwqL4

Malware Config

  • Extracted

    Family: raccoon
    Botnet: 567d5bff28c2a18132d2f88511f07435
    C2: http://116.203.167.5/
        http://195.201.248.58/
    rc4.plain

  • Extracted

    Family: redline
    Botnet: nam5
    C2: 103.89.90.61:34589
    Attributes
      auth_value: f23be8e9063fe5d0c6fc3ee8e7d565bd

  • Extracted

    Family: redline
    Botnet: 1337
    C2: 78.153.144.6:2510
    Attributes
      auth_value: b0447922bcbc2eda83260a9e7a638f45

  • Extracted

    Family: raccoon
    Botnet: 648192a8f8c7b4c365c1a151beb8badc
    C2: http://84.246.85.28/
    rc4.plain

  • Extracted

    Family: eternity
    C2: http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Targets

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
