General
-
Target
d41a8bd001feda9ad29b5178cb438c2e23fc4fb9775929b3885fc54d424ef929
-
Size
206KB
-
Sample
220909-xdny6sghc3
-
MD5
5c69d5ee9d7956ca66e976cc14e4c1c6
-
SHA1
cd00f5c6d14b13b88444fe32dc85421189b213e5
-
SHA256
d41a8bd001feda9ad29b5178cb438c2e23fc4fb9775929b3885fc54d424ef929
-
SHA512
9cd5ff6d87f5d0963137fab0d9f310d9e9c6f28a579316204799151f4746e84a0c6460e8d364e9d97838fc5c04d719053b84f61845672ab7163c887871d44028
-
SSDEEP
3072:i7NgkVCsLxRBH2/5ye0uRcbnl++HwAPLko/Mjux:kxzLzBZe0uR0lnwqL4
Static task
static1
Behavioral task
behavioral1
Sample
d41a8bd001feda9ad29b5178cb438c2e23fc4fb9775929b3885fc54d424ef929.exe
Resource
win10-20220812-en
Malware Config
Extracted
raccoon
567d5bff28c2a18132d2f88511f07435
http://116.203.167.5/
http://195.201.248.58/
Extracted
redline
nam5
103.89.90.61:34589
-
auth_value
f23be8e9063fe5d0c6fc3ee8e7d565bd
Extracted
redline
1337
78.153.144.6:2510
-
auth_value
b0447922bcbc2eda83260a9e7a638f45
Extracted
raccoon
648192a8f8c7b4c365c1a151beb8badc
http://84.246.85.28/
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Targets
-
-
Target
d41a8bd001feda9ad29b5178cb438c2e23fc4fb9775929b3885fc54d424ef929
-
Size
206KB
-
MD5
5c69d5ee9d7956ca66e976cc14e4c1c6
-
SHA1
cd00f5c6d14b13b88444fe32dc85421189b213e5
-
SHA256
d41a8bd001feda9ad29b5178cb438c2e23fc4fb9775929b3885fc54d424ef929
-
SHA512
9cd5ff6d87f5d0963137fab0d9f310d9e9c6f28a579316204799151f4746e84a0c6460e8d364e9d97838fc5c04d719053b84f61845672ab7163c887871d44028
-
SSDEEP
3072:i7NgkVCsLxRBH2/5ye0uRcbnl++HwAPLko/Mjux:kxzLzBZe0uR0lnwqL4
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-