General
-
Target
ts.exe
-
Size
7.0MB
-
Sample
220914-veqs2sahc2
-
MD5
bf3260619b1692d02130c12cf3ed79ab
-
SHA1
c57c977254bf63052704f5acc2fd2c67eedd3ffb
-
SHA256
c7fa25f2c9d0c1edb55b3a214b69da8f1ae8515cdb2b15412133a6fcb643f0f6
-
SHA512
b5367c0e402209cbd43a0da40e2f82de6190bfbe146f05928a644cfe9812b8ffed0cd7dbf600b88bd5648e625d1122db0448b1f551a3408f7051ed77f68d9ca7
-
SSDEEP
98304:tNoOrhfhzTC7lQRSAWiF4ZkNfUB5lZ2hnLvxbHElMEo4fqU1DGD9GMqbncXwTv:TjfhnWSREdk2LGdElMxrU1DsTIMwTv
Malware Config
Extracted
privateloader
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
-
payload_url
https://vipsofts.xyz/files/mega.bmp
Extracted
redline
5
79.110.62.196:26277
-
auth_value
febe6965b41d2583ad2bb6b5aa23cfd5
Extracted
redline
nam6.2
103.89.90.61:34589
-
auth_value
4040fe7c77de89cf1a6f4cebd515c54c
Extracted
redline
ruzki14
176.113.115.146:9582
-
auth_value
688c6d70531c05d3fba22723e72366f6
Extracted
redline
@forceddd_lzt
5.182.36.101:31305
-
auth_value
91ffc3d776bc56b5c410d1adf5648512
Extracted
nymaim
208.67.104.97
85.31.46.167
Extracted
redline
3108_RUZKI
213.219.247.199:9452
-
auth_value
f71fed1cd094e4e1eb7ad1c53e542bca
Extracted
redline
@Fate1337LZT
185.106.92.226:40788
-
auth_value
d5b0c3e4b1aa22b78b0ce7bd07c3acd7
Extracted
redline
Zalupa123
185.241.54.113:31049
-
auth_value
6cfaf38d32211695743702fddac6cc88
Extracted
redline
81.161.229.143:27938
-
auth_value
6687e352a0604d495c3851d248ebf06f
Targets
-
-
Target
ts.exe
-
Size
7.0MB
-
MD5
bf3260619b1692d02130c12cf3ed79ab
-
SHA1
c57c977254bf63052704f5acc2fd2c67eedd3ffb
-
SHA256
c7fa25f2c9d0c1edb55b3a214b69da8f1ae8515cdb2b15412133a6fcb643f0f6
-
SHA512
b5367c0e402209cbd43a0da40e2f82de6190bfbe146f05928a644cfe9812b8ffed0cd7dbf600b88bd5648e625d1122db0448b1f551a3408f7051ed77f68d9ca7
-
SSDEEP
98304:tNoOrhfhzTC7lQRSAWiF4ZkNfUB5lZ2hnLvxbHElMEo4fqU1DGD9GMqbncXwTv:TjfhnWSREdk2LGdElMxrU1DsTIMwTv
Score1/10 -
-
-
Target
Install.exe
-
Size
715.3MB
-
MD5
71c8dbd53f77777dcc663c9bce5fe588
-
SHA1
66008a2ceac550c246645ff2d33734014645a8bb
-
SHA256
fc7b3fd579e40a691cddecc9eb413996d30ddbd8d78a9e483d015f09510fde1c
-
SHA512
ae972a7c810e59f3a566938f1a67c46c373ccd895ed6cd96fa87fba79ca60392bbf65913029ed9b671e4cbea8dfc47f4817a67734b60840fee03c816f5d62aef
-
SSDEEP
98304:gUgVBq1XrkDRvTH++2LDyli5l1H6lGGu6xuojjObjGsM5vCFKTyw:gUaBkQV+3LDyW6lGZrojj8nsaKT5
Score10/10-
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
advapi32res.dll
-
Size
2KB
-
MD5
5f0cba32090f0a295ff21949d1d81dc3
-
SHA1
505fb000950d469ac57f208948061850732f933f
-
SHA256
b82b072342b08e2fb5fe97cb28a9c02289ad6ce501510f7e61eea0fd56297ee0
-
SHA512
8980043af0ee746bd3e2b684580e9edd3b1c6525c22add8ac54270abfed740897eb6392661727b30bba125feec1dbd046d11748293c7dd1054795410c9a29403
Score1/10 -
-
-
Target
fonts/Alakob.ttf
-
Size
80KB
-
MD5
5444bc745e7ed4c48fca3ec966348d83
-
SHA1
c207c04ac3c911bc9ab41527fb7f9bde38c34302
-
SHA256
2fbe2974774c313fada28762fa25641f7f58966632844496854f7386b9fb4fc3
-
SHA512
97fe730bf4e296347f44f35d8fb4327f9b65514bbf10ebb2ca34e334568f64e55245c0c84c2aa70c1db1cc5cf2232cba59048177e2b6f72a462ca3bd09c73199
-
SSDEEP
1536:PVpNLCyksGGnbex1Y73PYspairXb1Mrw3:PRLGvuj1b
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/AlaskanNights.ttf
-
Size
86KB
-
MD5
6023142ebf3036a781a79c411aaa0131
-
SHA1
a37c1f9d5d252f9b16fab911a13332229d735a8b
-
SHA256
5be4c4b438cb72291ce80ee536dbca19226a1801e7a8906cfc20d1e499f64da8
-
SHA512
e3f68ec5335de1eb058e26c023522a4747469572439c7c8b3b0cde84cd8d7a11385703ac40a5149eb626701af731522f67579841da30650078bc2edc24672f95
-
SSDEEP
1536:d5ydfOTA+yFfcMS/l9QY0CKrK9ngh6+QsTvDgGagGoJ0JjFmQ:d5gfAA+qfcMhY0CCcK6dOMG1GD
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/Arggotsc.ttf
-
Size
88KB
-
MD5
1a1ec864b6c0730c8be73b99a092bf46
-
SHA1
b621b1ef3365eeeb562073b7affd2177d63342a4
-
SHA256
85d7a5ef7867ab572048c9a4f422526f249da11f3236e8763a737d66df08e096
-
SHA512
8ac4b1b54c92ce4b7dd1c3419243f13cf5c1e7537b768db3306787223904083d562809fcb18ac26707f67518e05558bd9d89fab46a3500fbef3aaa5f9cb38617
-
SSDEEP
1536:yRpVPVxnzULhyM1toY7I+Q2+QZMDxRJyG7Syl/6JsOgTpqRkX5/qb5UB:yjVPV1zUVyYRQ2hZmRJyG7Syl/6J1gTZ
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/Army Condensed.ttf
-
Size
88KB
-
MD5
4fc2a69c1a58a479ea501641463dd19f
-
SHA1
080a97a955cbff3ee9d88e9dea0fda58a9aba354
-
SHA256
68a898d8fc09b12bccb1606df2f48f184af82299f29767f6c3df24f29a2194b3
-
SHA512
ecea227664e8a301822099277b70b9b6264bbd381cf11aa62dfc261bd5b22d2c6d38245a5797a065ae877e88f8f8a8e5265131bcf5faab96fc6d746b3b253e4c
-
SSDEEP
1536:W8AwW6ZnpojFGojMHgacRAaDug2FmoaatdxrnUxwa:W8e6ZnejFTjMHgacRAaDug2FmoaaTxr6
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/Army Thin.ttf
-
Size
88KB
-
MD5
9c0996fba26512ad5120010e385e208d
-
SHA1
37a752173b71a3a3e27a7c6ac825b69db622fba4
-
SHA256
b00dd75d282e11a2067bb8341c9c2b4a1c2ae5db3029e584d92a4549fb784d48
-
SHA512
c9fca09824a7192afb128c1b9cfcb1bf0c7e39ad1a269ddb4b271a65f7cb0b4d0d8a155f5485e32dc8c036fee9bfe29f11e97399632132c47514adf893574ed7
-
SSDEEP
1536:R2o690qRKBuTRKBoxIddKOyjgUq867OrUsw+gpG5I/:j690qYBuTYBoxIddKOyjgUI7OrU4gpGC
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/BELL.TTF
-
Size
82KB
-
MD5
1c4ab54d66597df75ca60fdce4f7d5a1
-
SHA1
39fc668abe9b5e8d4434645f4c5ada1f738918ec
-
SHA256
986a5b8bb70238e3c896e3113ef581df26204131f72d59fc12d2deef7ef89e4c
-
SHA512
70338679f8968b780e032adb22091ad4be837e6fa55aeef22f01b0c49712bd5b1f218c0406459bc2dde9210dec8d607987eb921cc2e46bd42f6cd36c69d6e91a
-
SSDEEP
1536:tL///OJG0BlR+xVunsAYRzVvtkA43C8qbgrQPJpS0D6K:tTOJG0BlTnsAYRzV4Sx0rQPJpS0H
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/BELLB.TTF
-
Size
80KB
-
MD5
f37324d3575c7132e330af3c8f08da17
-
SHA1
1e14164f2bf6d6972744642d0a6c8afce4d6daa4
-
SHA256
dcc8d42eebbab6822f736a7b99e1c9d6ee6861b247a19049bb33e5955d991dde
-
SHA512
80e2daad5319c8a732bec4eb5b7b62fd88979638df98e104688dd9747f0f4089f5a68e61509ce0c7a7590e1c73ad4564a41e97b7a8dd16d12947daa48935f743
-
SSDEEP
1536:EIIZKRcnuonqV3nVbISbjFameCNLs6EzeJFE1bXzyjVNfpS0vH:qn9nW3VbXTesWyYFXzyjlS0f
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/BELLI.TTF
-
Size
80KB
-
MD5
ba1290cbcb6aaa574890480e1c6aaae8
-
SHA1
ebf24824518b4acd20e83f7b92d6544b9e14c43e
-
SHA256
17b6e7689e333fea42b19d817427cecf95b86a340bb0af5babba3ab25e6a1b40
-
SHA512
2660f026b7bf8c5901ece717775b56209ff23fb2662395944b102c70a2b3af8cb6147d48dd110435a3f3ab317110ce03bcd9c937119f5fd9b28425f7a0970268
-
SSDEEP
1536:5aKaWffRTcCt7D5WNOfWzz1as3HYGuMzDMPcYEcRSbS0q:hfFc0n5WNgWzpawhuM/9YEiSbS0q
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/BOD_BI.TTF
-
Size
83KB
-
MD5
5bb67e55de4ee82aff5585b7bc7df099
-
SHA1
30c29ebba4511f7ffb96bc056bfb6531229011f4
-
SHA256
9729e2ae73b15871db606a18a48b8674ce2bae35d76a511d3510c4a9db2385ef
-
SHA512
51e91ff81bf05e2cd05d0caaf81f8ce6742d7ef9b8f7857daad2bbad085f419d6773c1bd664f040bf0028f51139046bb23589c1c66c3c4065dfd34d246c64c84
-
SSDEEP
1536:j0mROXFT8UwUDH49fe7/jtYMXVT4FBMDbsJ4/RG2luywo60qdlnHy721Mslt6l2G:wnXp8UwUDY9fC0gTqy4DnSK1MsN9uELO
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/BOD_BLAI.TTF
-
Size
81KB
-
MD5
88223fea14008bf33f1bd87cedf7abb2
-
SHA1
470db15feb2f73f379ea47eccee748e011f4d36c
-
SHA256
29854f6597ca7b46db601c7a2eb28c13e31ee0541c7a5a499581fdee8da1b1d5
-
SHA512
5297d0ef901282ac1af31aa32abac416938e1a825a7f0e6258cdf43c075ec579f874f79303904f09428101151ca475e7e9f1c038c44468d278393806d7335119
-
SSDEEP
1536:KlawylA41hhpjLRFJDG1ZkydlzGJ6j+qCNEcoUgKK7:aawylAIHw1ZkyDG6jIoUC7
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/BOD_I.TTF
-
Size
87KB
-
MD5
cec8a6834241575dcafba6d7504d64b8
-
SHA1
3d412b305c3d93474c9fe02f60a049a9e87aeaab
-
SHA256
960458b4c0851b8b9f1d047fe50f7fa01ddfbecaec692521d262660882e9596a
-
SHA512
9a3e79f5a04e6f0794099788c07330b97c4ab31e95df745cea9d5e8cbc7dba2a01a04dc4cbc7b93fcd76a7d1240f073f256ec7d5a9ce08d62312b01d4fd10e78
-
SSDEEP
1536:4AxM2frzSwDp3Qe0hmIyz9TJyCh1qaoDR9nbZ1v6jZCSpxiOvHdlGDw2taRkvwGv:4ARzSwN3QTld9iUGRDGweskvwNWV/wEt
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/CALISTB.TTF
-
Size
83KB
-
MD5
d267423924483ddc3dbb9e4e94199d59
-
SHA1
08bedc20a8afa111d9fa609e723142b336a69940
-
SHA256
1b3949401e310a5967a4c108bb9be49e28e69f73095ad088f783035e8f22d28f
-
SHA512
998f246a21daa1fd8afe678d1f088a1fd0c14d9b779631c70fd7f0a670ce72a1fa1fccfb3d910b519522092ed2d272a6b1b0d56980f5d4ab284ce362b98bdee0
-
SSDEEP
1536:NN4whnJ2yG51+b9Qfxr25cdoHxQdt52qcYSC/MZyfrX:37nJ2PsbOfQamR252qZSxyfrX
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
fonts/CALISTBI.TTF
-
Size
82KB
-
MD5
b8178488b4decb255bd3094b320600ac
-
SHA1
315bf5a35ef284a71fd90f304767c8d90d6883cd
-
SHA256
9b9e45f016b013d92c3caf1985db22f85e39c8b1f208636f9ac21f9c135239ce
-
SHA512
3e98e8484ba5ac6c1475af24ae9ae55045511a46baf250ca36d4bb2b64e74b67e9b58a289572ee2609662685ab7218cf8fee200400a417a310bd7b82f47af1e6
-
SSDEEP
1536:fAsN4DofckwriM3kM+cGEGjmU+xXXXozKbR5ITHpfLR8eXHVBGgIuBoQPeV9pfrr:fT0oYiMURcGEF7x3EKfiZRrfGgIsPsD/
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-