Overview

overview

10

Static

static

vvv.exe

windows7-x64

10

vvv.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vvv.exe

  • Size

    241KB

  • Sample

    220918-2evkkagehm

  • MD5

    aca124c45a891c1ef397d8f417321b18

  • SHA1

    df65ba744946b458692d3b9e8a7c751f5ce4905d

  • SHA256

    f8d62ab41ce1346a6b65b18bab3b87d35143ccdcf680628738c22817987efd70

  • SHA512

    979ddbe803c338022650aec8c1c9f90dbb0285e1c1cafcd0c2061bbb4e9ea73b01ecae8ee24da109d943d8a935a26281b595d5aa08e8b47133b12f1094f458d8

  • SSDEEP

    6144:L7OMdwUrnuMego2pbulGRd63fU9U79ltVswVmv/8bD0N:L7OMd1rFslGGc9U7m

Score
10/10
redlineytstealercrypt_cryptexinfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

Crypt_Cryptex

C2

194.36.177.60:81

Attributes
  • auth_value

    695fd213fb1982a368936f037db38e54

Targets

    • Target

      vvv.exe

    • Size

      241KB

    • MD5

      aca124c45a891c1ef397d8f417321b18

    • SHA1

      df65ba744946b458692d3b9e8a7c751f5ce4905d

    • SHA256

      f8d62ab41ce1346a6b65b18bab3b87d35143ccdcf680628738c22817987efd70

    • SHA512

      979ddbe803c338022650aec8c1c9f90dbb0285e1c1cafcd0c2061bbb4e9ea73b01ecae8ee24da109d943d8a935a26281b595d5aa08e8b47133b12f1094f458d8

    • SSDEEP

      6144:L7OMdwUrnuMego2pbulGRd63fU9U79ltVswVmv/8bD0N:L7OMd1rFslGGc9U7m

    Score
    10/10
    redlineytstealercrypt_cryptexinfostealerspywarestealerupx

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • YTStealer

      YTStealer is a malware designed to steal YouTube authentication cookies.

      stealerytstealer

    • YTStealer payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks