General
-
Target
28279700ea94d813966f59c22789c85b.exe
-
Size
152KB
-
Sample
220926-leq95sbean
-
MD5
28279700ea94d813966f59c22789c85b
-
SHA1
93e05da209fb86c4bfa261e2d901730ec045130d
-
SHA256
b4b3e1a2ac1fc40f877c13268abdcc295f043c8bf8ce2886cf9cdab16fb81edd
-
SHA512
f815c349ccc452d8d7f27764e4f16b6a6ba78449b8efc81e6487965dbc78fcf922f4406cf8578bd55877cdce64ddcd26254f5da8023ec2b0bac74d62bdf2ced2
-
SSDEEP
3072:zfErG58pPwxe0MMRrDc8jsBxGBJjMS4B45x:APwcMtVsBxMOB
Static task
static1
Behavioral task
behavioral1
Sample
28279700ea94d813966f59c22789c85b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
28279700ea94d813966f59c22789c85b.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @mr_golds)
77.73.134.27:7161
-
auth_value
4b2de03af6b6ac513ac597c2e6c1ad51
Extracted
redline
@youlie_lzt
89.23.96.53:31875
-
auth_value
4d6a429b89f6e4f0b0ed2ed92c2fd492
Targets
-
-
Target
28279700ea94d813966f59c22789c85b.exe
-
Size
152KB
-
MD5
28279700ea94d813966f59c22789c85b
-
SHA1
93e05da209fb86c4bfa261e2d901730ec045130d
-
SHA256
b4b3e1a2ac1fc40f877c13268abdcc295f043c8bf8ce2886cf9cdab16fb81edd
-
SHA512
f815c349ccc452d8d7f27764e4f16b6a6ba78449b8efc81e6487965dbc78fcf922f4406cf8578bd55877cdce64ddcd26254f5da8023ec2b0bac74d62bdf2ced2
-
SSDEEP
3072:zfErG58pPwxe0MMRrDc8jsBxGBJjMS4B45x:APwcMtVsBxMOB
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-