General
-
Target
c7fc20c01100e5b4caccbf3bd1a6b06155c74d9b34bd237b8a8c9e5ed1e11fb7
-
Size
1.3MB
-
Sample
221005-nhpa3aedcl
-
MD5
c88a42556d57f53bca0d78e1add0ec7d
-
SHA1
f95845e0ba60dcabc821ffff41a2a69e532a63e4
-
SHA256
c7fc20c01100e5b4caccbf3bd1a6b06155c74d9b34bd237b8a8c9e5ed1e11fb7
-
SHA512
6aec4b8cd848c2831fe09a3c945a3024425c623d99d2b4f7979e2de5ccaab80a1213f46dea1e8d55fbdfcf6d6ee397c55d0b636830e3557f651578ef58bb8024
-
SSDEEP
24576:18kH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:1hHZ5MMpoJOp+MIVai7Tq24GjdGS
Behavioral task
behavioral1
Sample
c7fc20c01100e5b4caccbf3bd1a6b06155c74d9b34bd237b8a8c9e5ed1e11fb7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c7fc20c01100e5b4caccbf3bd1a6b06155c74d9b34bd237b8a8c9e5ed1e11fb7.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
-
payload_urls
http://panel.clientarea.host/1/w99.exe
http://ndmit.com/test/401.exe, http://ndmit.com/test/0078.exe
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ReadMe.txt
http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?401OYJTDOYJ
https://yip.su/2QstD5
Extracted
redline
0078
78.47.93.94:6083
-
auth_value
ab8b122b08ded264f18e29cf12135ad5
Extracted
C:\odt\ReadMe.txt
http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?401DFGIKLNP
https://yip.su/2QstD5
Targets
-
-
Target
c7fc20c01100e5b4caccbf3bd1a6b06155c74d9b34bd237b8a8c9e5ed1e11fb7
-
Size
1.3MB
-
MD5
c88a42556d57f53bca0d78e1add0ec7d
-
SHA1
f95845e0ba60dcabc821ffff41a2a69e532a63e4
-
SHA256
c7fc20c01100e5b4caccbf3bd1a6b06155c74d9b34bd237b8a8c9e5ed1e11fb7
-
SHA512
6aec4b8cd848c2831fe09a3c945a3024425c623d99d2b4f7979e2de5ccaab80a1213f46dea1e8d55fbdfcf6d6ee397c55d0b636830e3557f651578ef58bb8024
-
SSDEEP
24576:18kH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:1hHZ5MMpoJOp+MIVai7Tq24GjdGS
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-