General
Target: 02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef
Size: 5.5MB
Sample: 221015-y8bsrsgbcr
MD5: b89e1c694a9b7d2dfe7556220fc5c4b8
SHA1: 7d63890f00ddc391797279d2eb68de1a746f4b3b
SHA256: 02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef
SHA512: 71cae5f99596325ca6cf2675c7f00c130d48d25fdda08ae1c3a0a3ca34a839b41c04087f4bee5fb170260ecd42233712abc7d2ccd00b352b629c6c992f1c54a7
SSDEEP: 98304:H2mfSTVQzk+x/cX4gmva9miyobp84qJGANGozaclJejWpdjOGfJ0InK+:7Sp+x/cX/dmiyq84gE9c6KpdXfmIj
Static task: static1
Behavioral task: behavioral1
  Sample: 02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: privateloader
  C2:
    http://163.123.143.4/proxies.txt
    http://107.182.129.251/server.txt
    pastebin.com/raw/A7dSG1te
    http://wfsdragon.ru/api/setStats.php
    163.123.143.12
    http://91.241.19.125/pub.php?pub=one
    http://sarfoods.com/index.php
  payload_url: https://vipsofts.xyz/files/mega.bmp
Extracted: raccoon
  ce21570f8b07f4e68bfb7f44917635b1
  C2:
    http://135.148.104.11/
    http://77.73.133.7/
Extracted: nymaim
  C2:
    45.15.156.54
    85.31.46.167
Extracted: redline
  nam6.2
  C2: 103.89.90.61:34589
  auth_value: 4040fe7c77de89cf1a6f4cebd515c54c
Extracted: redline
  141022_roz
  C2: europe.firstmillion.click:81
  auth_value: 5f7ee4b154c3bb6fe2606434552ee688
Extracted: redline
  Nigh
  C2: 80.66.87.20:80
  auth_value: dab8506635d1dc134af4ebaedf4404eb
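The extracted configurations above mix three shapes of endpoint: full URLs (PrivateLoader, Raccoon), bare IPs (Nymaim, one PrivateLoader entry), and host:port pairs (RedLine), plus one URL with the scheme stripped (pastebin.com/raw/...). Before these can be pushed to a blocklist or a detection rule they need to be normalised to host, port and role. The script below is an added example, not the sandbox's own tooling; the EXTRACTED_CONFIGS table is copied from the Malware Config block above, and the field names it uses (family, botnet, c2, auth_value, payload_url) are this script's own naming, not the sandbox's schema. The unlabelled strings from the report (nam6.2, 141022_roz, Nigh, the Raccoon hex string) are stored under "botnet" here as an assumption.

```python
"""Normalise extracted sandbox C2 configuration into a flat, defanged IOC list.

Added example for this report; not part of the sandbox or of any malware family's
own code. EXTRACTED_CONFIGS is copied from the Malware Config block above; the
key names are this script's own (assumed) naming, not the sandbox's schema.
"""
import ipaddress
import re
from urllib.parse import urlsplit

EXTRACTED_CONFIGS = [
    {"family": "privateloader",
     "c2": ["http://163.123.143.4/proxies.txt",
            "http://107.182.129.251/server.txt",
            "pastebin.com/raw/A7dSG1te",
            "http://wfsdragon.ru/api/setStats.php",
            "163.123.143.12",
            "http://91.241.19.125/pub.php?pub=one",
            "http://sarfoods.com/index.php"],
     "payload_url": ["https://vipsofts.xyz/files/mega.bmp"]},
    # "botnet" for raccoon/redline is an assumed label for the report's unlabelled strings
    {"family": "raccoon", "botnet": "ce21570f8b07f4e68bfb7f44917635b1",
     "c2": ["http://135.148.104.11/", "http://77.73.133.7/"]},
    {"family": "nymaim", "c2": ["45.15.156.54", "85.31.46.167"]},
    {"family": "redline", "botnet": "nam6.2", "c2": ["103.89.90.61:34589"],
     "auth_value": "4040fe7c77de89cf1a6f4cebd515c54c"},
    {"family": "redline", "botnet": "141022_roz", "c2": ["europe.firstmillion.click:81"],
     "auth_value": "5f7ee4b154c3bb6fe2606434552ee688"},
    {"family": "redline", "botnet": "Nigh", "c2": ["80.66.87.20:80"],
     "auth_value": "dab8506635d1dc134af4ebaedf4404eb"},
]

# bare "host:port" as emitted for RedLine C2s (no scheme, no path)
_HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


def parse_endpoint(value):
    """Return (kind, host, port, path) for one raw config string.

    kind is 'url' (scheme present or scheme-less URL with a path),
    'hostport' (RedLine style) or 'host' (bare IP/hostname, port unknown).
    """
    value = value.strip()
    if "://" in value:
        parts = urlsplit(value)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return "url", parts.hostname, port, parts.path or "/"
    m = _HOSTPORT.match(value)
    if m:
        return "hostport", m.group("host"), int(m.group("port")), None
    if "/" in value:  # scheme-less URL such as pastebin.com/raw/...; assume http
        host, _, path = value.partition("/")
        return "url", host, 80, "/" + path
    return "host", value, None, None


def is_ip(host):
    """True for a literal IPv4/IPv6 address, False for a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def defang(value):
    """Make an indicator safe to paste into tickets/chat (hxxp, [.])."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def normalise(configs):
    """Flatten configs into a de-duplicated list of IOC records.

    De-duplication key is (family, host, port) so the same C2 reported twice
    for one family is listed once, while reuse across families is kept.
    """
    seen, out = set(), []
    for cfg in configs:
        for field in ("c2", "payload_url"):
            for raw in cfg.get(field, []):
                kind, host, port, path = parse_endpoint(raw)
                key = (cfg["family"], host, port)
                if key in seen:
                    continue
                seen.add(key)
                out.append({"family": cfg["family"], "botnet": cfg.get("botnet"),
                            "host": host, "port": port, "path": path, "kind": kind,
                            "host_type": "ip" if is_ip(host) else "domain",
                            "role": "payload" if field == "payload_url" else "c2",
                            "defanged": defang(raw)})
    return out


if __name__ == "__main__":
    for ioc in normalise(EXTRACTED_CONFIGS):
        print(f"{ioc['family']:<14}{ioc['role']:<8}{ioc['host_type']:<7}"
              f"{ioc['host']}:{ioc['port'] or '?'}  {ioc['defanged']}")
```

Two practical points the output makes visible: the bare-IP entries (Nymaim and 163.123.143.12) carry no port, so a network rule for them has to be IP-only rather than IP:port, and the pastebin.com and 80.66.87.20:80 entries are a reminder that host-level blocking of shared infrastructure (a paste site, port 80 on a reused IP) needs the path or the family context to avoid false positives.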
Targets
Target: 02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef
Size: 5.5MB
(MD5, SHA1, SHA256, SHA512 and SSDEEP are identical to the values in the General section above.)
Signatures
DcRat: DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
Detects Smokeloader packer
PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Uses the VBS compiler for execution
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory