General
Score: 7
Target: Warcracft III Reforged+Keygen+CD Keys.rar
Size: 30.2MB
Sample: 221024-zmn2msaeen
MD5: 03bf9239a1c35ef0f6f162180499167f
SHA1: b1921d4747ed0ca08ecb31dda5b57079dcd6085d
SHA256: 3c806eec38fc8565c942fe0a79331bf3215989d494bb3d5fa8d8057dcef58e03
SHA512: 6cd7a438a05c940649e8202e392318905e5785a0476a10388aa62081cdca2de9d9ede2045fb6fbabd116ad7b785b10c4970d0536fea8f945c5510db27c346273
SSDEEP: 786432:eQaNznirxs9+seaiiI0Ppr91OLvHh99br84AEEuDW:eQSzB9+sPiD0Pn1Uvh99brhTDW
Static task: static1

Behavioral tasks (task: sample, resource)
- behavioral1: -warcraft-tft-keygen-F82Z5I7.exe, win7-20220812-en
- behavioral2: -warcraft-tft-keygen-F82Z5I7.exe, win10v2004-20220901-en
- behavioral3: .............exe, win7-20220812-en
- behavioral4: .............exe, win10v2004-20220812-en
- behavioral5: Warcracft III Reforged/StarCraft-Setup.exe, win7-20220901-en
- behavioral6: Warcracft III Reforged/StarCraft-Setup.exe, win10v2004-20220812-en
- behavioral7: Warcracft III Reforged/Warcraft III Reforged™ Setup.exe, win7-20220812-en
- behavioral8: Warcracft III Reforged/Warcraft III Reforged™ Setup.exe, win10v2004-20220901-en
Malware Config
Extracted: redline
BirjNewAntibank2
79.137.197.136:23532
auth_value: a4e87a0b1505745bcd9e72d045f1ba5c
Targets

Target: -warcraft-tft-keygen-F82Z5I7.exe
Size: 9.5MB
MD5: a959e89b1669d9657223e0708e60edca
SHA1: 5e6113b81512f75f7138994a72e7d1152ebbab05
SHA256: fb3d286faee2cf6345988d4dd8c025688075e425a64c311439bed5d54461b0ab
SHA512: bb183aede190f9886d18ee002ffaae6e66e485a4f8d0123887e37b622c63685f35f7beda400ea4118770491e962a48d401e29e9ed64f584e30b02df367702aba
SSDEEP: 196608:AW6aE7Lojzz2jXtfoZ08YKvF0n3mOr0ikl8UuYOOKDHoazb9keDC:OZ7Lszz2jX6ixKvF0n2Oo8wEDPkf

- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Drops desktop.ini file(s)
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: .............exe
Size: 3.9MB
MD5: 1c9d03acc5ce4d1565e01418e2892087
SHA1: 345be215d0017d06a3934150105389730038fa69
SHA256: bdb03d50cba10bbbaea2409521c515d15f3e674e6ccabbadfec319bdc08cd1ea
SHA512: 1442ad0b3af4fddc1c6980426a25f6d2c4b033902b8cc42596ad0077385ca3d56e4fed4517a61fe4d5b5b185b34030196ac9c5dcc61d93fd48292aed2b7998e8
SSDEEP: 49152:gnHn5pXUXb6c9YuoHjAbDiYFpIDckO4iNQxgei6HQR9sXafgkDFMVR9C1UhPJXMS:45pEXOc9AH8FpQrDgeJrBiCV2HXq
Score: 10/10

- Suspicious use of NtCreateUserProcessOtherParentProcess
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Possible privilege escalation attempt
- Registers COM server for autorun
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: Warcracft III Reforged/StarCraft-Setup.exe
Size: 4.8MB
MD5: 0f66a5bbb9a1e750d98c9529d0a5f7d4
SHA1: 6d6ae5c4096c03a83e97f290ec5bbc55753b9ba7
SHA256: 527111caf8051bff0e019113faf2258b2fe5b8b7dae0e93b68d20d04ed19995a
SHA512: 331ea370cddeb2942ab3756338c74ad3ea988c5d1df840fa0e5ad94a08066a5d2c28a98ab0a1a7841f00850eacddce31e4f7871e96002f69d080e0c4668746b7
SSDEEP: 98304:djp5CzCWby2H8sh8nIKWc9fDmuqMR1GNe/GXh:r52r0fSuqHX
Score: 7/10

- Loads dropped DLL

Target: Warcracft III Reforged/Warcraft III Reforged™ Setup.exe
Size: 10.6MB
MD5: 69ed233958e8c23382060102217b22d4
SHA1: 5084e3104dd3da0b3614aba1e2d7c1357a9dcc14
SHA256: fcd4dd0cd7f49f879cb94cdb263af2ab149e1b817ce59b10a13db9f338f47cfa
SHA512: 5e157735442f1ed596a7faeea66ee5e5cd2f1546a036962f7d349e71196810fa07ff3201113a9f90db8878272099ab05d5e2be88efa0470e982c238bf382c272
SSDEEP: 196608:wuDdEGOylRlbMN34CJAk6t5/ooYzxVAruqZY/5slZSFOW6sqgCkujAnZZ:wqdxOqJQ4Xk6tivzzYNq5slcOBsbyjAf
Score: 7/10

- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL