General
- Target: GXPhmnNRPG_wynmove.js
- Size: 38KB
- Sample: 221025-ltrt8accb6
- MD5: 3dff90e5de574801e0a812ed337429eb
- SHA1: 1e0187f461e12cdc313640af5d5a82402f1fc121
- SHA256: 869125ed76969ba80597b88176721fe581d331a114f94e9906c8d152f7388ee3
- SHA512: b77867ed63406be2a6c084141062bec420e37ea3862efa363cd460f098cb7a7faf83bf3d76a3abb9fbd7a595bf4a5b45913d0774d6cb982af60db713c25e42fb
- SSDEEP: 768:j3hbrMfo56OPGgF7aM4gF8wsZ1va/a9zcHEdYHzePb:7tRsS7aMPCwsZ14a9zcH+IzePb
Static task: static1
Malware Config
Extracted
- Family: wannacry
- Path: C:\Users\Admin\Desktop\@Please_Read_Me@.txt
- Wallet: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Extracted
- Family: redline
- Botnet: Test123ND
- C2: 0.tcp.ngrok.io:11252
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: gameservice.ddns.net:4320
- Mutex: DC_MUTEX-WBUNVXD
- Attributes:
  - InstallPath: AudioDriver\taskhost.exe
  - gencode: EWSsWwgyJrUD
  - install: true
  - offline_keylogger: true
  - persistence: false
  - reg_key: AudioDriver
Extracted
- Family: wshrat
- C2: http://45.139.105.174:7670
Targets
- Target: GXPhmnNRPG_wynmove.js
- Size: 38KB
- MD5: 3dff90e5de574801e0a812ed337429eb
- SHA1: 1e0187f461e12cdc313640af5d5a82402f1fc121
- SHA256: 869125ed76969ba80597b88176721fe581d331a114f94e9906c8d152f7388ee3
- SHA512: b77867ed63406be2a6c084141062bec420e37ea3862efa363cd460f098cb7a7faf83bf3d76a3abb9fbd7a595bf4a5b45913d0774d6cb982af60db713c25e42fb
- SSDEEP: 768:j3hbrMfo56OPGgF7aM4gF8wsZ1va/a9zcHEdYHzePb:7tRsS7aMPCwsZ14a9zcH+IzePb
- Modifies WinLogon for persistence
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Winlogon Helper DLL (1)
- Registry Run Keys / Startup Folder (1)
- Hidden Files and Directories (1)
Defense Evasion
- Modify Registry (4)
- File Deletion (1)
- Virtualization/Sandbox Evasion (1)
- File Permissions Modification (1)
- Hidden Files and Directories (1)