General
Target: 0f1dee01d2a2e6a6c562213166f280c9588e18ff451fa133df97d5a78fb64c55
Size: 4.4MB
Sample: 221028-s9yq2agab9
MD5: ad9f15afa8ff9044a73b5a9b5d7f9391
SHA1: 7668d0efde9c23e767820d61667657ba95510f1d
SHA256: 0f1dee01d2a2e6a6c562213166f280c9588e18ff451fa133df97d5a78fb64c55
SHA512: 6280bd41500bd196162f5dd0bfdc17aa94e0e53fc028e43d16cd1d322966fb145fdf6d0999bf243019ffaa7cb8e03e94d5ebfcaed23cd33e21923046007a98e0
SSDEEP: 98304:xcrrnqoHZWw7nRWDDJdHqjq+XjX/dNV4n9bbiLXdbCvLUBsKKAIW9:xcrTFF7RWDXAxvG9qLOLUCKpIW9
Static task: static1
Behavioral task: behavioral1
  Sample: 0f1dee01d2a2e6a6c562213166f280c9588e18ff451fa133df97d5a78fb64c55.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0f1dee01d2a2e6a6c562213166f280c9588e18ff451fa133df97d5a78fb64c55.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: nullmixer
  http://motiwa.xyz/
Extracted: redline
  DomAni
  ergerr3.top:80
Extracted: vidar
  39.4
  706
  https://sergeevih43.tumblr.com/
  profile_id: 706
Extracted: redline
  dzkey
  193.106.191.19:47242
  auth_value: 52a449fd61ad73c3abc266d47c699ceb
Extracted: tofsee
  svartalfheim.top
  jotunheim.name
Extracted: nymaim
  45.139.105.171
  85.31.46.167
Targets
Target: 0f1dee01d2a2e6a6c562213166f280c9588e18ff451fa133df97d5a78fb64c55 (4.4MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
Signatures:
- Detect Fabookie payload
- Detects Smokeloader packer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Nirsoft
- Vidar Stealer
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic on the DNS port to servers other than the configured DNS servers was detected.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
  Modify Existing Service: 2
  New Service: 1
  Registry Run Keys / Startup Folder: 1
Defense Evasion
  Modify Registry: 3
  Disabling Security Tools: 1
  Scripting: 1
  Install Root Certificate: 1