General
-
Target
https://github.com/Matteo204/Hwid-Spoofer-Apex-Legends-Valorant-Warzone-Rust-Spoofer/blob/main/Spoofer%20Project%20Cocoainad/YosifSpoofe%20Game%E2%80%AEnls..scr
-
Sample
221028-t5wasagehk
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Matteo204/Hwid-Spoofer-Apex-Legends-Valorant-Warzone-Rust-Spoofer/blob/main/Spoofer%20Project%20Cocoainad/YosifSpoofe%20Game%E2%80%AEnls..scr
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
https://github.com/Matteo204/Hwid-Spoofer-Apex-Legends-Valorant-Warzone-Rust-Spoofer/blob/main/Spoofer%20Project%20Cocoainad/YosifSpoofe%20Game%E2%80%AEnls..scr
Resource
win10v2004-20220812-en
Malware Config
Extracted
asyncrat
0.5.7B
SecurityHealthSeurvice
217.64.31.3:8437
SecurityHealthSeurvice
-
delay
3
-
install
false
-
install_file
SecurityHealthSeurvice.exe
-
install_folder
%AppData%
Extracted
redline
dEFENDER
20.19.164.86:22616
Extracted
asyncrat
0.5.7B
System Guard Runtime
85.105.88.221:2531
System Guard Runtime
-
delay
3
-
install
false
-
install_file
System Guard Runtime
-
install_folder
%AppData%
Targets
-
-
Target
https://github.com/Matteo204/Hwid-Spoofer-Apex-Legends-Valorant-Warzone-Rust-Spoofer/blob/main/Spoofer%20Project%20Cocoainad/YosifSpoofe%20Game%E2%80%AEnls..scr
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-