General
Target: c72e4609d983d00a134de721f0bedb7e53ab8820ca9d5e8b3d0bf1f689df02d3
Size: 4.0MB
Sample: 221028-tan8zsgac4
MD5: 64337f7ed5dabf14a8d22d6579543016
SHA1: f744316d4a5d4c59c34bbac889a333d0e3e58e3d
SHA256: c72e4609d983d00a134de721f0bedb7e53ab8820ca9d5e8b3d0bf1f689df02d3
SHA512: 4c6522db0cadc8715e3b8b2cf3d35d979d74c401dfd6d72b3176f43252eab9f907d07885f1efd67bd3e6c7686d6107537ee23392c4a138ad85aee7201756587a
SSDEEP: 98304:JMG0rgsJ+jy5+wSDM7gbhbwt4wuOyCFfyDy9w1LQtQbQ9c/xX:JrjjyknOgFwtwOyWfyHIQbhp
Static task: static1
Behavioral task: behavioral1
  Sample: c72e4609d983d00a134de721f0bedb7e53ab8820ca9d5e8b3d0bf1f689df02d3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c72e4609d983d00a134de721f0bedb7e53ab8820ca9d5e8b3d0bf1f689df02d3.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: nullmixer
  http://motiwa.xyz/
Extracted: redline
  DomAni
  ergerr3.top:80
Extracted: tofsee
  svartalfheim.top
  jotunheim.name
Extracted: redline
  dzkey
  193.106.191.19:47242
  auth_value: 52a449fd61ad73c3abc266d47c699ceb
Extracted: redline
  1310
  79.137.192.57:48771
  auth_value: feb5f5c29913f32658637e553762a40e
Extracted: nymaim
  45.139.105.171
  85.31.46.167
Extracted: redline
  6.4
  103.89.90.61:34589
  auth_value: a7a3522462b1f9687c4ead2995816370
Extracted: redline
  Andriii_ff
  185.173.36.94:31511
  auth_value: 0318e100e6da39f286482d897715196b
Extracted: vidar
  55.3
  937
  https://t.me/slivetalks
  https://c.im/@xinibin420
  profile_id: 937
Extracted: redline
  new1028
  denestyenol.xyz:81
  exirdonanos.xyz:81
  auth_value: 66c880a01e6ecc352ab1447a048f2697
Extracted: redline
  LogsDiller Cloud (TG: @logsdillabot)
  51.89.201.21:7161
  auth_value: 3a050df92d0cf082b2cdaf87863616be
Targets
Target: c72e4609d983d00a134de721f0bedb7e53ab8820ca9d5e8b3d0bf1f689df02d3
  Size: 4.0MB
  MD5: 64337f7ed5dabf14a8d22d6579543016
  SHA1: f744316d4a5d4c59c34bbac889a333d0e3e58e3d
  SHA256: c72e4609d983d00a134de721f0bedb7e53ab8820ca9d5e8b3d0bf1f689df02d3
  SHA512: 4c6522db0cadc8715e3b8b2cf3d35d979d74c401dfd6d72b3176f43252eab9f907d07885f1efd67bd3e6c7686d6107537ee23392c4a138ad85aee7201756587a
  SSDEEP: 98304:JMG0rgsJ+jy5+wSDM7gbhbwt4wuOyCFfyDy9w1LQtQbQ9c/xX:JrjjyknOgFwtwOyWfyHIQbhp
Signatures
- Detect Fabookie payload
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Nirsoft
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic on the DNS port to servers other than the configured DNS servers was detected.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext