General
-
Target
5903b4d5a7cbd5816d4a9128cb69570b.exe
-
Size
1.4MB
-
Sample
221109-x3scwsbec2
-
MD5
5903b4d5a7cbd5816d4a9128cb69570b
-
SHA1
2180d6f65a664f71c85762a3c4c5db7163b66c73
-
SHA256
e7f968d64655db242cdc6330cf399c3b5e635b63b2ba734d5e2c2eee5986e9be
-
SHA512
86b0b6c80562cfec59b73562ce37bc51cc49521f1e2feca728f172377c9f5b645e8e66dd99756c0aef86dfd1380d71ff2f51fd755839e6f3dcd5f063519a8b40
-
SSDEEP
24576:9jahaFL5GiByK/RMAs5WHi044+yO0VrVdvGUhdVlfNukuc5WEnzW/GC1eR9rmAzd:9+h2L5GiByK/+Azi04nyrVrnzblfkhgb
Static task
static1
Behavioral task
behavioral1
Sample
5903b4d5a7cbd5816d4a9128cb69570b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
5903b4d5a7cbd5816d4a9128cb69570b.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
-
payload_urls
https://raroford3242.xyz/myupdate.exe
https://raroford3242.xyz/Sklmsstregens.vbs, https://raroford3242.xyz/remcexecrypt.exe, https://raroford3242.xyz/redlcryp.exe, https://raroford3242.xyz/racoocry.exe
https://raroford3242.xyz/myupdate.exe
https://raroford3242.xyz/myupdate.exe
Extracted
remcos
RemoteHost
157.90.145.151:1441
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
onhyxlqy.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
gftlbusy-PLYPFW
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
redline
157.90.145.151:14075
-
auth_value
197a8d2e248bee4495c3db7cbfdf6d3d
Targets
-
-
Target
5903b4d5a7cbd5816d4a9128cb69570b.exe
-
Size
1.4MB
-
MD5
5903b4d5a7cbd5816d4a9128cb69570b
-
SHA1
2180d6f65a664f71c85762a3c4c5db7163b66c73
-
SHA256
e7f968d64655db242cdc6330cf399c3b5e635b63b2ba734d5e2c2eee5986e9be
-
SHA512
86b0b6c80562cfec59b73562ce37bc51cc49521f1e2feca728f172377c9f5b645e8e66dd99756c0aef86dfd1380d71ff2f51fd755839e6f3dcd5f063519a8b40
-
SSDEEP
24576:9jahaFL5GiByK/RMAs5WHi044+yO0VrVdvGUhdVlfNukuc5WEnzW/GC1eR9rmAzd:9+h2L5GiByK/+Azi04nyrVrnzblfkhgb
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-