General
Target: HEUR-Trojan-Spy.Win32.Fbkatz.gen-cfc689df6491.exe
Size: 765KB
Sample: 221112-rrfl3abd9w
MD5: 57c02a0959b93b5a87874a92b39604bc
SHA1: a9a27f5458c7f128f4e49e19e439047fa0189e9b
SHA256: cfc689df6491f5e7ff691170453230df1bed374d19fa8ac9e4e48770892f70f7
SHA512: c7294a4fbb4d2d1aaf94ef3c4f999726aacc00580a33c0adaadac7c76664c8ecc23d588fce5f91889b4cbb6683183b15837948ca91eb55c240873ff025bca1e4
SSDEEP: 12288:v+YWt/xf+OeO+OeNhBBhhBBOsdVrmykJpcHRQMRTFhu26loXKHEu4uLv78BtR5XL:v+YxKnJGbZ6HXv78BtR5XMBt6OHTbOHT
Behavioral task: behavioral1
Sample: HEUR-Trojan-Spy.Win32.Fbkatz.gen-cfc689df6491.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: HEUR-Trojan-Spy.Win32.Fbkatz.gen-cfc689df6491.exe
Resource: win10v2004-20220901-en
Malware Config
Extracted: redline
neruzki
193.106.191.22:47242
auth_value: be14ae67c6dd227f622680a27ea42452
Extracted: tofsee
svartalfheim.top
jotunheim.name
Extracted: redline
@andriii_f
185.173.36.94:31511
auth_value: 6eb1d25f0a98fab37914f41dd85e7bb0
Extracted: redline
new1112
jalocliche.xyz:81
chardhesha.xyz:81
auth_value: d92fcba8819ec720f4048de7be06a75d
Extracted: vidar
55.6
1679
https://t.me/seclab_new
https://raw.githubusercontent.com/sebekeloytfu/simple-bash-scripts/master/calculator.sh
profile_id: 1679
Extracted: nymaim
45.139.105.171
85.31.46.167
Extracted: redline
boy
77.73.134.241:4691
auth_value: a91fa8cc2cfaefc42a23c03faef44bd3
Extracted: redline
@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
151.80.89.233:13553
auth_value: fbee175162920530e6bf470c8003fa1a
Extracted: raccoon
dbffbdbc9786a5c270e6dd2d647e18ea
http://79.137.205.87/
Targets
Target: HEUR-Trojan-Spy.Win32.Fbkatz.gen-cfc689df6491.exe (765KB; hashes listed under General above)
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix ATT&CK v6
Persistence: Modify Existing Service (2), New Service (1), Registry Run Keys / Startup Folder (1), Scheduled Task (1)
Defense Evasion: Modify Registry (3), Disabling Security Tools (1), Virtualization/Sandbox Evasion (1), Scripting (1), Install Root Certificate (1)