General
Target: 26f3ab3022c32610a89a7299d0074351.exe
Size: 5MB
Sample: 221115-q5tkeaaa4z
MD5: 26f3ab3022c32610a89a7299d0074351
SHA1: b5937933f35fe44805887dcee9488b60f0ef8493
SHA256: 3c4f456e84a4b82254480d17bd6db4c0a9ae6259e085b362b10183a82956d1ba
SHA512: 05901445ac3b15e09e9c452979496542c8a61a64a0deb1560868cae3d86ba39d8f9ab9e30f7859db3548d6368f6fbe078646f6e5981b8730ae9160eacc9e4fb4
SSDEEP: 98304:dIRDHjQTy8c7ZKwF0nI9D6HKM8dG70bpAf:dIRH8cvOJmG7epAf
Behavioral task: behavioral1
Sample: 26f3ab3022c32610a89a7299d0074351.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 26f3ab3022c32610a89a7299d0074351.exe
Resource: win10v2004-20220812-en
Malware Config
Configurations extracted from the payloads this sample drops (values as reported). The Vidar entries are profiles on legitimate services from which the stealer fetches its real C2 (see the "Legitimate hosting services abused for malware hosting/C2" signature below), so the full URL, not the hosting domain, is the indicator.

Extracted: privateloader
  208.67.104.60

Extracted: tofsee
  svartalfheim.top
  jotunheim.name

Extracted: vidar
  55.7
  937
  https://t.me/deadftx
  https://www.ultimate-guitar.com/u/smbfupkuhrgc1
  profile_id: 937

Extracted: redline
  boy
  77.73.134.241:4691
  auth_value: a91fa8cc2cfaefc42a23c03faef44bd3

Extracted: nymaim
  45.139.105.171
  85.31.46.167

Extracted: redline
  neruz
  193.106.191.27:47242
  auth_value: 0169a8759f3c9be473f782b96a6ff704

Extracted: redline
  @andriii_ff
  185.173.36.94:31511
  auth_value: 525a7ad8080b3552f2f7735af7644111
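One way to turn the extracted configurations above into a detection, as an added example that is not part of the original report: the indicators are copied verbatim from the Malware Config section, while the log line formats and the sample log itself are constructed for the example. RedLine endpoints are matched as exact host:port pairs (the same address on another port is reported at lower confidence), PrivateLoader and Nymaim on address alone since no port was reported, Tofsee on domain including subdomains, and Vidar on the exact profile URL so that ordinary t.me or ultimate-guitar.com traffic is not flagged.

```python
"""Match the C2 indicators extracted from this sample against connection, DNS and HTTP logs."""
import re

# Indicators copied from the Malware Config section of this report.
# RedLine reports host:port pairs, so those are matched exactly.
REDLINE_C2 = {
    "77.73.134.241:4691": "redline/boy",
    "193.106.191.27:47242": "redline/neruz",
    "185.173.36.94:31511": "redline/@andriii_ff",
}
# Same addresses on any other port: still worth a look, but lower confidence.
REDLINE_IP = {k.split(":")[0]: v for k, v in REDLINE_C2.items()}
# Families whose config carried only an address (no port): match on the address.
C2_IP = {
    "208.67.104.60": "privateloader",
    "45.139.105.171": "nymaim",
    "85.31.46.167": "nymaim",
}
C2_DOMAIN = {"svartalfheim.top": "tofsee", "jotunheim.name": "tofsee"}
# Vidar fetches its real C2 from profiles on legitimate sites, so the indicator is
# the exact URL. Matching t.me or ultimate-guitar.com as a domain would be noise.
C2_URL = {
    "https://t.me/deadftx": "vidar",
    "https://www.ultimate-guitar.com/u/smbfupkuhrgc1": "vidar",
}

# Log formats are assumptions (constructed for this example):
#   "<ts> <src>:<sport> -> <dst>:<dport> tcp", "<ts> <src> dns <name>",
#   "<ts> <src> http <method> <url>".
CONN_RE = re.compile(r"^(\S+) ([\d.]+):\d+ -> ([\d.]+):(\d+) tcp$")
DNS_RE = re.compile(r"^(\S+) ([\d.]+) dns (\S+)$")
HTTP_RE = re.compile(r"^(\S+) ([\d.]+) http \S+ (\S+)$")


def match_line(line):
    """Return (src_host, family, indicator) when a log line hits an indicator, else None."""
    m = CONN_RE.match(line)
    if m:
        _, src, dst, port = m.groups()
        endpoint = f"{dst}:{port}"
        if endpoint in REDLINE_C2:
            return (src, REDLINE_C2[endpoint], endpoint)
        if dst in REDLINE_IP:
            return (src, REDLINE_IP[dst] + " (ip only, port differs)", dst)
        if dst in C2_IP:
            return (src, C2_IP[dst], dst)
        return None
    m = DNS_RE.match(line)
    if m:
        _, src, name = m.groups()
        name = name.rstrip(".").lower()
        for domain, family in C2_DOMAIN.items():
            # catch subdomains of the listed names as well
            if name == domain or name.endswith("." + domain):
                return (src, family, domain)
        return None
    m = HTTP_RE.match(line)
    if m:
        _, src, url = m.groups()
        url = url.rstrip("/")
        if url in C2_URL:
            return (src, C2_URL[url], url)
    return None


def infected_hosts(lines):
    """Map each source host to the set of families its traffic matched."""
    hosts = {}
    for line in lines:
        hit = match_line(line)
        if hit:
            src, family, _ = hit
            hosts.setdefault(src, set()).add(family)
    return hosts


# Constructed sample log; not traffic captured from this sample.
SAMPLE_LOG = [
    "2022-11-15T10:01:02Z 10.0.0.5:51234 -> 77.73.134.241:4691 tcp",
    "2022-11-15T10:01:05Z 10.0.0.5 dns svartalfheim.top",
    "2022-11-15T10:01:09Z 10.0.0.5 http GET https://t.me/deadftx",
    "2022-11-15T10:02:00Z 10.0.0.7 http GET https://t.me/some_unrelated_channel",
    "2022-11-15T10:02:30Z 10.0.0.9:40000 -> 208.67.104.60:80 tcp",
    "2022-11-15T10:03:00Z 10.0.0.7:40001 -> 77.73.134.241:443 tcp",
]

if __name__ == "__main__":
    for host, families in sorted(infected_hosts(SAMPLE_LOG).items()):
        print(host, sorted(families))
```

A host that matches several families at once (10.0.0.5 in the constructed log) is consistent with this sample's behaviour as a loader that drops multiple payloads; the Vidar profile URLs rotate, so they should be treated as short-lived indicators compared with the RedLine host:port pairs.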
Targets
Target: 26f3ab3022c32610a89a7299d0074351.exe (5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Signatures
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
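The registry-based signatures above (VirtualBox ACPI values, BIOS information, country code, Uninstall entries, Run key) are individually common in benign software; what makes them useful is several of them stacking in one process before it persists. The following is an added example, not the sandbox's own signature logic, that scores a process trace on that stacking. The registry key paths in the rules are assumptions about where these signatures typically fire (the report names only the signatures, not the keys), and the trace lines are constructed in the shape a sandbox API monitor produces. Note that Sysmon only records registry writes, so the read-based rules need an API trace or EDR telemetry, not Sysmon events.

```python
"""Flag processes that chain the registry recon and persistence behaviours listed above."""
import re
from collections import defaultdict

# Which registry API calls count as reads vs writes in the trace.
READ_OPS = {"RegOpenKeyEx", "RegQueryValueEx", "RegEnumKeyEx", "RegEnumValue"}
WRITE_OPS = {"RegSetValueEx", "RegCreateKeyEx"}

# (signature name as shown in the report, access kind, key pattern).
# The key paths are assumptions about where these sandbox signatures usually fire;
# the report itself names only the signatures, not the keys.
RULES = [
    ("Identifies VirtualBox via ACPI registry values", "read",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry", "read",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)),
    ("Checks computer location settings", "read",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Checks installed software on the system", "read",
     re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("Adds Run key to start application", "write",
     re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)),
]


def parse_event(line):
    """Trace line format (constructed for this example): '<pid> <image> <api> <key path>'."""
    pid, image, api, key = line.split(" ", 3)
    kind = "read" if api in READ_OPS else "write" if api in WRITE_OPS else None
    return int(pid), image, kind, key


def signatures_per_process(lines):
    """Collect the distinct signatures each (pid, image) triggers."""
    hits = defaultdict(set)
    for line in lines:
        pid, image, kind, key = parse_event(line)
        if kind is None:
            continue
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(key):
                hits[(pid, image)].add(name)
    return dict(hits)


def flagged_processes(lines, min_signatures=3):
    """Processes combining at least min_signatures distinct behaviours.

    One lookup alone is normal (installers enumerate Uninstall, the shell reads the
    Geo/Nation value); several in one process is the stacking typical of a loader
    that fingerprints the host before persisting.
    """
    return {proc: sorted(sigs) for proc, sigs in signatures_per_process(lines).items()
            if len(sigs) >= min_signatures}


# Constructed trace in the shape a sandbox API monitor produces; not output from this report.
SAMPLE_TRACE = [
    r"1204 26f3ab3022c32610a89a7299d0074351.exe RegQueryValueEx HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"1204 26f3ab3022c32610a89a7299d0074351.exe RegOpenKeyEx HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"1204 26f3ab3022c32610a89a7299d0074351.exe RegQueryValueEx HKCU\Control Panel\International\Geo\Nation",
    r"1204 26f3ab3022c32610a89a7299d0074351.exe RegEnumKeyEx HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"1204 26f3ab3022c32610a89a7299d0074351.exe RegSetValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"2088 explorer.exe RegQueryValueEx HKCU\Control Panel\International\Geo\Nation",
    r"2088 explorer.exe RegQueryValueEx HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
    r"3012 setup.exe RegEnumKeyEx HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
]

if __name__ == "__main__":
    for (pid, image), sigs in flagged_processes(SAMPLE_TRACE).items():
        print(pid, image, sigs)
```

With the default threshold of three distinct signatures, only the sample's process is flagged in the constructed trace; explorer.exe, which reads both the BIOS product name and the country code, stays below it. Lowering the threshold to two trades that false positive for earlier detection, so tune it against your own baseline of benign traces.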
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence:
  New Service (1)
  Modify Existing Service (1)
  Registry Run Keys / Startup Folder (1)
  Scheduled Task (1)
Defense Evasion:
  Virtualization/Sandbox Evasion (1)
  Scripting (1)
  Modify Registry (2)
  Install Root Certificate (1)