General
- Target: ce3993c6502318bfad72fc090f838aa8d4a1b95014a9c44bd02719095d1ce173.bin
- Size: 275KB
- Sample: 221116-2s5yfshc3t
- MD5: 3e92acfb76900335c937d4c57222df54
- SHA1: 34d61562d48654f5d73a87bc5003f72c3480335d
- SHA256: ce3993c6502318bfad72fc090f838aa8d4a1b95014a9c44bd02719095d1ce173
- SHA512: 8869b5e10bfff1c25dcd3ce38d396db2cef826225aa962a62c6a32ef30e487adbe752c1bef7034256b87d2be1668c57d369c2498758f3274a6a058a83ab01c39
- SSDEEP: 6144:eZvwC/sOmk+PeYnkfsbn44Ax0jrwVfquS:erceekfE4xx0jd
Static task
- static1
Behavioral task
- behavioral1
  - Sample: ce3993c6502318bfad72fc090f838aa8d4a1b95014a9c44bd02719095d1ce173.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: ce3993c6502318bfad72fc090f838aa8d4a1b95014a9c44bd02719095d1ce173.exe
  - Resource: win10v2004-20220812-en
Malware Config
Extracted: vidar
- 55.7
- 1827
- https://t.me/deadftx
- https://www.ultimate-guitar.com/u/smbfupkuhrgc1
- profile_id: 1827
Extracted: redline
- srt
- 79.137.194.32:5050
- auth_value: aa909053b818f9a5d8a2020f5036f351
Extracted: raccoon
- d8f44b07b06da3a90ad87ebc9249718c
- http://79.137.205.87/
Extracted: vidar
- 55.7
- 1754
- https://t.me/deadftx
- https://www.ultimate-guitar.com/u/smbfupkuhrgc1
- profile_id: 1754
Targets
- DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext