General
Target: 6e57786483bbce691fe47bb58a694b604287491f5aef7680b707f13503d7d8d8.bin
Size: 269KB
Sample: 221116-zg4j5sch26
MD5: da26e014194bc09471cff4f7db14338c
SHA1: 18be68122a35c61906730719870d505be3a98e9e
SHA256: 6e57786483bbce691fe47bb58a694b604287491f5aef7680b707f13503d7d8d8
SHA512: 1a793d1ba4d01b0ac33229b2321c556d933097d44258de27c90ce0f6999d57acd34b885572a279d4d6d8b70732e21e773aa5854421d54adba28611b4e070c63d
SSDEEP: 3072:WXKp+4Ozq562I4CUAeJHk5UCrh5v2cNSI/ZZCKcs+MfCjM8vxshYM/h3qpZa9uDQ:+a+VoIX8k5x2cPZxV/CyhYrwVfX
Static task: static1
Behavioral task: behavioral1
  Sample: 6e57786483bbce691fe47bb58a694b604287491f5aef7680b707f13503d7d8d8.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6e57786483bbce691fe47bb58a694b604287491f5aef7680b707f13503d7d8d8.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: redline
  3m
  C2: jalocliche.xyz:81
  C2: chardhesha.xyz:81
  auth_value: e7297ca71163c923562e84cf53f5dc0e
Extracted: vidar
  Version: 55.7
  1827
  C2: https://t.me/deadftx
  C2: https://www.ultimate-guitar.com/u/smbfupkuhrgc1
  profile_id: 1827
Extracted: eternity
  C2: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Extracted: raccoon
  d8f44b07b06da3a90ad87ebc9249718c
  C2: http://79.137.205.87/
Extracted: asyncrat
  Version: Venom RAT 5.0.5
  Client6
  C2: 46.3.199.101:4449
  Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
  delay: 1
  install: true
  install_file: Windows Security Shell.exe
  install_folder: %AppData%
Targets
Target: 6e57786483bbce691fe47bb58a694b604287491f5aef7680b707f13503d7d8d8.bin
- Detects Amadey credential stealer module
- Detects Smokeloader packer
  No Amadey or Smokeloader config was extracted from this run, so treat these two as static packer/module heuristics rather than confirmed families; the five families with extracted configs are the confirmed ones.
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Async RAT payload
- Downloads MZ/PE file
- Executes dropped EXE
  Together with the multiple extracted configs this is consistent with a loader stage fetching and running separate payloads at runtime.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check that aborts on excluded locales.
- Uses the VBS compiler for execution
  vbc.exe, the .NET Visual Basic compiler, is a signed Microsoft binary commonly spawned as a host process for injected code.
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
  Persistence through a Run registry value; consistent with the asyncrat config above (install: true, install_file "Windows Security Shell.exe" under %AppData%).
- Legitimate hosting services abused for malware hosting/C2
  The vidar config above carries a Telegram link and an ultimate-guitar.com profile URL, which the stealer uses as dead drops for its real C2 address. Only the exact paths are indicators; the hosting domains themselves are benign and should not be blocked on this basis.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Setting another thread's context is the final step of process hollowing, used to start an injected payload inside a suspended legitimate process.
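The C2 values in the Malware Config section and the "Legitimate hosting services abused" signature are the actionable parts of this report. The following Python is an added example, not part of the sandbox output, that loads those indicators, normalises them, and matches constructed DNS and proxy log lines against them. It grades each hit so that the two Vidar dead-drop URLs only count as high confidence when the exact path is seen, while ordinary traffic to t.me or ultimate-guitar.com is reported as low confidence. The log line format, the client addresses, the SAMPLE_LOG contents and the SHARED_HOSTS set are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# C2 indicators copied from the "Malware Config" section of this report.
EXTRACTED_C2 = {
    "redline":  ["jalocliche.xyz:81", "chardhesha.xyz:81"],
    "vidar":    ["https://t.me/deadftx",
                 "https://www.ultimate-guitar.com/u/smbfupkuhrgc1"],
    "eternity": ["http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion"],
    "raccoon":  ["http://79.137.205.87/"],
    "asyncrat": ["46.3.199.101:4449"],
}

# Assumption: legitimate services that only host dead-drop pages (the Vidar
# profile URLs).  Contact with the host alone is not evidence of infection.
SHARED_HOSTS = {"t.me", "www.ultimate-guitar.com"}

CONF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Indicator:
    family: str
    raw: str
    host: str
    port: Optional[int]      # None when the indicator carries no port
    path: Optional[str]      # None for host-level indicators


@dataclass(frozen=True)
class Hit:
    client: str
    family: str
    confidence: str          # "high", "medium" or "low"
    indicator: str
    line: str


def _split_target(target: str):
    """Normalise a URL or host[:port] into (host, port, path)."""
    if "://" in target:
        u = urlsplit(target)
        path = u.path.rstrip("/") or None     # "" or "/" means the whole host
        return u.hostname, u.port, path
    host, _, port = target.partition(":")
    return host.lower(), (int(port) if port else None), None


def parse_indicator(family: str, raw: str) -> Indicator:
    host, port, path = _split_target(raw)
    return Indicator(family, raw, host, port, path)


INDICATORS = [parse_indicator(f, v) for f, vals in EXTRACTED_C2.items() for v in vals]

# Assumed log shape: "<timestamp> <dns|proxy> <client-ip> <verb> <target>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>dns|proxy)\s+(?P<client>\S+)"
                    r"\s+(?P<verb>\S+)\s+(?P<target>\S+)$")


def match_line(line: str) -> list:
    """Return one Hit per indicator whose host appears in the log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    host, port, path = _split_target(m["target"])
    hits = []
    for ind in INDICATORS:
        if ind.host != host:
            continue
        if ind.path is not None:
            # Path-specific indicator: only the exact dead-drop page counts.
            if path == ind.path:
                conf = "high"
            elif ind.host in SHARED_HOSTS:
                conf = "low"         # ordinary use of a legitimate service
            else:
                conf = "medium"
        elif ind.port is not None and port not in (None, ind.port):
            conf = "medium"          # right host, unexpected port
        else:
            conf = "high"            # C2 host, or host:port, seen exactly
        hits.append(Hit(m["client"], ind.family, conf, ind.raw, line.strip()))
    return hits


def scan(lines) -> list:
    return [h for line in lines for h in match_line(line)]


def summarize(hits) -> dict:
    """Best confidence per client and family: {client: {family: confidence}}."""
    best: dict = {}
    for h in hits:
        fams = best.setdefault(h.client, {})
        if CONF_RANK[h.confidence] > CONF_RANK.get(fams.get(h.family), -1):
            fams[h.family] = h.confidence
    return best


# Constructed telemetry for the demonstration; not from the sandbox run.
SAMPLE_LOG = """\
2022-11-16T10:01:02Z dns   10.0.0.5 A       jalocliche.xyz
2022-11-16T10:01:03Z proxy 10.0.0.5 CONNECT jalocliche.xyz:81
2022-11-16T10:01:10Z proxy 10.0.0.5 GET     https://t.me/deadftx
2022-11-16T10:01:11Z proxy 10.0.0.7 GET     https://t.me/durov
2022-11-16T10:01:20Z proxy 10.0.0.5 GET     https://www.ultimate-guitar.com/u/smbfupkuhrgc1
2022-11-16T10:01:25Z proxy 10.0.0.7 GET     https://www.ultimate-guitar.com/tab/foo-bar
2022-11-16T10:02:00Z proxy 10.0.0.5 POST    http://79.137.205.87/
2022-11-16T10:02:05Z proxy 10.0.0.5 CONNECT 46.3.199.101:4449
2022-11-16T10:02:06Z proxy 10.0.0.9 CONNECT 46.3.199.101:443
2022-11-16T10:03:00Z dns   10.0.0.7 A       www.microsoft.com
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.confidence:6} {h.family:9} {h.client:9} {h.indicator}")
    print(summarize(found))
```

Running it on the constructed log gives client 10.0.0.5 high-confidence hits for redline, vidar, raccoon and asyncrat, 10.0.0.7 only a low-confidence vidar note (it browsed t.me and ultimate-guitar.com but never the dead-drop paths), and 10.0.0.9 a medium-confidence asyncrat hit for reaching the C2 address on a port the config does not list. The eternity .onion address never appears in clearnet DNS or proxy logs, so that indicator is only useful against Tor-exit or host-based telemetry.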