General
- Target: 8df3fc31864f4287b6d32c45abceca88434faffbfd21b04a44e23bead8fc8a67
- Size: 164KB
- Sample: 221117-j7wzzsea24
- MD5: 23a098ef3d64c214c48c59c2a73ccaa6
- SHA1: 307f90cdf7cfd6abd1fad4c32428db1decc84d16
- SHA256: 8df3fc31864f4287b6d32c45abceca88434faffbfd21b04a44e23bead8fc8a67
- SHA512: 931bf3fa7fe012e412bd1f174b1af0b0c217ac2d60ce17aaa18782a0a896320a5f7207a8e3f9e7b8e1a7e0d7daa702f66e2cc2ce13d334be8f2e094b2d2b6815
- SSDEEP: 3072:wg+kKPTPk6mAY3kjt5LRsP8JrLWMpz15AiVXhhROmcSbEcN8gYu9Wk6DuD:nqpml3yRsP8JrfpZ5FXhhRgGNVt
Static task: static1
Behavioral task: behavioral1
- Sample: 8df3fc31864f4287b6d32c45abceca88434faffbfd21b04a44e23bead8fc8a67.exe
- Resource: win10-20220812-en
Malware Config
Extracted: vidar
- 55.7
- 1827
- https://t.me/deadftx
- https://www.ultimate-guitar.com/u/smbfupkuhrgc1
- profile_id: 1827
Extracted: eternity
- http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Targets
- Target: 8df3fc31864f4287b6d32c45abceca88434faffbfd21b04a44e23bead8fc8a67
- Size: 164KB
- MD5: 23a098ef3d64c214c48c59c2a73ccaa6
- SHA1: 307f90cdf7cfd6abd1fad4c32428db1decc84d16
- SHA256: 8df3fc31864f4287b6d32c45abceca88434faffbfd21b04a44e23bead8fc8a67
- SHA512: 931bf3fa7fe012e412bd1f174b1af0b0c217ac2d60ce17aaa18782a0a896320a5f7207a8e3f9e7b8e1a7e0d7daa702f66e2cc2ce13d334be8f2e094b2d2b6815
- SSDEEP: 3072:wg+kKPTPk6mAY3kjt5LRsP8JrLWMpz15AiVXhhROmcSbEcN8gYu9Wk6DuD:nqpml3yRsP8JrfpZ5FXhhRgGNVt
Signatures
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger