8233f95c87f...31.exe
windows7-x64
8233f95c87f...31.exe
windows10-2004-x64
82d8ea1230d...aa.exe
windows7-x64
102d8ea1230d...aa.exe
windows10-2004-x64
1034dba85bb2...1a.exe
windows7-x64
834dba85bb2...1a.exe
windows10-2004-x64
8463d0b0903...ea.exe
windows7-x64
1463d0b0903...ea.exe
windows10-2004-x64
14bcf45bde8...39.exe
windows7-x64
14bcf45bde8...39.exe
windows10-2004-x64
15292b8004f...ce.exe
windows7-x64
105292b8004f...ce.exe
windows10-2004-x64
106babc5b52d...53.dll
windows7-x64
16babc5b52d...53.dll
windows10-2004-x64
185b73b7b3c...45.exe
windows7-x64
1085b73b7b3c...45.exe
windows10-2004-x64
108eb41b097a...ff.exe
windows7-x64
88eb41b097a...ff.exe
windows10-2004-x64
8932380926b...ef.exe
windows7-x64
5932380926b...ef.exe
windows10-2004-x64
89d8729b9ca...de.exe
windows7-x64
109d8729b9ca...de.exe
windows10-2004-x64
89e147a3bb2...53.dll
windows7-x64
19e147a3bb2...53.dll
windows10-2004-x64
1bccfdc8e1a...96.exe
windows7-x64
7bccfdc8e1a...96.exe
windows10-2004-x64
7bf5a9bb619...d7.exe
windows7-x64
1bf5a9bb619...d7.exe
windows10-2004-x64
1d0017384df...0a.exe
windows7-x64
1d0017384df...0a.exe
windows10-2004-x64
1d72aa8fe30...89.exe
windows7-x64
10d72aa8fe30...89.exe
windows10-2004-x64
10General
-
Target
8547977480.zip
-
Size
34.2MB
-
Sample
221203-wg4ncscc33
-
MD5
2d80845d65f702b4c692e75b67f04b7a
-
SHA1
3aecbf1263d599dc24fe3c92bcad4c41e23bc955
-
SHA256
649c75d99b6d8e237d8a8d0142796fcbfa7381674628201f474b58039144ec2a
-
SHA512
9e2e77b037b815b660403aa9edfe9911301aed7fdd056a3a8b5ac7c229ff25b723acfc41d1d2d59aa8e0268564bce3d854dd9dae3e49917c4b294c1b08a695b6
-
SSDEEP
786432:dSwjjNxcsSEy6TYX9I9g56wCjlup1pGmlECm9S6N6zZ0cESSNU:dSUN+s81gwC+1pG4WS6Y0cNSe
Behavioral task
behavioral1
Sample
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a.exe
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea.exe
Resource
win7-20220901-en
Behavioral task
behavioral8
Sample
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39.exe
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce.exe
Resource
win7-20220901-en
Behavioral task
behavioral12
Sample
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853.dll
Resource
win7-20220812-en
Behavioral task
behavioral14
Sample
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45.exe
Resource
win7-20220812-en
Behavioral task
behavioral16
Sample
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral17
Sample
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
Resource
win7-20221111-en
Behavioral task
behavioral18
Sample
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Resource
win7-20221111-en
Behavioral task
behavioral20
Sample
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Resource
win7-20220901-en
Behavioral task
behavioral22
Sample
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753.dll
Resource
win7-20221111-en
Behavioral task
behavioral24
Sample
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral25
Sample
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296.exe
Resource
win7-20221111-en
Behavioral task
behavioral26
Sample
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral27
Sample
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7.exe
Resource
win7-20220812-en
Behavioral task
behavioral28
Sample
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral29
Sample
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a.exe
Resource
win7-20220812-en
Behavioral task
behavioral30
Sample
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489.exe
Resource
win7-20221111-en
Behavioral task
behavioral32
Sample
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
redline
nam6.1
103.89.90.61:34589
-
auth_value
5a3c8b8880f6d03e2acaaa0ba12776e3
Extracted
privateloader
208.67.104.60
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
-
payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
Extracted
raccoon
bd3a3a503834ef8e836d8a99d1ecff54
http://77.73.133.7/
Targets
-
-
Target
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231
-
Size
3.5MB
-
MD5
d0c77a8d28ac7ed062de16103b7b7a9e
-
SHA1
2aff43098626864c0bbb1ab5463683321b54cdcd
-
SHA256
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231
-
SHA512
05d6e0f5d3677e1cc268ecc1ad3d5e1b7925f61bfa0e91516805d19b44a776fc7bad0725809109ab62b73916d5bc92a09e22d8f4fdfa3e191347c2ba066a7120
-
SSDEEP
49152:bDLaXbiwy/9Zxi9wrxqeMho8OYetIqRLC4GBN0ILUMh+l4Im2ZvrOYa7DYya/Ku8:3OXzEnkGxqeQohS8LCR4kL7Hcdfro/o
Score8/10 -
-
-
Target
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa
-
Size
786KB
-
MD5
7185834758af3441e82bba85cd5b8ff0
-
SHA1
58520459530dcd3f840825b540d02b0a86590b86
-
SHA256
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa
-
SHA512
9a99d1a453a830b8c17e42e9c746b12483f3c9e8585e94e6a615b8d50cbf612610628670d8e261bab1450ed8ed7c1dac9ad7e04e1723a545325cbea098b734e8
-
SSDEEP
24576:26UqGLpGLMMMHMMMvMMZMMMKzbKXOMMHMMMvMMZMMMKzbKXT7GLMMMHMMMvMMZM0:Z6MMHMMMvMMZMMMFOMMHMMMvMMZMMMFi
Score10/10-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-
-
-
Target
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a
-
Size
215KB
-
MD5
926677dc69319999351c0771c03ca302
-
SHA1
0d36a4435c234015d7c3207762b08c1924272753
-
SHA256
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a
-
SHA512
3e34fb409fec7dbe39a6f3e19a0db3f97ac944dfa0c0ffecc00d5510285fe99f42ba80cb6a910f834cb7ba47b487329dc1facc168ce970de34a8e2a32c5abe42
-
SSDEEP
1536:8I47GyTGCwiSnmQUt0LB18rs5gc3H2KrmswOOF+xcYPit0AQ:8vGyYiSDnt18w5X3HrrmsQMxDqqAQ
Score8/10-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea
-
Size
8KB
-
MD5
fd1489c65b0d75f4cdc7b1f2634b5359
-
SHA1
f8431629d627f8dc13ca486e8b5d0a46f47d46fd
-
SHA256
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea
-
SHA512
e4fc02e1567e188caaf67ccd3a068e6b9db1c20b22a6949ec9ffd9d1a037afe36d744ac8c94a0fd5df55c7e2a51c10a9bcf05c3274175c8296cf16be718a99a2
-
SSDEEP
96:a9hcOxiPwrltSJ1+pa/4/pzzkZj6tfCIQJ25FsfQungwffm2gbFnU:avc4rvpPd4Z+t6BJyungwffPZ
Score1/10 -
-
-
Target
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39
-
Size
720KB
-
MD5
deece2ef4fe8f9c0c587d67ecb2d1fa4
-
SHA1
cf7588cf77acd63a4ecf3f554e1672708ee4eaac
-
SHA256
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39
-
SHA512
c062403aaccc83f090704f79540d22f4a6d7de7d18de1297d3170ebb9653a8e40ec3719e45f91782c2eb4829ba623aba3b3040ab716901dc81d939356a21ebd6
-
SSDEEP
12288:+SipcKrMXnVVLsx7i0ioWvVGYmp7aGEiN8ut/DIXIrVO6b04huXB1lyqmxlz4lVP:fipcKOnVVLsxXEir/DqIrVG4eyjbz4zP
Score1/10 -
-
-
Target
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce
-
Size
450KB
-
MD5
47d4b2fd7654ad71026eb66dd2aa5d97
-
SHA1
dabbda8e945fadee09c5bbee1b0ed9a4036038f5
-
SHA256
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce
-
SHA512
3412e220dfcfa4401b03e0ca36c55c03f65bc92016a5a52db625a16c4e1171b1305477e9b461f3aaffeafcae99ccfdf1c9e4729695007718469bda1d753f28f1
-
SSDEEP
6144:Z8fFQo+7Q0H3y+nvEGiBpYbgBUR4JttcBDlxdwpfxfBThM9eo1I7u0Kry2wej99u:ZYFiISM5jY9IfBTy9eo1dC
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-
-
-
Target
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853
-
Size
3.4MB
-
MD5
4d536854aa5cbf1fc1c7d2cfc8ee65f6
-
SHA1
d29e0930c73e808b394c082e372033b0e57bc8b9
-
SHA256
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853
-
SHA512
1aa95fa137e5fc15b56f2155877f23e6609a440f22d143daff0436c0573ec75c528cb2a4af6d76b29085187ba2bc7ea105af65a89559445f248b466cd0079ad4
-
SSDEEP
49152:naJlbM2hKrp949JqBaaI8zAlhSQrhF0Cph4D4QGpUFCU/rc6jQ6qv/:Ei94AIRSQrhF0K2DX6U/rk
Score1/10 -
-
-
Target
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45
-
Size
4.8MB
-
MD5
854d5dfe2d5193aa4150765c123df8ad
-
SHA1
1b21d80c4beb90b03d795cf11145619aeb3a4f37
-
SHA256
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45
-
SHA512
48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc
-
SSDEEP
98304:GiIOIQKetb5uDv/tFAOoLKSIc5EP61wNYZiu7JfQmEM9:rIbCEA1EP614g9fQm59
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofencing check.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff
-
Size
7.3MB
-
MD5
83dbe0cb14f889e38fc0f8889842cf9d
-
SHA1
ded313ca908136000fd9e5f623dcf0974e2b5f30
-
SHA256
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff
-
SHA512
ad4bef13d8b816dc81b42e0a2983cedd8c1b66bb15ffff93d908dd8bb78621c2ec690c44dc01bffb3a378159c42c7552ebd27bdb889eb13351a85a26d61fbac6
-
SSDEEP
196608:91O0G+ffRqHIxpuBM9lsB1veokOefmev7+RND:3OL+ffRqoxpAQi0POcmez+LD
Score8/10-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofencing check.
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef
-
Size
2.4MB
-
MD5
989cb0bfa4cc0bd8e8302f47add8e368
-
SHA1
515b82386397ec822edbce6f24a6c4b9d13b0344
-
SHA256
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef
-
SHA512
9211bb8622c7dee790db4847a9095bfd8dc48d324a400f374ab42ce65c1e2295cc6392a16e031282f6b3fa29a1881487016c9b817e05d65420d7db41f4548583
-
SSDEEP
24576:pu4wFHPSaD/zXFRRhOnYQb6VOOmWC9+HW0MigJS3Cd+XHKrQD2YR:
Score8/10-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofencing check.
-
Suspicious use of SetThreadContext
-
-
-
Target
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde
-
Size
6.3MB
-
MD5
ded964e022a37d93d434091ec75f9881
-
SHA1
e89a551ac1f19dc3838e21157667e2f98d84d06b
-
SHA256
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde
-
SHA512
13f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af
-
SSDEEP
196608:91OEVXHF+E/eq7QuIUVUMxVuAK1X84eu/k9RD13q:3OEVV+tq7Q7U62AAi84VkF13q
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofencing check.
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753
-
Size
1.8MB
-
MD5
6df29a5803a4576a90b6d9cc44b622bc
-
SHA1
7bed517810e102847d8679aaa3a1caf7ae1a6064
-
SHA256
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753
-
SHA512
38267fca5b28db2e85663bfe075307cfd66e8fd6c30303ad9840a1c04ab287232d700fbca506d837c2c927f46b738999a3de40747dd064ddf3a9dd025cf882a2
-
SSDEEP
24576:hQTh2cyxiz583hZprjumLzu2O7K8HzxemmF2ZvgsnJQ9q12BL7TLhn5c0ANTyKmz:15Q831o2cHtemmFoDQ9q12BLTh+0u+b
Score1/10 -
-
-
Target
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296
-
Size
1.7MB
-
MD5
e9118e77017247f6e5d4046ce9dad8b6
-
SHA1
8204f61940dc697bf1d96e5a1625629ead242275
-
SHA256
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296
-
SHA512
027a2e262975982f0de9a6be165b77edb037beca0ecfa38a3c4f63aae07416aa688767fd50cf0bf1a5c492d9ee6d04c72aefb3a90ae31a7de1ce088964f5bdaa
-
SSDEEP
49152:H6M6Zsl+0dOuD2rmHiSCYK64SDq2zPrBLNTyCrxw:H6pZskpuD+gGYa+zBL05
Score7/10-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofencing check.
-
Loads dropped DLL
-
-
-
Target
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7
-
Size
44KB
-
MD5
caef853daea33a8898555fee1d45e093
-
SHA1
f32005ded199e821ef77d501f8368a9dcc89c20c
-
SHA256
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7
-
SHA512
b9e37d92c74d9b0677c1c7f8ca2e68fbda5d04b2ca206f6b5401d32073c798a827c6cf449ccecf9c6b58ed15b3ca18b4ba0b5c53c0566ca194affc5eb411a92b
-
SSDEEP
768:8jYeM17XpwE3sKfkCbJokUP/W1CqpBoa8PP:feW71D6xP/WIquPP
Score1/10 -
-
-
Target
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a
-
Size
95.4MB
-
MD5
6d08fd7ee7d279585077bff3b77c9cf1
-
SHA1
09918a40856f17990378fcf280d3ce399d1bbdde
-
SHA256
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a
-
SHA512
9673687f67aecefaeeb24104cea85632a89ca4533fe668a14a99cc05ff2fd0e399b8ff62c1716f933884bc160639ca9245fcfaf70dbc32cd8180e55808cf7e01
-
SSDEEP
96:wCuMxH2gn9Qr393iMMQGjHJvVkOoEV35quW/2viMffthpl4WUl4hbFnU:wCNn9Y95MLkOoEVFNviMfftl2
Score1/10 -
-
-
Target
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489
-
Size
87KB
-
MD5
769df9e877f419beb20a34515a4b211f
-
SHA1
8de6ec68b339a3f8761703b20a3cfe1c4370f532
-
SHA256
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489
-
SHA512
ef19bd14aac3260be66a30ff21fedf181ece14fb67e76546fa41b6462f2514645c0c2cd0a6244be1b03af71459114c66f28bc588eabaab3d340071a80aa8d8ea
-
SSDEEP
1536:VpQKRk5UqXbkb2bM5XiE6cuR0Zng71jahYQeEmus8jcd3WWn7q:r6rkb2b6S3cuREn0ahZeEmr3WWn7q
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofencing check.
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Traffic on the DNS port was detected going to servers other than the configured DNS servers.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
3Install Root Certificate
1Modify Registry
5Scripting
1Virtualization/Sandbox Evasion
1