General
-
Target
HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe
-
Size
3.6MB
-
Sample
230119-de4apsad4z
-
MD5
ec9abf614ab015f26629f48c58492005
-
SHA1
dd6ab65305ec6a6540e430979d4701ee9a457dea
-
SHA256
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
-
SHA512
f39375b4714c9be8ddfdb75757cdd58765938fd4f268db4cf6cde312bda8ddf4734dbd18b1d503ec0d44451653a2ad6c2593acb7185c9150f9939e5e419762e5
-
SSDEEP
98304:JHnvuRxqSPepIcGYhdkqKcTujg5zWOAgopMai5NdfME3:JHvuRci6Icfhj6vOmpMdfx3
Malware Config
Extracted
nullmixer
http://razino.xyz/
Extracted
redline
ServAni
87.251.71.195:82
Extracted
vidar
39.4
706
https://sergeevih43.tumblr.com/
-
profile_id
706
Extracted
redline
Cana
176.111.174.254:56328
Extracted
redline
@new@2023
77.73.133.62:22344
-
auth_value
8284279aedaed026a9b7cb9c1c0be4e4
Extracted
raccoon
64b445f2d85b7aeb3d5c7b23112d6ac3
http://45.15.156.209/
Extracted
redline
Medi2
167.235.156.206:6218
-
auth_value
415e49528666a4468e12b696ddda231f
Extracted
redline
Dzokey1111111
82.115.223.9:15486
-
auth_value
a46fd18e8e0de86d363c12c2307db5e9
Extracted
redline
1
librchichelpai.shop:81
rniwondunuifac.shop:81
-
auth_value
b6c86adb7106e9ee7247628f59e06830
Extracted
redline
SlovarikTest2
82.115.223.9:15486
-
auth_value
74f576286d26c99e51edf3860e562ae6
Extracted
amadey
3.66
62.204.41.27/9djZdj09/index.php
Extracted
redline
andriii_ff
185.244.181.112:33056
-
auth_value
8caf20244d14f9f793741e94dc56017f
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.210.137.6:47909
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Extracted
redline
vertu
62.204.41.159:4062
-
auth_value
fcf83997f362e2cd45c3f3c30912dd41
Targets
-
-
Target
HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe
-
Size
3.6MB
-
MD5
ec9abf614ab015f26629f48c58492005
-
SHA1
dd6ab65305ec6a6540e430979d4701ee9a457dea
-
SHA256
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
-
SHA512
f39375b4714c9be8ddfdb75757cdd58765938fd4f268db4cf6cde312bda8ddf4734dbd18b1d503ec0d44451653a2ad6c2593acb7185c9150f9939e5e419762e5
-
SSDEEP
98304:JHnvuRxqSPepIcGYhdkqKcTujg5zWOAgopMai5NdfME3:JHvuRci6Icfhj6vOmpMdfx3
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Fabookie payload
-
Detects Smokeloader packer
-
Fabookie
Fabookie is facebook account info stealer.
-
Modifies Windows Defender Real-time Protection settings
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Nirsoft
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Scripting
1Install Root Certificate
1