General
-
Target
Setup_soft.exe
-
Size
6.4MB
-
Sample
230123-x1h2fage91
-
MD5
34ed962ae522fd0a6327b23fa8932cf2
-
SHA1
20bddced3bf506f535efe74cdd32ddf44a159352
-
SHA256
1a2de110248c93889768657273bdab9972b89b6b0dac8b2c83cdf2f5d45f80f6
-
SHA512
2a47fcef7c88dbd072de0e9e17d45c4663c1ede05ad881ec3772dc6af30eb07fe40d0a912d91a94c9b5cf7b4399c1a67503e2c6a58c07f2814e8f8e97eb2e444
-
SSDEEP
98304:Y5I5x3omArylYOI5CAaT+dPas2Yv0zcBWc1fldTRwaykXf1:15xqyoaT+dPB2mwq7T5bXf
Static task
static1
Behavioral task
behavioral1
Sample
Setup_soft.exe
Resource
win7-20220812-en
Malware Config
Extracted
amadey
3.65
83.217.11.7/8vcWxwwx3/index.php
Extracted
redline
95.217.146.176:4281
-
auth_value
a909e2aaecf96137978fea4f86400b9b
Targets
-
-
Target
Setup_soft.exe
-
Size
6.4MB
-
MD5
34ed962ae522fd0a6327b23fa8932cf2
-
SHA1
20bddced3bf506f535efe74cdd32ddf44a159352
-
SHA256
1a2de110248c93889768657273bdab9972b89b6b0dac8b2c83cdf2f5d45f80f6
-
SHA512
2a47fcef7c88dbd072de0e9e17d45c4663c1ede05ad881ec3772dc6af30eb07fe40d0a912d91a94c9b5cf7b4399c1a67503e2c6a58c07f2814e8f8e97eb2e444
-
SSDEEP
98304:Y5I5x3omArylYOI5CAaT+dPas2Yv0zcBWc1fldTRwaykXf1:15xqyoaT+dPB2mwq7T5bXf
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-