General

  • Target

    LibreOffice_7.4.3_Win_x64.iso

  • Size

    300.4MB

  • Sample

    230126-eq4ahsdh7v

  • MD5

    5f8e85eb1beed28c3b9c89e588f97b86

  • SHA1

    f9d5736005eb7b53639e1d9c21eaba84d58ff624

  • SHA256

    4db1e1b89c6750b4e1b1fad00652b669fe03e8bef93711c46b6752c08466adbd

  • SHA512

    a900a2a7577b4c354fc033e8cd9113bd270e649cee7ece4fd874dbb0ef414f54b248b2e1374712aa1fcce8a6164a94b69014751eb05f1d0f626ce6a26a7aef06

  • SSDEEP

    12288:gbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBj7ww43vmOC:41ww4fmOa6IglK

Malware Config

Extracted

  • Family

    aurora

  • C2

    79.137.133.225:8081

Extracted

  • Family

    redline

  • Botnet

    redline

  • C2

    79.137.133.225:25999

  • Attributes

    auth_value: 38284dbf15da9b4a9eaee0ef0d2b343f
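Both extracted configs point at the same host, 79.137.133.225, on two ports (8081 for Aurora, 25999 for RedLine). The following Python is an added example, not part of the sandbox report: it sweeps Zeek conn.log records for the two C2 endpoints and, with lower confidence, for any other traffic to that host, since one host serves both families here. The log lines are constructed for the example (default conn.log column order, first seven columns only), so it runs offline.

```python
"""Network IOC sweep for the two C2 endpoints extracted from this sample.

Added example, not part of the sandbox report.  Input is a handful of
constructed Zeek conn.log lines (tab-separated, default column order,
truncated to the first seven columns) so it runs offline.
"""
from dataclasses import dataclass
from typing import Optional

# Indicators from the "Malware Config" section: (host, port) -> family.
C2_ENDPOINTS = {
    ("79.137.133.225", 8081): "aurora",
    ("79.137.133.225", 25999): "redline",
}
C2_HOSTS = {host for host, _port in C2_ENDPOINTS}

# First seven columns of a Zeek conn.log record.
FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")

# Constructed sample log: one Aurora beacon, one benign HTTPS flow,
# one RedLine beacon, and one flow to the C2 host on an unlisted port.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1674720001.123456\tCx1A\t10.0.0.5\t49812\t79.137.133.225\t8081\ttcp
1674720002.000000\tCx2B\t10.0.0.5\t49813\t142.250.74.46\t443\ttcp
1674720003.500000\tCx3C\t10.0.0.7\t51002\t79.137.133.225\t25999\ttcp
1674720004.000000\tCx4D\t10.0.0.7\t51003\t79.137.133.225\t443\ttcp
"""


@dataclass(frozen=True)
class Hit:
    ts: float
    uid: str
    src: str
    dst: str
    dport: int
    family: Optional[str]   # None when only the host matched
    confidence: str         # "c2" (host and port) or "host" (host only)


def parse_conn_line(line: str) -> Optional[dict]:
    """Return the first seven conn.log columns as a dict, or None for
    header/comment lines and malformed records."""
    if not line or line.startswith("#"):
        return None
    cols = line.rstrip("\n").split("\t")
    if len(cols) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, cols))
    try:
        rec["ts"] = float(rec["ts"])
        rec["id.orig_p"] = int(rec["id.orig_p"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
    except ValueError:
        return None
    return rec


def sweep(log_text: str) -> list:
    """Flag flows to a listed C2 endpoint (high confidence) and flows to the
    C2 host on any other port (lower confidence, still worth a look)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        key = (rec["id.resp_h"], rec["id.resp_p"])
        if key in C2_ENDPOINTS:
            family, confidence = C2_ENDPOINTS[key], "c2"
        elif rec["id.resp_h"] in C2_HOSTS:
            family, confidence = None, "host"
        else:
            continue
        hits.append(Hit(rec["ts"], rec["uid"], rec["id.orig_h"],
                        rec["id.resp_h"], rec["id.resp_p"], family, confidence))
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_CONN_LOG):
        print(f"{h.ts:.6f} {h.src} -> {h.dst}:{h.dport} {h.confidence} {h.family or '-'}")
```

The host-only match is deliberately kept separate from the endpoint matches: a stealer operator who rotates ports keeps the same server for a while, so the weaker rule catches follow-on activity, but it should be triaged rather than blocked outright.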

Targets

    • Target

      LibreOffice_7.4.3_Win_x64.exe

    • Size

      300.4MB

    • MD5

      e2b9ea93192c7bfc79093a107e9ae5dc

    • SHA1

      db51ef38abed72a4f426a0af5a2e148f88dc4cfd

    • SHA256

      303d6ec037275eb07e4e9e37efe0e6e9dc0260ce41e2cb6b3838fcf177dd1cf6

    • SHA512

      dedd3d6d8140282eab2ac8243dce35d652e5753e980a318281443683b2bf1bffa3fec24466368f91d545b701f153933b26d820da15e25f39ed40f322153613d7

    • SSDEEP

      12288:WbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBj7ww43vmOC:m1ww4fmOa6IglK

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
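The two SSDEEP signatures above (ISO and EXE) share the same block size and differ only in the first character of each chunk, which is consistent with the ISO being a thin container around the same payload; a cryptographic hash lookup alone would never show that. The following Python is an added example, not part of the sandbox report or the ssdeep project: it re-implements ssdeep's comparison scoring (block-size compatibility, the 7-character common-substring gate, the weighted edit distance with substitution cost 2, and the 0-100 rescale) so the match between the two signatures can be computed offline. Constant and function names are this example's own; for anything beyond illustration, use the ssdeep tool itself (`ssdeep -d`) or python-ssdeep.

```python
"""Compare the ISO and EXE ssdeep signatures from the report.

Added example: a compact re-implementation of ssdeep's comparison scoring.
The two signatures below are copied from the report; everything else is
this example's own code and mirrors the published ssdeep algorithm.
"""
SPAMSUM_LENGTH = 64   # max chunk length in a signature
ROLLING_WINDOW = 7    # shared-substring length required before scoring
MIN_BLOCKSIZE = 3

ISO_SSDEEP = "12288:gbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBj7ww43vmOC:41ww4fmOa6IglK"
EXE_SSDEEP = "12288:WbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBj7ww43vmOC:m1ww4fmOa6IglK"


def eliminate_sequences(s: str) -> str:
    """ssdeep drops any character repeated more than three times in a row."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def parse(sig: str):
    """Split 'blocksize:chunk1:chunk2' and normalise both chunks."""
    bs, s1, s2 = sig.split(":", 2)
    return int(bs), eliminate_sequences(s1), eliminate_sequences(s2)


def has_common_substring(a: str, b: str) -> bool:
    """Two chunks must share a run of ROLLING_WINDOW characters to be compared."""
    return any(a[i:i + ROLLING_WINDOW] in b
               for i in range(len(a) - ROLLING_WINDOW + 1))


def edit_distance(a: str, b: str) -> int:
    """Weighted edit distance: insert 1, delete 1, substitute 2 (ssdeep's edit_distn)."""
    prev = list(range(len(b) + 1))           # "" -> b[:j] costs j inserts
    for i, ca in enumerate(a, 1):
        cur = [i]                             # a[:i] -> "" costs i deletes
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                           # delete ca
                           cur[j - 1] + 1,                        # insert cb
                           prev[j - 1] + (0 if ca == cb else 2))) # substitute
        prev = cur
    return prev[-1]


def score_strings(a: str, b: str, block_size: int) -> int:
    """Score two chunks computed at the same block size on a 0-100 scale."""
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH:
        return 0
    if not has_common_substring(a, b):
        return 0
    score = edit_distance(a, b)
    score = (score * SPAMSUM_LENGTH) // (len(a) + len(b))   # proportion changed, ~0-64
    score = (100 * score) // SPAMSUM_LENGTH                 # rescale to 0-100
    score = 100 - score                                     # 100 = identical
    if block_size >= (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE:
        return score
    # small block sizes: do not exaggerate matches between short chunks
    cap = block_size // MIN_BLOCKSIZE * min(len(a), len(b))
    return min(score, cap)


def compare(sig_a: str, sig_b: str) -> int:
    """ssdeep-style similarity (0-100) between two full signatures."""
    b1, a1, a2 = parse(sig_a)
    b2, c1, c2 = parse(sig_b)
    # Block sizes must be equal or differ by exactly one doubling.
    if b1 != b2 and b1 != 2 * b2 and b2 != 2 * b1:
        return 0
    if b1 == b2:
        if a1 == c1 and a2 == c2:
            return 100
        return max(score_strings(a1, c1, b1), score_strings(a2, c2, 2 * b1))
    if b1 == 2 * b2:
        return score_strings(a1, c2, b1)   # a's first chunk vs b's second chunk
    return score_strings(a2, c1, b2)       # a's second chunk vs b's first chunk


if __name__ == "__main__":
    print("ISO vs EXE ssdeep similarity:", compare(ISO_SSDEEP, EXE_SSDEEP))
```

The score comes out at 99 because a single substitution in a 64-character chunk costs 2 edit units against a 128-character combined length, which rounds to one point off a perfect match. Integer division in each step matters: the same arithmetic in floating point would not reproduce ssdeep's numbers.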

MITRE ATT&CK Matrix (ATT&CK v6)

Technique IDs below are the ATT&CK v6 IDs reported by the sandbox; hit counts are in parentheses. Three of them have since been replaced by sub-techniques in current ATT&CK: T1060 is now T1547.001, T1081 is now T1552.001 and T1130 is now T1553.004.

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (2)
    T1130 Install Root Certificate (1)

  • Credential Access

    T1081 Credentials in Files (2)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (2)

  • Command and Control

    T1102 Web Service (1)

Tasks