General

  • Target

    D7F94C05F6D679EA0DF97E773EE754166ECEE640BD2B9.exe

  • Size

    1.0MB

  • Sample

    230201-z1573scc69

  • MD5

    7ecbba643628f94ba19830291265d89c

  • SHA1

    03cf7509b4864f9d7f47ef65a47560083c4446e1

  • SHA256

    d7f94c05f6d679ea0df97e773ee754166ecee640bd2b93e2b533bab9568cae84

  • SHA512

    2926e805d5e21b6a99a1ac7b817a65f9611a7152563a4e0b58fe76c389297c4e64dbc7fb301d95d94592f3db4a2cc818a9283ce7db471b89c7d3e0af3ca2ee6a

  • SSDEEP

    1536:aqsAPqX6lbG6jejoigIL43Ywzi0Zb78ivombfexv0ujXyyed2pteulgS6pw:IeA6YL+zi0ZbYe1g0ujyzd1w

Malware Config

Extracted

  • Family

    redline

  • Botnet

    BL

  • C2

    193.233.49.109:22285

Extracted

  • Family

    redline

  • Botnet

    24.01

  • C2

    37.220.86.164:29170

  • Attributes

    auth_value: 1c7f0aa21138601b5201a3a4a0123991

Targets

    • Target

      D7F94C05F6D679EA0DF97E773EE754166ECEE640BD2B9.exe

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Credential Access

    T1081 Credentials in Files (2)

  • Discovery

    T1012 Query Registry (2)

    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (2)

  • Command and Control

    T1102 Web Service (1)

Tasks