General
Target: 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45
Size: 603KB
Sample: 230203-mz476sef22
MD5: 1d5c91e93d5daa882ea28c5e3c985018
SHA1: 385c2c38d59c7b55a8d12bd99ad417de50dd7da3
SHA256: 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45
SHA512: 18c28534f06f4afbb6372c2873fda4fda6748a6d9dc0a02d277ea12c1b607b79c77c7d6631b078e82136c49ae9975997497b864c30f41a3db362039fb5013aa3
SSDEEP: 12288:/nmWQGvhT0qfqcEtOTy9IRJqzHaIGBUTx2UhE/yq8PAx5BAQi:/m6vB0qfMOaWe7GGx2ojIx5B5i
Static task: static1
Behavioral task: behavioral1
Sample: 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe
Resource: win10v2004-20220901-en
Malware Config

Extracted: redline
  redko
  62.204.41.170:4179
  auth_value: 9bcf7b0620ff067017d66b9a5d80b547

Extracted: amadey
  3.66
  193.233.20.4/t6r48nSa/index.php
  62.204.41.88/9vdVVVjsw/index.php

Extracted: redline
  temposs6678
  82.115.223.9:15486
  auth_value: af399e6a2fe66f67025541cf71c64313

Extracted: redline
  gonka
  62.204.41.170:4179
  auth_value: f017b1096da5cc257f8ca109051c5fbb

Extracted: redline
  @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
  151.80.89.233:13553
  auth_value: fbee175162920530e6bf470c8003fa1a

Extracted: amadey
  3.65
  77.73.134.27/8bmdh3Slb2/index.php

Extracted: redline
  bigdick
  185.254.37.212:80
  auth_value: 88290259fe8dc49da48b125d03e6788c

Extracted: redline
  85.31.44.66:17742
  auth_value: e9a89e5b72a729171b1655add99ee280

Extracted: redline
  Inkida
  195.201.30.165:80
  auth_value: 29132c501e296827c0ca24c0850430ea

Extracted: remcos
  Crypt
  185.225.73.67:1050
  audio_folder: 576ruythg6534trewf
  audio_path: %WinDir%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: 76y5trfed675ytg.exe
  copy_folder: kjhgfdc
  delete_file: true
  hide_file: true
  hide_keylog_file: true
  install_flag: true
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: 654ytrf654trf654ytgref.dat
  keylog_flag: false
  keylog_folder: 67yrtg564tr6754yter
  mouse_option: false
  mutex: 89765y4tergfw6587ryute-80UMP1
  screenshot_crypt: false
  screenshot_flag: true
  screenshot_folder: 67y4htergf65trgewfd654tyrfg
  screenshot_path: %Temp%
  screenshot_time: 10
  startup_value: 6754ytr756ytr7654yretg8765uyt
  take_screenshot_option: true
  take_screenshot_time: 5
  take_screenshot_title: bank
Targets

Target: 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45
Size: 603KB
Signatures

- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect rhadamanthys stealer shellcode
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  Modify Existing Service: 1
  Registry Run Keys / Startup Folder: 1
  Scheduled Task: 1

Defense Evasion
  Modify Registry: 5
  Disabling Security Tools: 3
  Bypass User Account Control: 1
  Scripting: 1