Overview

overview

10

Static

static

1

04c1b9ea5b...39.exe

windows7-x64

10

04c1b9ea5b...39.exe

windows10-2004-x64

10

Resubmissions

23-02-2023 14:06

230223-reh7eshh41 10

12-01-2023 21:04

230112-zw3w6aba39 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.zip

  • Size

    13.4MB

  • Sample

    230223-reh7eshh41

  • MD5

    35dc42a422a763d61cdf19cee9b5f48a

  • SHA1

    b2f51efcd7dc3f8a10d0362890c392757596222a

  • SHA256

    10690042b3461639b7006aeac45cda45c4461ad5b4e0edc890821e7e26f6f803

  • SHA512

    0870d6c281b1e8f32f86e47515a923a0e40ef2504e5feb756c8b1d9d69f6b2045395225d1fc9629f88e464352f8d4770de19d91cbc420a44913f625bf85db976

  • SSDEEP

    393216:Sm7B/v/9sSMftFD0dzOmiZbfwOx+gyOiuUB5:S8/v/yLaOmi1LypuUT

Score
10/10
fabookiegluptebapseudomanuscryptredlinebharatdiscoverydropperevasioninfostealerloaderpersistencerootkitspywarestealervmprotect

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://nassarplastic.com/wp-content/config_20.ps1

Extracted

Family

redline

Botnet

bharat

C2

77.73.134.15:43250

Attributes
  • auth_value

    c5ff30d03db4d68f2e19663887b8c4cb

Targets

    • Target

      04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839

    • Size

      13.6MB

    • MD5

      0b1677efbd5bce8a2f526817d47db0d0

    • SHA1

      b2c894a6326de4e936041fd91297290ba418e80b

    • SHA256

      04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839

    • SHA512

      a9424d510e3404e74c324689eedf10bdf3eac4faf995d58ecb12bd3240d5dfc2bdf384219211853494e029021786228a0bdc3d692c9d316edbbadf7444a7f1db

    • SSDEEP

      196608:l3y+7MIsF/TG94kw++haZt65oEsmQs7pktIaAxaWy+vMpfCfG5TkAld96eSGQ685:ZvmFlk14aZtcpdtvMgu5TkqSGQE9Rc

    Score
    10/10
    fabookiegluptebapseudomanuscryptredlinebharatdropperevasioninfostealerloaderspywarestealervmprotectdiscoverypersistencerootkit

    • Detect Fabookie payload

    • Detects PseudoManuscrypt payload

      loader

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

      loaderpseudomanuscrypt

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Modifies Windows Firewall

      evasion

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

      rootkitevasion

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks