General
-
Target
acf18a5101a64bfd0f85fb30564d126a3ad79e7457481b629735f6c45b73dbdf
-
Size
1.2MB
-
Sample
230316-m381jacg3v
-
MD5
c95cd910b317930555258d1996af1972
-
SHA1
0270dfd0516e61a636e858b5e48613829af7b156
-
SHA256
acf18a5101a64bfd0f85fb30564d126a3ad79e7457481b629735f6c45b73dbdf
-
SHA512
01c14aa06370ba9e452653218728e78e1aa8d74deabe96df71f90031774b6c896f45dd797dba8193c2e1661aea4bc99dad5510a312278895f12fe21fd1876f58
-
SSDEEP
24576:/yxfgKO8CGyNbi6O2FcRVY6f9vLnXFZ9eUYh8M2WIvNaNf:Kx4KpKQ6yzX39bWXN
Static task
static1
Behavioral task
behavioral1
Sample
acf18a5101a64bfd0f85fb30564d126a3ad79e7457481b629735f6c45b73dbdf.exe
Resource
win10-20230220-en
Malware Config
Extracted
redline
lint
193.233.20.28:4125
-
auth_value
0e95262fb78243c67430f3148303e5b7
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
redline
@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)
151.80.89.234:19388
-
auth_value
56af49c3278d982f9a41ef2abb7c4d09
Extracted
redline
MatyWon2
85.31.54.216:43728
-
auth_value
abc9e9d7ec3024110589ea03bcfaaa89
Extracted
laplas
http://45.159.189.105
-
api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172
Targets
-
-
Target
acf18a5101a64bfd0f85fb30564d126a3ad79e7457481b629735f6c45b73dbdf
-
Size
1.2MB
-
MD5
c95cd910b317930555258d1996af1972
-
SHA1
0270dfd0516e61a636e858b5e48613829af7b156
-
SHA256
acf18a5101a64bfd0f85fb30564d126a3ad79e7457481b629735f6c45b73dbdf
-
SHA512
01c14aa06370ba9e452653218728e78e1aa8d74deabe96df71f90031774b6c896f45dd797dba8193c2e1661aea4bc99dad5510a312278895f12fe21fd1876f58
-
SSDEEP
24576:/yxfgKO8CGyNbi6O2FcRVY6f9vLnXFZ9eUYh8M2WIvNaNf:Kx4KpKQ6yzX39bWXN
-
Detects PseudoManuscrypt payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PseudoManuscrypt
PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-