General

Target: Alien C++ Cryper.exe
Size: 614KB
Sample: 230317-by4dpsfg8y
MD5: 6d7be98d68c6b3d8ea8c55da493b568e
SHA1: 71ec3454cef1f3e4a90fe2688e9bfd0e0f9c2cea
SHA256: 6ecbc0d9795b7fa1869f113c5a05fca4d8ff17f2312ac8f973277989cf64a67b
SHA512: e2c5729d028f3821823cba3d4da7fe36eb71cc184fde8314a59eeddb52f1e51bcaf0f996b4b7398ae800a052cf715320ebc6bde29dcfa400a45b7c179a1f1282
SSDEEP: 12288:+DzeNryR43tPVX38vhtUM4Th09oAt4CsyXwLLzl71M+zuBP1d3owmDYS:0ze0RM6ht8mq0rSLzl72qufd4wMY
Static task: static1
Behavioral task: behavioral1
  Sample: Alien C++ Cryper.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Alien C++ Cryper.exe
  Resource: win10v2004-20230220-en
Malware Config

Extracted: asyncrat
  Version: 0.5.7B
  Botnet: Wars
  C2: 95.173.247.110:8806
  Mutex: Wars
  Attributes:
    delay: 3
    install: true
    install_file: Winder.exe
    install_folder: %AppData%

Extracted: redline
  Botnet: Muck
  C2: 52.232.8.179:37764

Extracted: asyncrat
  Version: 0.5.7B
  Botnet: DefenderSmartScren
  C2: 217.64.31.3:8437
  Mutex: DefenderSmartScren
  Attributes:
    delay: 3
    install: false
    install_file: SecurityHealtheurvice.exe
    install_folder: %AppData%

Extracted: asyncrat
  Version: 0.5.7B
  Botnet: SecurityDefenderProtokol
  C2: 88.248.18.120:33918
  Mutex: SecurityDefenderProtokol
  Attributes:
    delay: 3
    install: false
    install_file: SecurityDefenderProtokol.exe
    install_folder: %AppData%

Extracted: asyncrat
  Version: 1.0.7
  C2: 217.64.31.3:9742
  Mutex: WindowsDefenderSmarttScreen
  Attributes:
    delay: 1
    install: false
    install_file: WindowsDefenderSmarttScreen.exe
    install_folder: %AppData%

Note on the configs: the botnet, mutex and file names are the operator's own strings (misspellings such as "DefenderSmartScren" and "SecurityHealtheurvice.exe" are part of the extracted values, not transcription errors) and are useful as-is for mutex and file-name hunting. Only the "Wars" configuration has install enabled, so %AppData%\Winder.exe is the AsyncRAT persistence artefact to expect on an infected host; the other three install_file values are configured but, with install set to false, are not expected to be written by this sample. 217.64.31.3 appears as a C2 for two different AsyncRAT configs (ports 8437 and 9742), so block or alert on the host, not just the single port.
Targets

Target: Alien C++ Cryper.exe (614KB; hashes as listed under General above)
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
SectopRAT payload
Async RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext

Reading the signatures together: one 614KB sample yielding RedLine, SectopRAT and four separate AsyncRAT configurations is the profile of a crypter/loader stage (as the file name "Alien C++ Cryper.exe" suggests) rather than a single family, so the hashes above identify this crypter build, and the C2s and payload strings in the config section are the indicators that survive re-crypting. SetThreadContext on another process, combined with a downloaded or dropped PE, is the API pattern of process hollowing (writing a payload into a suspended process and redirecting its thread to the new entry point), which is why it is flagged here. The Run key and startup file signatures line up with the one AsyncRAT config that has install enabled, and the wallet-file access is consistent with the RedLine payload.
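To make the extracted configs and the persistence signatures above actionable, the following Python block (an added example, not part of the sandbox report or any tool's code) turns the C2 endpoints and install_file values into a hunt list and matches constructed telemetry lines against it. The log lines, their field names (dst=, dport=, path=, data=) and the hit labels are assumptions made for illustration; the IOC values are copied from the config section. It deliberately keeps the three install_file names that have install=false, marked "configured only", because they still identify the operator's naming scheme, and it flags a connection to a known C2 host on an unlisted port separately, since 217.64.31.3 serves two ports in the extracted configs.

```python
"""Hunt list built from the sandbox-extracted configs, matched against telemetry.
Added example; the telemetry lines are constructed, the IOC values come from the report."""
import re
from dataclasses import dataclass, field

# Values copied from the extracted-config section of the report.
CONFIGS = [
    {"family": "asyncrat", "version": "0.5.7B", "botnet": "Wars",
     "c2": "95.173.247.110:8806", "install": True,
     "install_file": "Winder.exe", "install_folder": "%AppData%"},
    {"family": "redline", "botnet": "Muck", "c2": "52.232.8.179:37764"},
    {"family": "asyncrat", "version": "0.5.7B", "botnet": "DefenderSmartScren",
     "c2": "217.64.31.3:8437", "install": False,
     "install_file": "SecurityHealtheurvice.exe", "install_folder": "%AppData%"},
    {"family": "asyncrat", "version": "0.5.7B", "botnet": "SecurityDefenderProtokol",
     "c2": "88.248.18.120:33918", "install": False,
     "install_file": "SecurityDefenderProtokol.exe", "install_folder": "%AppData%"},
    {"family": "asyncrat", "version": "1.0.7",
     "c2": "217.64.31.3:9742", "install": False,
     "install_file": "WindowsDefenderSmarttScreen.exe", "install_folder": "%AppData%"},
]


@dataclass
class HuntList:
    c2: dict = field(default_factory=dict)             # "ip:port" -> family
    c2_ips: set = field(default_factory=set)           # bare C2 hosts
    persist_files: dict = field(default_factory=dict)  # lowercase file name -> (family, status)


def build_hunt_list(configs=CONFIGS) -> HuntList:
    """Flatten the configs into lookup tables keyed the way telemetry presents them."""
    h = HuntList()
    for c in configs:
        h.c2[c["c2"]] = c["family"]
        h.c2_ips.add(c["c2"].split(":")[0])
        if c.get("install_file"):
            # install_file is only written when install is true; keep the others
            # too, labelled so an analyst can tell expected from merely configured.
            status = "installs" if c.get("install") else "configured only"
            h.persist_files[c["install_file"].lower()] = (c["family"], status)
    return h


# Assumed telemetry field layout (constructed for this example, not a real product format).
NETCONN = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<port>\d+)")
FILEPATH = re.compile(r"(?:path|data)=(?P<path>[A-Za-z]:\\[^\s]+)", re.I)


def match_event(line: str, h: HuntList) -> list:
    """Return hit labels for one telemetry line (empty list when nothing matches)."""
    hits = []
    m = NETCONN.search(line)
    if m:
        endpoint = f"{m['ip']}:{m['port']}"
        if endpoint in h.c2:
            hits.append(f"c2:{h.c2[endpoint]}:{endpoint}")
        elif m["ip"] in h.c2_ips:
            # Same host as a known C2 but a port not in any extracted config.
            hits.append(f"c2-ip-other-port:{endpoint}")
    for m in FILEPATH.finditer(line):
        path = m["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if name in h.persist_files:
            fam, status = h.persist_files[name]
            # AsyncRAT's %AppData% resolves to the roaming profile directory.
            where = "appdata" if "\\appdata\\roaming\\" in path.lower() else "other-dir"
            hits.append(f"persist:{fam}:{name}:{status}:{where}")
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not taken from the sandbox run
    "NetworkConnect proc=Winder.exe dst=95.173.247.110 dport=8806",
    "NetworkConnect proc=chrome.exe dst=142.250.72.14 dport=443",
    "NetworkConnect proc=svchost.exe dst=217.64.31.3 dport=9999",
    r"FileCreate proc=Alien C++ Cryper.exe path=C:\Users\lab\AppData\Roaming\Winder.exe",
    r"RegistryValueSet key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Winder data=C:\Users\lab\AppData\Roaming\Winder.exe",
    r"FileCreate proc=installer.exe path=C:\Temp\SecurityDefenderProtokol.exe",
]


def scan(events=SAMPLE_EVENTS, configs=CONFIGS) -> dict:
    """Map each matching event line to its hit labels; non-matching lines are dropped."""
    h = build_hunt_list(configs)
    return {e: hits for e in events if (hits := match_event(e, h))}


if __name__ == "__main__":
    for event, hits in scan().items():
        print(hits, "<-", event)
```

The file-name match is intentionally case-insensitive and directory-independent, with the directory reported as a separate attribute: the sample's configs say %AppData%, but a hit on one of these names anywhere is worth a look, and the "other-dir" label keeps that distinction visible instead of silently dropping it.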