General

Target: Minecraft.keygen.by.cat.bin.zip
Size: 14.1MB
Sample: 230415-t7c7zsgd3x
MD5: ebff0a2737f2ad4b084934d265bf7818
SHA1: 5ba83e9347209caa5d7f0a602fefd79c24bd494c
SHA256: 22d2bc247b02a9ffc0f0b5843dad7ee88c2599ead0136bcd65f36df27e0fa8e4
SHA512: 4fb2625a9533b7dce65401896202566c6f5183b8db018f940823bfecdbf1e7496ad16505f41345b9497b72df2b05aa3e427e88d0c51a0e331c38f68bb9e017fc
SSDEEP: 393216:IKqqlxJEqShwWgb5uOczfXrqH1EXbmDCUkJa:1nJEqtZczfX+H14mOUkI

Static task: static1
Malware Config

Extracted: azorult
http://kvaka.li/1210776429.php

Extracted: socelars
https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Extracted: redline
nam3
103.89.90.61:18728
auth_value: 64b900120bbceaa6a9c60e9079492895

Extracted: redline
4
31.41.244.134:11643
auth_value: a516b2d034ecd34338f12b50347fbd92

Extracted: redline
@tag12312341
62.204.41.144:14096
auth_value: 71466795417275fac01979e57016e277

Extracted: redline
185.215.113.46:8223
auth_value: 1c36b510dbc8ee0265942899b008d972

Extracted: gcleaner
208.67.104.97
212.192.241.16
Targets

Target: Minecraft.keygen.by.cat.bin
Size: 14.2MB
MD5: 53b6e86dceab78b1fd41076b86be6cc4
SHA1: 855524589dac86f1a6e9eff45f5b08f3e5195034
SHA256: a6bb4031f4f28bafd8e88002bdd2d7690f92019a67e19ffb4348e1b055f1e835
SHA512: dad4b782e840d93d90dc471e0317287ce2b619ca56396c95484ba7bb9b18e90117564e2b494db3fb9e980b09a83ed42d3f5b2f8487e2af9b07cb84f111d7c9b7
SSDEEP: 393216:p5sMl5v2VK5PDXARPwh9HBC6TsAL0KT+Dfy4bymG:p5sMl5uIPbARPwzHBpTsALjCJymG

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Raccoon Stealer payload

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload

Socelars payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger