Resubmissions
13-06-2023 15:08
230613-sh5ehagg67 1012-06-2023 12:37
230612-ptx8sacc46 1009-06-2023 19:42
230609-yevzjsea3z 1008-06-2023 16:59
230608-vhg1bahg5z 1007-06-2023 18:26
230607-w3ealaec62 1007-06-2023 18:23
230607-w1vjsseg31 1006-06-2023 14:12
230606-rjb9nsea66 1005-06-2023 13:48
230605-q395dagh57 1002-06-2023 11:55
230602-n3t22sbe8z 1030-05-2023 13:02
230530-p98pfsaa3x 10General
-
Target
a.bin
-
Size
5KB
-
Sample
230530-p98pfsaa3x
-
MD5
8ce1f6882edc51f701bbe648e40dd133
-
SHA1
496b3df4657e9d11df14a8ad267061d97249b511
-
SHA256
188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
-
SHA512
5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
-
SSDEEP
48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt
Static task
static1
Behavioral task
behavioral1
Sample
a.exe
Resource
win10-20230220-en
Malware Config
Extracted
https://slpbridge.com/storage/images/debug2.ps1
Extracted
lokibot
http://194.180.48.58/web/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
smokeloader
2022
http://polinamailserverip.ru/
http://lamazone.site/
http://criticalosl.tech/
http://maximprofile.net/
http://zaliphone.com/
http://humanitarydp.ug/
http://zaikaopentra.com.ug/
http://zaikaopentra-com-ug.online/
http://infomalilopera.ru/
http://jskgdhjkdfhjdkjhd844.ru/
http://jkghdj2993jdjjdjd.ru/
http://kjhgdj99fuller.ru/
http://azartnyjboy.com/
http://zalamafiapopcultur.eu/
http://hopentools.site/
http://kismamabeforyougo.com/
http://kissmafiabeforyoudied.eu/
http://gondurasonline.ug/
http://nabufixservice.name/
http://filterfullproperty.ru/
http://alegoomaster.com/
http://freesitucionap.com/
http://droopily.eu/
http://prostotaknet.net/
http://zakolibal.online/
http://verycheap.store/
Extracted
redline
dusa
83.97.73.127:19045
-
auth_value
ee896466545fedf9de5406175fb82de5
Extracted
xworm
10.0.2.15:5555
TNZstVyCMYPlDDeU
-
install_file
ms-update.exe
Extracted
redline
dix
77.91.124.251:19065
-
auth_value
9b544b3d9c88af32e2f5bf8705f9a2fb
Extracted
redline
diza
185.161.248.37:4138
-
auth_value
0d09b419c8bc967f91c68be4a17e92ee
Extracted
redline
Redline
85.31.54.183:18435
-
auth_value
50837656cba6e4dd56bfbb4a61dadb63
Targets
-
-
Target
a.bin
-
Size
5KB
-
MD5
8ce1f6882edc51f701bbe648e40dd133
-
SHA1
496b3df4657e9d11df14a8ad267061d97249b511
-
SHA256
188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
-
SHA512
5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
-
SSDEEP
48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt
-
Detects Stealc stealer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Downloads MZ/PE file
-
Sets file execution options in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-