General
-
Target
money generator.dat
-
Size
5KB
-
Sample
230604-x7lqxaea5x
-
MD5
8c72631836822bafd97a2bd198261322
-
SHA1
2f0975e53ce034637d83b3d8df4a30fd5db29c50
-
SHA256
be44bee1f8fe8f7a4aa42fc8e0c9e8ab37bd4e0a724a5e0d1f817c6cbf5f8745
-
SHA512
12240570eed4948d967dcec1dae5261c3a450a1b3c45b4f8df90c4a6499865d8f6e4df47f573abfb28e30495a00aa55de3e3b87b1193f527cc25ce958004c6c4
-
SSDEEP
96:BEumoTbuz1Kuz1yluz15dnX1GqDUtLv8e7cpRuw5bzNt:BvmoP0K0yl05J1Gq2Lv8ecRD9
Static task
static1
Behavioral task
behavioral1
Sample
money generator.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
money generator.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1
Extracted
https://www.drgenov.com/wp-content/uploads/debug2.ps1
Extracted
https://slpbridge.com/storage/images/debug2.ps1
Extracted
redline
diza
83.97.73.126:19046
-
auth_value
0d09b419c8bc967f91c68be4a17e92ee
Extracted
lokibot
Extracted
warzonerat
103.212.81.157:11011
Extracted
redline
1
185.215.113.37:31712
-
auth_value
1aa402727eb24d99bfd960d3d786f55d
Extracted
remcos
RemoteHost
pekonomia.duckdns.org:30861
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-B0VP4N
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
snakekeylogger
https://api.telegram.org/bot6184780923:AAHbCGrBU_2zg9A-73yTyKKCMGf1tkzUFbM/sendMessage?chat_id=759814203
Targets
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Snake Keylogger payload
-
StormKitty payload
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
XMRig Miner payload
-
Async RAT payload
-
Warzone RAT payload
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service (2)
Registry Run Keys / Startup Folder (1)
Scheduled Task (1)
Defense Evasion
Modify Registry (3)
Disabling Security Tools (2)
Impair Defenses (1)
Scripting (1)