General
-
Target
12dc82a693eb598eb3aa521ffe54dc77.bin
-
Size
3.9MB
-
Sample
230626-bdawnafd68
-
MD5
8ca0a189d5ee54533ca29fe6ee8a50d5
-
SHA1
b728083c60830f98deefd3bed307ab5320a9e5a3
-
SHA256
307c3e20e65556cfe4c2c0e0864a6b71fe0bb56cf8c3e1fc26890cf849925705
-
SHA512
c9550fa42b5a501a1c30ce9b13cb3bd02170d455c219fd0db5fb64f7bc27045348c72e2e10cb5d488396c6c62df36f5bbd0aa7730c5c096bdc518f1c6bcb2ff8
-
SSDEEP
98304:0M7D+OFUg0qT2h57pxMKPx6FOimQzHbeyGpNFtU4s5xWyBrhKGW0r:h+HZR5XMKPgOimQzHDsNbmtf9r
Static task
static1
Behavioral task
behavioral1
Sample
7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe
Resource
win7-20230621-en
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
240623_rcn_11
rcn.tuktuk.ug:11285
-
auth_value
c3b2a1ea22f94130d13c3d3e2ab4dedf
Targets
-
-
Target
7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe
-
Size
4.3MB
-
MD5
12dc82a693eb598eb3aa521ffe54dc77
-
SHA1
f572e6ab69a35c374e8f8fba29f1b2d56972c9b2
-
SHA256
7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad
-
SHA512
b893c111eea7dd9ac358f8a664e9d28edb97e467e94b035412d7e3bf03ac27d8ac3d9fc4a89fc60a0481ae01a5e26f13956b0d43288e8f899784be87db87dda2
-
SSDEEP
98304:pZ8hpFxCj6kwJqphl6hBpNjPb2TX2LWMBL/m:pZCC5pP6h5TyD2LWMBT
-
Detect Fabookie payload
-
Glupteba payload
-
Modifies security service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
5Disabling Security Tools
2Impair Defenses
2Install Root Certificate
1