General

  • Target

    6291da8d2b59a7c884c01166d9012fd2940229e45f277aedfdb2e54463ecdbce

  • Size

    1.6MB

  • Sample

    230627-p3x95sea98

  • MD5

    3781be98347bb3a124d9df725bb19fdd

  • SHA1

    08a7a9de6afa09f334992baeb0e2533a74aab6ff

  • SHA256

    6291da8d2b59a7c884c01166d9012fd2940229e45f277aedfdb2e54463ecdbce

  • SHA512

    6a7df2bef8ad1cbf1a7ee4c081efba87f7e3a8be786d946528a467bce71dbda7a82b1b5feb8beeda7793dcecfdfb64271881b2344ed6f711579d298a3988b875

  • SSDEEP

    24576:z7FUDowAyrTVE3U5F/ba3Kic6QL3E2vVsjECUAQT45deRV9Rkw:zBuZrEUK3KIy029s4C1eH9R

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

redline

Botnet

Z

C2

n57b30a.info:81

Attributes
  • auth_value

    907a217c291f74c1a111fc9371fe2803

Targets

    • Target

      Download Photoshop 2022 3 rar.exe

    • Size

      1.6MB

    • MD5

      04214b463a60f638c7256b5b05f555c1

    • SHA1

      390fad21fc6c45699b4fd58645b3dbcf80dc4861

    • SHA256

      202883bd890c502446baa000acc68f8a0c3d6c5c1e3073300607d77b4981617d

    • SHA512

      b37773854d1198f88d6f6072448ffc9a308d9ce983417b76ac072658786ba737ad96ad253fa91b17a1221235ff5339654e14a2d7a0a8b0513bf744f46c00cdda

    • SSDEEP

      24576:s7FUDowAyrTVE3U5F/ba3Kic6QL3E2vVsjECUAQT45deRV9Rkw:sBuZrEUK3KIy029s4C1eH9T

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks