General
-
Target
wallexe.exe
-
Size
4.2MB
-
Sample
230701-j71m6shd3z
-
MD5
ea191512e6ed56aa661ecb2deed1623e
-
SHA1
a2198ccd7d00ab727618ca2368f9f8c54b01c5d3
-
SHA256
2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7
-
SHA512
7658e27038f60aa13df49bf48ac90a13cf77ef7e88e16453964b44e1cf9669ad3d06884692288a67a1dd3ffee89ce35e55750227e913bd3193dcc666f8bb8419
-
SSDEEP
98304:sHejdaMKBnK2t4x+GwYIb4jYfCmAcZmPcxkk9cRj5MQL:sHGdaTBnK2tHG2UMdWGLcRWE
Static task
static1
Behavioral task
behavioral1
Sample
wallexe.exe
Resource
win7-20230621-en
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
redline
280623_rc_11
rcn.tuktuk.ug:11285
-
auth_value
7dbd026b7e6c26ab5e41958efd6a2a6e
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
wallexe.exe
-
Size
4.2MB
-
MD5
ea191512e6ed56aa661ecb2deed1623e
-
SHA1
a2198ccd7d00ab727618ca2368f9f8c54b01c5d3
-
SHA256
2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7
-
SHA512
7658e27038f60aa13df49bf48ac90a13cf77ef7e88e16453964b44e1cf9669ad3d06884692288a67a1dd3ffee89ce35e55750227e913bd3193dcc666f8bb8419
-
SSDEEP
98304:sHejdaMKBnK2t4x+GwYIb4jYfCmAcZmPcxkk9cRj5MQL:sHGdaTBnK2tHG2UMdWGLcRWE
-
Detect Fabookie payload
-
Glupteba payload
-
Modifies security service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2Impair Defenses
2Install Root Certificate
1Modify Registry
5Web Service
1