General
-
Target
oneetx.exe
-
Size
198KB
-
Sample
230702-ajgeysbc4z
-
MD5
a64a886a695ed5fb9273e73241fec2f7
-
SHA1
363244ca05027c5beb938562df5b525a2428b405
-
SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
-
SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
SSDEEP
3072:lWgR9+o+G2K47yLk6E9EzwHxFTTDYUSNt2kLu5gf7or7wy+wXRcWfnPjt:lWu+5a4ukZSwH/TT2NE4u5gTovv
Behavioral task
behavioral1
Sample
oneetx.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
oneetx.exe
Resource
win10v2004-20230621-en
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
280623_rc_11
rcn.tuktuk.ug:11285
-
auth_value
7dbd026b7e6c26ab5e41958efd6a2a6e
Targets
-
-
Target
oneetx.exe
-
Size
198KB
-
MD5
a64a886a695ed5fb9273e73241fec2f7
-
SHA1
363244ca05027c5beb938562df5b525a2428b405
-
SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
-
SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
SSDEEP
3072:lWgR9+o+G2K47yLk6E9EzwHxFTTDYUSNt2kLu5gf7or7wy+wXRcWfnPjt:lWu+5a4ukZSwH/TT2NE4u5gTovv
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2Impair Defenses
2Install Root Certificate
1Modify Registry
4