General

  • Target

    Hide My IP 7.1.371 Multilingual Premium VPN + Key.exe

  • Size

    14.8MB

  • Sample

    230723-svwccsfb6y

  • MD5

    606fe5a9bff02693a4d4f5249f7ce569

  • SHA1

    9fe3896263ce795178c632b4d2a00a16f02837d0

  • SHA256

    48fd982c48494efc15346b6868da0a646612173011287b776e0b825dc5d4d5b9

  • SHA512

    f5d07084671622f1f0078bb1c4abb75524431c10322e10446ac340c6150a0393972bc94c6783dfaa69135b098632a1c1f87b96e75a880aaf43844130bee508b9

  • SSDEEP

    393216:0APQ+1OwHq1APQ+1OLHq8APQ+1OLHqmo91:hPMITPMjMPMj+

Malware Config

  • Extracted

    Family: gcleaner

    C2:
      45.12.253.56
      45.12.253.72
      45.12.253.98
      45.12.253.75

  • Extracted

    Family: redline

    Botnet: 0307

    C2: n57b30a.info:81

    Attributes:
      auth_value: 390c6775aa14de995353715489c650e9

Targets

    • Target

      Hide My IP 7.1.371 Multilingual Premium VPN + Key.exe

    • Size

      14.8MB

    • MD5

      606fe5a9bff02693a4d4f5249f7ce569

    • SHA1

      9fe3896263ce795178c632b4d2a00a16f02837d0

    • SHA256

      48fd982c48494efc15346b6868da0a646612173011287b776e0b825dc5d4d5b9

    • SHA512

      f5d07084671622f1f0078bb1c4abb75524431c10322e10446ac340c6150a0393972bc94c6783dfaa69135b098632a1c1f87b96e75a880aaf43844130bee508b9

    • SSDEEP

      393216:0APQ+1OwHq1APQ+1OLHq8APQ+1OLHqmo91:hPMITPMjMPMj+

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks