General

  • Target: Doa Brbara 2008Drive1080pUptobox190190.zip
  • Size: 1.6MB
  • Sample: 230725-hw6jlsbh4s
  • MD5: 77dc52684257fa791c8d67b7b0a84aad
  • SHA1: b55892aca588231dbc4ae082314f6241cc3f988c
  • SHA256: dfcec7a7ec7a609e10bcd2cbbca6a8debd7dabe3b8cbe43795a7d3759b5da451
  • SHA512: 086da68d70f6d73522f0db3017671aa0a21e27276baf57037e8a5d18f6b61f66cff29f81323aed1ab1e16079df7c0c08e886497a338a1231528be6c33092048a
  • SSDEEP: 24576:z7FUDowAyrTVE3U5F/WUKic6QL3E2vVsjECUAQT45deRV9R5:zBuZrEUDKIy029s4C1eH9T

Malware Config

Extracted

  • Family: gcleaner
  • C2:
    45.12.253.56
    45.12.253.72
    45.12.253.98
    45.12.253.75

Extracted

  • Family: redline
  • Botnet: 0307
  • C2: n57b30a.info:81
  • Attributes
    • auth_value: 390c6775aa14de995353715489c650e9

Targets

    • Target: Doa Brbara 2008Drive1080pUptobox190190.exe
    • Size: 1.6MB
    • MD5: 059f2f11ef4f997874b3af2e3f0198fa
    • SHA1: 134e20c6b659b91aa366dc55dd3f3c08b95f244c
    • SHA256: 5681dda7d6e2ff50cd99458efd8841c43bccdd31a96fab3dc589f2554fc751a7
    • SHA512: 3cede24e9f95beb0ac689d4997dae7e4c6c8ccc1345def4a1d2e21e247d1fcfb52d1443365e0e378e0b48339e765309ccf464102400fa4741b495e3c491899ee
    • SSDEEP: 24576:s7FUDowAyrTVE3U5F/WUKic6QL3E2vVsjECUAQT45deRV9RV:sBuZrEUDKIy029s4C1eH9H

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender notification settings

    • Modifies security service

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Sets file execution options in registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect software protector.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified version of it.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15