General
Target: 37ae53ead74452038b0c77abd3302258.exe
Size: 5KB
Sample: 230819-mbcs1saf2y
MD5: 37ae53ead74452038b0c77abd3302258
SHA1: a94fcde275f0cc5a6257591681eff73949006d62
SHA256: ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360
SHA512: 5f43ab309aeda971eaad5beafc62d3a7170ba2c9e859f116d4e1242d0f42a22b0b69695d7e23b761b70d0cf2b122d775b7e3347de11a2ab7173f14cb8bdf053f
SSDEEP: 96:1EKnowbuz1quz1Sluz1nj3x/64PVDUtLvNv8ScpF/kVzNt:1HnoY0q0Sl0npVV2Lvh8JKv
Static task: static1
Behavioral task: behavioral1
  Sample: 37ae53ead74452038b0c77abd3302258.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 37ae53ead74452038b0c77abd3302258.exe
  Resource: win10v2004-20230703-en
Malware Config
Extracted: redline
  94.142.138.147:23000
  38.181.25.43:3325
  auth_value: ccff08893879012905ea16489b7e8ced
Extracted: lokibot
  http://194.55.224.9/fresh1/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
  http://2.59.254.19/fresh2/five/fre.php
Extracted: asyncrat
  Default
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%
Extracted: vidar
  5.2
  980843ac508a7fe8f556d42e4c5cfb54
  https://t.me/odyssey_tg
  https://steamcommunity.com/profiles/76561199541261200
  profile_id_v2: 980843ac508a7fe8f556d42e4c5cfb54
Extracted: vidar
  5.1
  6ba937c4f557f3e5e256c94548f72a29
  https://t.me/tatlimark
  https://steamcommunity.com/profiles/76561199536605936
  profile_id_v2: 6ba937c4f557f3e5e256c94548f72a29
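The Malware Config block above is a flat dump: each family starts at an "Extracted" line, C2 endpoints appear as bare lines, and named fields appear as a "-" marker followed by a key line and a value line. The Python below is an added example, not part of this report or of any sandbox vendor's tooling. It parses an inline, abbreviated copy of that dump (constructed from the values shown above) into per-family records and then reduces the C2 list to indicators that are actually routable. The rule that loopback and private addresses are unconfigured build defaults rather than live infrastructure (the asyncrat entry lists 127.0.0.1 on all three ports) is my assumption, as are the class and function names.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed, abbreviated copy of the report's "Malware Config" block.
# Layout: "Extracted" + family line, bare value lines, and "-" / key / value triples.
REPORT_CONFIG = """\
Extracted
redline
94.142.138.147:23000
38.181.25.43:3325
-
auth_value
ccff08893879012905ea16489b7e8ced
Extracted
lokibot
http://194.55.224.9/fresh1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
Extracted
vidar
5.2
980843ac508a7fe8f556d42e4c5cfb54
https://t.me/odyssey_tg
https://steamcommunity.com/profiles/76561199541261200
-
profile_id_v2
980843ac508a7fe8f556d42e4c5cfb54
"""

# host:port lines (IP or domain followed by a numeric port); URLs do not match
# because the character after "http" is ":" followed by "/", not a digit.
HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


@dataclass
class FamilyConfig:  # hypothetical name, chosen for this example
    family: str
    c2_hosts: list = field(default_factory=list)   # (host, port) pairs
    c2_urls: list = field(default_factory=list)    # full http(s) URLs
    fields: dict = field(default_factory=dict)     # named key/value pairs
    other: list = field(default_factory=list)      # unlabeled literals (mutex, version, id)


def parse_configs(text: str) -> list:
    """Split the flat dump into one FamilyConfig per 'Extracted' block."""
    configs = []
    lines = iter(text.splitlines())  # shared iterator so we can pull key/value lines
    current = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line == "Extracted":
            current = FamilyConfig(family=next(lines).strip())
            configs.append(current)
            continue
        if current is None:
            continue  # text before the first family block is ignored
        if line == "-":
            key = next(lines).strip()
            value = next(lines).strip()
            current.fields[key] = value
            continue
        m = HOST_PORT.match(line)
        if m:
            current.c2_hosts.append((m.group("host"), int(m.group("port"))))
        elif line.startswith(("http://", "https://")):
            current.c2_urls.append(line)
        else:
            current.other.append(line)
    return configs


def is_actionable_host(host: str) -> bool:
    """Assumption: loopback/private/reserved addresses are build defaults, not C2."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # not an IP literal, so a domain name; treat as routable


def actionable_iocs(configs: list) -> list:
    """Flatten to (family, kind, indicator) tuples, dropping non-routable endpoints."""
    out = []
    for cfg in configs:
        for host, port in cfg.c2_hosts:
            if is_actionable_host(host):
                out.append((cfg.family, "host", f"{host}:{port}"))
        for url in cfg.c2_urls:
            if is_actionable_host(urlparse(url).hostname or ""):
                out.append((cfg.family, "url", url))
    return out


if __name__ == "__main__":
    for fam, kind, ioc in actionable_iocs(parse_configs(REPORT_CONFIG)):
        print(f"{fam:<9} {kind:<5} {ioc}")
```

The asyncrat block drops out of the actionable list entirely, which is the right outcome: a config whose every C2 is 127.0.0.1 is the builder default and tells you only that the payload is an unconfigured AsyncRAT stub. The vidar entries survive the filter because t.me and steamcommunity.com resolve, but Vidar uses those profile pages as dead-drop resolvers from which it reads its real C2 address, so the profile paths are the indicator worth tracking; the hostnames themselves are not something most networks can block.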
Targets
Target: 37ae53ead74452038b0c77abd3302258.exe
Size: 5KB
MD5: 37ae53ead74452038b0c77abd3302258
SHA1: a94fcde275f0cc5a6257591681eff73949006d62
SHA256: ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360
SHA512: 5f43ab309aeda971eaad5beafc62d3a7170ba2c9e859f116d4e1242d0f42a22b0b69695d7e23b761b70d0cf2b122d775b7e3347de11a2ab7173f14cb8bdf053f
SSDEEP: 96:1EKnowbuz1quz1Sluz1nj3x/64PVDUtLvNv8ScpF/kVzNt:1HnoY0q0Sl0npVV2Lvh8JKv
- Detect Fabookie payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- StormKitty payload
- Async RAT payload
- Downloads MZ/PE file
- Modifies Windows Firewall
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)