General

Target: bbfbd5e6e412c19d29e66e14e66d2ac17826d8e440c8a5e23ac1f168647d6710
Size: 1.4MB
Sample: 230824-x77y5sfb63
MD5: 51080909d5bb4a64407981b1e8fba2cd
SHA1: 6f6f98908bb6d8354fce7ecfb9fb8d2d9ab719e2
SHA256: bbfbd5e6e412c19d29e66e14e66d2ac17826d8e440c8a5e23ac1f168647d6710
SHA512: 821b11ac1a322e22145f2b706452a76a759917a9b864eb8895565d3e7087c5fc5df0c3e0a77f89b962ee8c6b07a5d982d3808260c836ff50f96439c6fbb67d83
SSDEEP: 24576:HyluJf+4TobbfshQa6tXwpB0tq+37aaRqo1Y23WOhFqVhs8dX2sx0p:SlgDkbbfsUtgr0I+LJ0oP1hFwrdXR6
Static task: static1
Behavioral task: behavioral1
Sample: bbfbd5e6e412c19d29e66e14e66d2ac17826d8e440c8a5e23ac1f168647d6710.exe
Resource: win10v2004-20230703-en
Malware Config

Extracted: amadey
  Version: 3.87
  C2: 77.91.68.18/nice/index.php
  C2: 193.233.255.9/nasa/index.php

Extracted: redline
  Botnet: gven
  C2: 77.91.124.73:19071
  auth_value: 908340353d6d12e92e29e32af0803d3f

Extracted: redline
  C2: 5.75.144.229:80
  auth_value: 9be6c1360ed66f1d94d2f8db4e9bfe4c

Extracted: amadey
  Version: 3.83
  C2: 5.42.65.80/8bmeVwqx/index.php

Extracted: smokeloader
  Botnet: up3
Targets

Target: bbfbd5e6e412c19d29e66e14e66d2ac17826d8e440c8a5e23ac1f168647d6710
Signatures:
- Detect Fabookie payload
- Detects Healer, an antivirus-disabler dropper
- Glupteba payload
- RedLine (RedLine Stealer is a malware family written in C#, first appearing in early 2020.)
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
- Stops running service(s)
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence:
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)

Privilege Escalation:
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)