General

Target: SpyHunter-5.15-6-5285-Installer.exe
Size: 6.8MB
Sample: 230827-g4ev7ahg6z
MD5: 07386184c9f3ab2b533c73c854398805
SHA1: ed43d9745c5f8f91cf90003647ca983d7e0b037e
SHA256: 87996cc12b3919fb370a67e45b037e0b75f1de66df8afcca060f0ac8e3464910
SHA512: c4c6caf978e93161c71e1b5391d210210fe35e640ea4bacc1dd3ecc812c71ad0b06fd2d45a2155a35f84803d17114e909b95df18407a9959167d07c7667afad6
SSDEEP: 98304:S5lVuh2IHJm4PO1FFGlapRGR+Tj9GsYz40ng7ifP8roXtRCvrUEr7MkHkcZCDbhd:SPI1kt5TAWifPXtwUEX8D9H9
Static task: static1

Malware Config

Extracted: redline
nrava
77.91.124.82:19071
auth_value: 43fe50e9ee6afb85588e03ac9676e2f7

Extracted: aurora
217.195.155.154:8081
Targets

Target: SpyHunter-5.15-6-5285-Installer.exe
Size: 6.8MB
MD5: 07386184c9f3ab2b533c73c854398805
SHA1: ed43d9745c5f8f91cf90003647ca983d7e0b037e
SHA256: 87996cc12b3919fb370a67e45b037e0b75f1de66df8afcca060f0ac8e3464910
SHA512: c4c6caf978e93161c71e1b5391d210210fe35e640ea4bacc1dd3ecc812c71ad0b06fd2d45a2155a35f84803d17114e909b95df18407a9959167d07c7667afad6
SSDEEP: 98304:S5lVuh2IHJm4PO1FFGlapRGR+Tj9GsYz40ng7ifP8roXtRCvrUEr7MkHkcZCDbhd:SPI1kt5TAWifPXtwUEX8D9H9

- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect Fabookie payload
- Detects Healer an antivirus disabler dropper
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Creates new service(s)
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)

Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)

Defense Evasion
- Modify Registry (5)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)