General
-
Target
13e413a4568a990323ad30a9c343690f9feca6c0dc6b85d677afeda24f4845be
-
Size
728KB
-
Sample
230923-3mzpxsah5v
-
MD5
1e8ae88342c77da04e9a8b2abc09ae51
-
SHA1
75f54d3db5a71c725673f3ad04b9291bcb49cb35
-
SHA256
13e413a4568a990323ad30a9c343690f9feca6c0dc6b85d677afeda24f4845be
-
SHA512
0de53aabe1c239e94580964dcee574290f02e9bb8a2067b6fb8f298f84764fe2b38989bf50ec21b15c0803a400ced95a456fee2560c4aaa188869e14ed5b2594
-
SSDEEP
12288:MMrEy90mSrj3+8M2uyvJR5AUIu1dwCMyTkuRrs4JdhEFOj1BGgtXtsvd:AyEboSJJP1bMKy4Jdnj1Ad
Static task
static1
Behavioral task
behavioral1
Sample
13e413a4568a990323ad30a9c343690f9feca6c0dc6b85d677afeda24f4845be.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
redline
nanya
77.91.124.82:19071
-
auth_value
640aa5afe54f566d8795f0dc723f8b52
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
fabookie
http://app.nnnaajjjgc.com/check/safe
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
13e413a4568a990323ad30a9c343690f9feca6c0dc6b85d677afeda24f4845be
-
Size
728KB
-
MD5
1e8ae88342c77da04e9a8b2abc09ae51
-
SHA1
75f54d3db5a71c725673f3ad04b9291bcb49cb35
-
SHA256
13e413a4568a990323ad30a9c343690f9feca6c0dc6b85d677afeda24f4845be
-
SHA512
0de53aabe1c239e94580964dcee574290f02e9bb8a2067b6fb8f298f84764fe2b38989bf50ec21b15c0803a400ced95a456fee2560c4aaa188869e14ed5b2594
-
SSDEEP
12288:MMrEy90mSrj3+8M2uyvJR5AUIu1dwCMyTkuRrs4JdhEFOj1BGgtXtsvd:AyEboSJJP1bMKy4Jdnj1Ad
-
Detect Fabookie payload
-
Detect rhadamanthys stealer shellcode
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-