General
- Target: 95801511bd4b789e9d1049b2a80b42b6.bin
- Size: 1.5MB
- Sample: 231031-cv3tfaga4s
- MD5: e109c0f4a414cb6928072f9eba84dd50
- SHA1: 526c4e5cf3bed4f6a0b2483ff370fe2125f7e77f
- SHA256: 0e2ad0074f07df1733b2cccb1561b06bfdb6058b110d6f4fef62f7fd85027748
- SHA512: dbb318b786451ec6f980b7b5fc4375093f1c1c4674c11dfd79119636470cae3cea8d5bbd696f75bc91fedb5ea0c19652fb4dc79a78d3bf46cadaefaa47a09993
- SSDEEP: 24576:Pt6IYgjA8CDt5n8FuYcA0TYqH16/b2ss8PLoSLkwbfxNcs1Ks7FL6o91T:PTYgjoDcuYB0TYqHWF3hfx1Ki6c1T
Static task: static1
Behavioral task: behavioral1
- Sample: 9189c4b11db82506971a688f82e85eb2e2f1e7578836bee0589aba9def1ffe3a.exe
- Resource: win10v2004-20231020-en
Malware Config
Extracted: smokeloader
  2022
  http://77.91.68.29/fks/
Extracted: redline
  grome
  77.91.124.86:19084
Extracted: amadey
  3.89
  http://77.91.124.1/theme/index.php
  - install_dir: fefffe8cea
  - install_file: explothe.exe
  - strings_key: 36a96139c1118a354edf72b1080d4b2f
Extracted: redline
  kinza
  77.91.124.86:19084
Extracted: redline
  @ytlogsbot
  194.169.175.235:42691
Extracted: smokeloader
  up3
Extracted: redline
  pixelnew
  194.49.94.11:80
Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Extracted: raccoon
  6a6a005b9aa778f606280c5fa24ae595
  http://195.123.218.98:80
  http://31.192.23
  - user_agent: SunShineMoonLight
Targets
- Target: 9189c4b11db82506971a688f82e85eb2e2f1e7578836bee0589aba9def1ffe3a.exe
- Size: 1.5MB
- MD5: 95801511bd4b789e9d1049b2a80b42b6
- SHA1: 40399cd8377a0dbe2982f49715042311561ae5bf
- SHA256: 9189c4b11db82506971a688f82e85eb2e2f1e7578836bee0589aba9def1ffe3a
- SHA512: ce8b32f1862382438636577c350752fe2d061b91b15adcc4ddf416ef8bd1d5a7561db5a8fb5051f69fa838319e36c4b57feac75413961ae4b3c63d71ad015316
- SSDEEP: 24576:zyQSrDO0MtPwpoU8gj7pkDC5aBlvUN/FA0WqmP4olgBLqXEtKA:GQSrDo4K9gjtkDrFfqhoylqo
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect ZGRat V1
- Glupteba payload
- Raccoon Stealer payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- Downloads MZ/PE file
- Modifies Windows Firewall
- Stops running service(s)
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
- Windows Service (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
- Windows Service (3)
- Scheduled Task/Job (1)