General
-
Target
1d10996b1670366c4454753d2622609b30e5d51ecaeea48617aa4e21ef89ec19
-
Size
1.2MB
-
Sample
231114-jckngahf22
-
MD5
1e3e899ff797e437376dca18ceb2561f
-
SHA1
d25de0a1e12d2b2ae94ea9a51969ef7842b2bce8
-
SHA256
1d10996b1670366c4454753d2622609b30e5d51ecaeea48617aa4e21ef89ec19
-
SHA512
2112690b4a7c4e9db11fdc930314acbeca0966935bb0ea92566dafb1a4c67ef166cb6284ed611bde5e7cd9209f4456ea3683bd56d0d8d4ff6971e141e384d442
-
SSDEEP
24576:Vyv+phvLiBpOw5gYnUMyQ9xWDZX/mI6VaqaTvUAC7DCLN+2:wv+pVgOqUMlzWDZX/mBcvUAC7WN
Static task
static1
Behavioral task
behavioral1
Sample
1d10996b1670366c4454753d2622609b30e5d51ecaeea48617aa4e21ef89ec19.exe
Resource
win10v2004-20231025-en
Malware Config
Extracted
redline
taiga
5.42.92.51:19057
Extracted
smokeloader
2022
http://5.42.92.190/fks/index.php
Extracted
redline
pixelfresh
194.49.94.11:80
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
raccoon
c78f27a0d43f29dbd112dbd9e387406b
http://31.192.237.23:80/
http://193.233.132.12:80/
-
user_agent
SunShineMoonLight
Targets
-
-
Target
1d10996b1670366c4454753d2622609b30e5d51ecaeea48617aa4e21ef89ec19
-
Size
1.2MB
-
MD5
1e3e899ff797e437376dca18ceb2561f
-
SHA1
d25de0a1e12d2b2ae94ea9a51969ef7842b2bce8
-
SHA256
1d10996b1670366c4454753d2622609b30e5d51ecaeea48617aa4e21ef89ec19
-
SHA512
2112690b4a7c4e9db11fdc930314acbeca0966935bb0ea92566dafb1a4c67ef166cb6284ed611bde5e7cd9209f4456ea3683bd56d0d8d4ff6971e141e384d442
-
SSDEEP
24576:Vyv+phvLiBpOw5gYnUMyQ9xWDZX/mI6VaqaTvUAC7DCLN+2:wv+pVgOqUMlzWDZX/mBcvUAC7WN
-
Detect Mystic stealer payload
-
Glupteba payload
-
Raccoon Stealer payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1