General
-
Target
3327cc6fb53096ad4d5cb9c64020823eebb56549fd8285f244e4d8e5bd478ef0.zip
-
Size
1.3MB
-
Sample
231124-s3meescc82
-
MD5
55d3b98e77224ba0978f0610ccee9902
-
SHA1
3fbb21ac388ad656ebe3835459dd1539b0250179
-
SHA256
ef5e3e47cc55641ba06e246d014163cfa560eb5b87c45109935c1c2c37fb7c8e
-
SHA512
4be2d8fec875b5c1f93fc6a8fb5881396d8b1252c5f69e900ed443082fee30a20ffc7a5c65a0e268990309a9346502f3ace167f7e79938254884411f67461536
-
SSDEEP
24576:k9PJDw9rvbVnJ6fQoxNGCTbDeOktBZEE5B4PYQyJZyw9fp0+NAFKeC4yUvMULq8+:k9+9rvRnJ6QoxN7veZtjn5BgYQyCwD00
Static task
static1
Behavioral task
behavioral1
Sample
3327cc6fb53096ad4d5cb9c64020823eebb56549fd8285f244e4d8e5bd478ef0.exe
Resource
win10v2004-20231023-en
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Extracted
smokeloader
2022
http://194.49.94.210/fks/index.php
Extracted
redline
@ytlogsbot
194.169.175.235:42691
Extracted
amadey
4.12
http://brodoyouevenlift.co.za
-
install_dir
ce3eb8f6b2
-
install_file
Utsysc.exe
-
strings_key
c5b804d7b4c8a99f5afb89e5203cf3ba
-
url_paths
/g9sdjScV2/index.php
/vdhe8ejs3/index.php
Targets
-
-
Target
3327cc6fb53096ad4d5cb9c64020823eebb56549fd8285f244e4d8e5bd478ef0.exe
-
Size
1.4MB
-
MD5
3c3dcd9577aa14984b2727cf9b4abd23
-
SHA1
63cda7e96fd1c59efd0b35f8c7baef9b61026004
-
SHA256
3327cc6fb53096ad4d5cb9c64020823eebb56549fd8285f244e4d8e5bd478ef0
-
SHA512
1f974189e4d5cadca0f29f7fcb8e02fa5a1abdf0e36bc7d950d4fa39289b88578d01f9677a1a272b66b285ad380bb763cb599880c092bddb287727410fa626f6
-
SSDEEP
24576:Zy8ml94AOkdt2T6uMbgSmNjhT14LV6Huamocy6xynKZRa38/Yv9OPYc:M8m3Tt1bgSWB1MV+SocLoKe3EYvAP
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1