General
- Target: 1ee04769dbc6bd6c1d9bb696c846840a
- Size: 1.0MB
- Sample: 231230-2ppr3agfh4
- MD5: 1ee04769dbc6bd6c1d9bb696c846840a
- SHA1: ddb700fccdbc70c2decc3d89e046a7ea23ee47b5
- SHA256: b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
- SHA512: 882622d528028fb9b572ca27d898df41cc29582b1e2e689ba74491d5e43291bb00acd49e079302237f7be5f54d392d784c1228d736e7de8a08d805d65b75fda0
- SSDEEP: 12288:qMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9/V5wsu/QRoJabsuCbacj:qnsJ39LyjbJkQFMhmC+6GD9feUr8
Static task: static1
Behavioral task: behavioral1
- Sample: 1ee04769dbc6bd6c1d9bb696c846840a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 1ee04769dbc6bd6c1d9bb696c846840a.exe
- Resource: win10v2004-20231215-en
Malware Config
Extracted: redline
- 65.21.62.31:49227
Extracted: quasar
- 1.3.0.0
- Office04
- shadhk.duckdns.org:4782
- QSR_MUTEX_Z7EZg2hUinW3ScKhMN
- encryption_key: DDAkOSo4mnzxgCHp9low
- install_name: svchost.exe
- log_directory: SysWOW82
- reconnect_delay: 5000
- startup_key: SysWOW64
- subdirectory: Startup
Targets
- Target: 1ee04769dbc6bd6c1d9bb696c846840a
- Size: 1.0MB
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)