General
Target: 2aedfa0dfb06ef02b268ec62486e6f80
Size: 4.0MB
Sample: 231231-gpftyacgh8
MD5: 2aedfa0dfb06ef02b268ec62486e6f80
SHA1: 0e998e4a93dd1fd666aece318b77d9f1756d9c17
SHA256: bd175fda8c98a44237f8da7e02e48f6aaf00365bec2e7e38b7b42414bd888d95
SHA512: f5db800199bed799c593b779909364727824ed22076939e10fba0bd83b8dbecf772de34e9d7c9a083cbf734a52a8056b2c38817e52890bfae2f9a5e8dff1979f
SSDEEP: 98304:y8DDoeOv58eCbmQKYSA/tEcDtXH0QdCbu1Vq7qd9tknkPzg:y8Poe6G0YSAzJBdCbCVqGntknE8
Static task: static1
Behavioral task: behavioral1
  Sample: 2aedfa0dfb06ef02b268ec62486e6f80.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2aedfa0dfb06ef02b268ec62486e6f80.exe
  Resource: win10v2004-20231215-en
Malware Config
Extracted: nullmixer
  http://watira.xyz/
Extracted: redline
  pab3
  C2: 185.215.113.15:61506
Extracted: smokeloader
  pub5
Extracted: vidar
  40
  706
  C2 (dead drop on a legitimate service): https://lenak513.tumblr.com/
  profile_id: 706
Extracted: smokeloader (second config)
  2020
  C2: http://aucmoney.com/upload/
  C2: http://thegymmum.com/upload/
  C2: http://atvcampingtrips.com/upload/
  C2: http://kuapakualaman.com/upload/
  C2: http://renatazarazua.com/upload/
  C2: http://nasufmutlu.com/upload/
Extracted: cryptbot
  C2: knurxh28.top
  C2: moraku02.top
  payload_url: http://sargym03.top/download.php?file=lv.exe
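The config blocks above mix bare domains, an ip:port socket and full URLs, and one of them (the Vidar entry) points at a page on tumblr.com rather than attacker-owned infrastructure, so blocking its host would be wrong. The script below is an added example, not Triage's own code: it types and defangs every network indicator printed in the report and derives a host blocklist from them. The indicator values and family names are copied from the report; the LEGIT_HOSTS set is an assumption about which hosts must be blocked only at URL granularity.

```python
"""Normalise the extracted-config IOCs from the report above into typed,
defanged indicator records plus a host blocklist. Added example, not part of
the Triage report; indicator values and family names are the report's own,
LEGIT_HOSTS is an assumption."""
import ipaddress
import re
from urllib.parse import urlsplit

# Network indicators exactly as printed in the Malware Config section.
RAW_CONFIG = {
    "nullmixer": ["http://watira.xyz/"],
    "redline": ["185.215.113.15:61506"],
    "vidar": ["https://lenak513.tumblr.com/"],
    "smokeloader": [
        "http://aucmoney.com/upload/",
        "http://thegymmum.com/upload/",
        "http://atvcampingtrips.com/upload/",
        "http://kuapakualaman.com/upload/",
        "http://renatazarazua.com/upload/",
        "http://nasufmutlu.com/upload/",
    ],
    "cryptbot": [
        "knurxh28.top",
        "moraku02.top",
        "http://sargym03.top/download.php?file=lv.exe",
    ],
}

# Assumption: platforms where the config URL is a dead drop on a legitimate
# service. Block the exact URL there, never the whole domain.
LEGIT_HOSTS = {"tumblr.com"}

HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


def classify(value):
    """Return (kind, host, port, path) for one raw config string."""
    if "://" in value:
        u = urlsplit(value)
        path = u.path + ("?" + u.query if u.query else "")
        return "url", u.hostname, u.port, path
    m = HOST_PORT.match(value)
    if m:
        return "socket", m.group("host"), int(m.group("port")), ""
    try:
        ipaddress.ip_address(value)
        return "ip", value, None, ""
    except ValueError:
        return "domain", value, None, ""


def defang(value):
    """Make an indicator safe to paste into tickets and chat."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def on_legit_host(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_HOSTS)


def normalise(config):
    """Flatten a {family: [indicator, ...]} mapping into indicator records."""
    records = []
    for family, values in config.items():
        for raw in values:
            kind, host, port, path = classify(raw)
            records.append({
                "family": family,
                "kind": kind,
                "host": host,
                "port": port,
                "path": path,
                # Block scope: the whole host, or only this URL when the host
                # is a legitimate platform being abused as a dead drop.
                "block": "url" if kind == "url" and on_legit_host(host) else "host",
                "defanged": defang(raw),
            })
    return records


def host_blocklist(config):
    """Sorted, de-duplicated hosts that are safe to block outright."""
    return sorted({r["host"] for r in normalise(config) if r["block"] == "host"})


if __name__ == "__main__":
    for r in normalise(RAW_CONFIG):
        print(f"{r['family']:<12}{r['kind']:<8}{r['block']:<6}{r['defanged']}")
    print("host blocklist:", *host_blocklist(RAW_CONFIG), sep="\n  ")
```

The blocklist ends up with eleven hosts; the tumblr.com entry is kept as a URL-scoped indicator only, which is the distinction the "Legitimate hosting services abused" signature further down is warning about.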
Targets
Target: 2aedfa0dfb06ef02b268ec62486e6f80
Size: 4.0MB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the General section above (the report repeats them here).
Signatures
- CryptBot payload
- PrivateLoader: a downloader sold as a pay-per-install malware distribution service.
- RedLine: RedLine Stealer is a malware family written in C#, first seen in early 2020.
- RedLine payload
- SectopRAT payload
- Vidar Stealer
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2 (the lenak513.tumblr.com URL in the Vidar config above).
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Defense Evasion
  Modify Registry (T1112): 2
  Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
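Both registry-based techniques in the ATT&CK summary (the Run-key persistence behind "Adds Run key to start application", and the root-certificate install) leave Sysmon Event ID 13 records on an instrumented host. The detection below is an added example, not part of the Triage report or its signatures: it runs two rules over constructed EID 13 records in the flattened JSON shape a log shipper emits. The process paths, the SID and the certificate thumbprints in the sample log are made up for illustration, and the "images under C:\Windows\ are benign" exclusion is a tuning assumption, not a fact from the report.

```python
"""Detect the two registry behaviours the ATT&CK summary lists (Registry Run
Keys / Startup Folder, Install Root Certificate) in Sysmon Event ID 13 records.
Added example, not part of the Triage report; all log records below are
constructed and the C:\\Windows\\ image exclusion is an assumption."""
import json
import re

# Constructed Sysmon EID 13 (registry value set) records, one JSON object per
# line. None of these come from the sandbox run described above.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_host.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc_host", "Details": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_host.exe"}
{"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_host.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\0123456789ABCDEF0123456789ABCDEF01234567\\Blob", "Details": "Binary Data"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\FEDCBA9876543210FEDCBA9876543210FEDCBA98\\Blob", "Details": "Binary Data"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\Updater.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater", "Details": "\"C:\\Program Files\\Vendor\\Updater.exe\" /background"}
{"EventID": 12, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_host.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Details": ""}
"""

# T1547.001: a value written under the per-user or machine Run/RunOnce keys.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# T1553.004: a certificate blob written into the machine Root store.
ROOT_CERT = re.compile(r"\\SystemCertificates\\Root\\Certificates\\[0-9A-F]{40}\\Blob$", re.I)
# Locations a user-level dropper can write to; a Run value pointing here is far
# more suspicious than one pointing at an installed program.
USER_WRITABLE = re.compile(
    r"^\"?[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I)
# Tuning assumption: the OS itself maintains the cert stores from these images.
WINDOWS_IMAGE = re.compile(r"^[A-Z]:\\Windows\\", re.I)


def parse(log_text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def run_key_rule(ev):
    if ev["EventID"] != 13 or not RUN_KEY.search(ev["TargetObject"]):
        return None
    # The value data is the path that will autostart; fall back to the writer.
    target = ev["Details"] or ev["Image"]
    return "run_key_persistence_user_writable" if USER_WRITABLE.match(target) else None


def root_cert_rule(ev):
    if ev["EventID"] != 13 or not ROOT_CERT.search(ev["TargetObject"]):
        return None
    if WINDOWS_IMAGE.match(ev["Image"]):
        return None  # assumed benign store maintenance; tighten for your estate
    return "root_cert_install_by_non_system_image"


RULES = (run_key_rule, root_cert_rule)


def detect(log_text):
    """Return one alert dict per (record, rule) match."""
    alerts = []
    for ev in parse(log_text):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "image": ev["Image"], "target": ev["TargetObject"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['rule']}: {a['image']} -> {a['target']}")
```

Only the two records written by the Temp-resident executable fire: the Run value from Program Files is suppressed by the user-writable-path condition, the svchost.exe certificate write by the image exclusion, and the EID 12 key-create record is ignored because the rules key on value sets. Both exclusions are the knobs to revisit when tuning on real telemetry.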