General

  • Target

    time.exe

  • Size

    11KB

  • Sample

    240110-gy6rqabcd8

  • MD5

    d2e9696ec235cec72512dec6e9ce5935

  • SHA1

    dccd11c272d2fa2e700e7b8b51fa6a9a89f9f3ea

  • SHA256

    0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455

  • SHA512

    573cdf5ac0ebacb05b5043c062d237c7ddf202816b04b3938ab3059f0bb5ef9979c17d04ff869cf86646a87b8df0e40f8d2f4955ba13165c8adbfc1d8b2f138a

  • SSDEEP

    192:gzlJOMaLAN+QHzdV4z1ULU87glpK/b26J46667nh5:6lJOM3+qzqULU870gJEM

Malware Config

Extracted

Family

redline

Botnet

2024

C2

195.20.16.103:20440

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Targets

    • Target

      time.exe

    • Size

      11KB

    • MD5

      d2e9696ec235cec72512dec6e9ce5935

    • SHA1

      dccd11c272d2fa2e700e7b8b51fa6a9a89f9f3ea

    • SHA256

      0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455

    • SHA512

      573cdf5ac0ebacb05b5043c062d237c7ddf202816b04b3938ab3059f0bb5ef9979c17d04ff869cf86646a87b8df0e40f8d2f4955ba13165c8adbfc1d8b2f138a

    • SSDEEP

      192:gzlJOMaLAN+QHzdV4z1ULU87glpK/b26J46667nh5:6lJOM3+qzqULU870gJEM

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Detect ZGRat V1

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Tasks