General
Target: ab31ce3d8435d9d31eb80309924c56a9.exe
Size: 792KB
Sample: 240203-wlvw1shebr
MD5: ab31ce3d8435d9d31eb80309924c56a9
SHA1: 60f1f567faffa6a38fa482ea4483255827ec06d5
SHA256: d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b
SHA512: e5feeb7fd610879e680be3b97c7c108521c81aa910e350f2e11172f8136f7df43ec0ca44d3353b25cf7c370a3445909f9d74a12249a75b85547ebc7fcfb658af
SSDEEP: 12288:2BghBmftb1V6Lnmo7YNQN2YcKify3iHPuXBY7CHW6+gjfOoNb9up:2Bscftb+LnvwQgsiK3zXBon9iZNA

Static task: static1
Behavioral task: behavioral1
  Sample: ab31ce3d8435d9d31eb80309924c56a9.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ab31ce3d8435d9d31eb80309924c56a9.exe
  Resource: win10v2004-20231215-en
Malware Config
Extracted: amadey
  Version: 4.15
  C2: http://185.215.113.68
  install_dir: d887ceb89d
  install_file: explorhe.exe
  strings_key: 7cadc181267fafff9df8503e730d60e1
  url_paths: /theme/index.php
Extracted: risepro
  C2: 193.233.132.62:50500
Extracted: redline
  Botnet: @PixelsCloud
  C2: 94.156.67.230:13781
Extracted: amadey
  C2: http://185.215.113.68
  strings_key: 7cadc181267fafff9df8503e730d60e1
  url_paths: /theme/index.php
Extracted: redline
  Botnet: LiveTrafic
  C2: 20.79.30.95:33223
Extracted: amadey
  Version: 4.17
  C2: http://193.233.132.167
  install_dir: 4d0ab15804
  install_file: chrosha.exe
  strings_key: 1a9519d7b465e1f4880fa09a6162d768
  url_paths: /enigma/index.php
Extracted: redline
  Botnet: @oni912
  C2: 45.15.156.209:40481
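The extracted configs give three kinds of indicator: an HTTP C2 plus url_paths for Amadey, bare ip:port endpoints for RedLine and RisePro, and an install_dir/install_file pair for the Amadey drops. The Python below is an added example (my own code, not from the sandbox report or from any of these families' tooling) that indexes those values and matches them against constructed flow records and file paths. Hosts, ports, URL paths, directory and file names are transcribed from the report; the flow-record format, the assumption that the Amadey drop lands under the user's %TEMP% directory, and every sample line are made up for the illustration.

```python
import re
from urllib.parse import urlsplit

# Extracted configs, transcribed from the report above (one dict per "Extracted" block).
CONFIGS = [
    {"family": "amadey", "version": "4.15", "c2": "http://185.215.113.68",
     "url_paths": ["/theme/index.php"], "install_dir": "d887ceb89d", "install_file": "explorhe.exe"},
    {"family": "risepro", "c2": "193.233.132.62:50500"},
    {"family": "redline", "botnet": "@PixelsCloud", "c2": "94.156.67.230:13781"},
    {"family": "amadey", "c2": "http://185.215.113.68", "url_paths": ["/theme/index.php"]},
    {"family": "redline", "botnet": "LiveTrafic", "c2": "20.79.30.95:33223"},
    {"family": "amadey", "version": "4.17", "c2": "http://193.233.132.167",
     "url_paths": ["/enigma/index.php"], "install_dir": "4d0ab15804", "install_file": "chrosha.exe"},
    {"family": "redline", "botnet": "@oni912", "c2": "45.15.156.209:40481"},
]

def build_iocs(configs):
    """Index the configs as (host, port) -> family, (host, url_path) -> family
    and (install_dir, install_file) -> family."""
    tcp, http, drops = {}, {}, {}
    for c in configs:
        c2 = c["c2"]
        if "://" in c2:                       # Amadey: HTTP C2 plus url_paths
            u = urlsplit(c2)
            port = u.port or (443 if u.scheme == "https" else 80)
            tcp[(u.hostname, port)] = c["family"]
            for path in c.get("url_paths", []):
                http[(u.hostname, path)] = c["family"]
        else:                                 # RedLine / RisePro: bare ip:port
            host, port = c2.rsplit(":", 1)
            tcp[(host, int(port))] = c["family"]
        if "install_dir" in c:
            drops[(c["install_dir"].lower(), c["install_file"].lower())] = c["family"]
    return tcp, http, drops

# Constructed flow records: "<ts> <src>:<sport> -> <dst>:<dport> <proto|METHOD> [path]"
SAMPLE_FLOWS = """\
2024-02-03T10:00:01Z 10.0.0.5:49212 -> 185.215.113.68:80 POST /theme/index.php
2024-02-03T10:00:02Z 10.0.0.5:49213 -> 185.215.113.68:80 GET /index.html
2024-02-03T10:00:05Z 10.0.0.5:49230 -> 193.233.132.62:50500 tcp
2024-02-03T10:00:07Z 10.0.0.5:49231 -> 94.156.67.230:13781 tcp
2024-02-03T10:00:09Z 10.0.0.5:49232 -> 8.8.8.8:53 udp
2024-02-03T10:00:11Z 10.0.0.5:49233 -> 20.79.30.95:443 tcp
""".splitlines()

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)(?: (\S+))?$")

def match_flows(lines, tcp, http):
    """Return (family, confidence, reason, line) for each flow that touches a C2.
    Exact endpoint or URL hits are high confidence; a known C2 host seen on
    another port is reported as low confidence instead of being dropped."""
    hosts = {host: fam for (host, _), fam in tcp.items()}
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        _ts, _src, _sport, dst, dport, _proto, path = m.groups()
        dport = int(dport)
        if (dst, path) in http:
            hits.append((http[(dst, path)], "high", f"C2 URL {dst}{path}", line))
        elif (dst, dport) in tcp:
            hits.append((tcp[(dst, dport)], "high", f"C2 endpoint {dst}:{dport}", line))
        elif dst in hosts:
            hits.append((hosts[dst], "low", f"C2 host {dst} on port {dport}", line))
    return hits

# Constructed file-create paths. Assumption: Amadey drops <install_dir>\<install_file>
# under the user's %TEMP%; the match only looks at the last two path components.
SAMPLE_FILE_EVENTS = [
    r"C:\Users\alice\AppData\Local\Temp\d887ceb89d\explorhe.exe",
    r"C:\Users\alice\AppData\Local\Temp\4d0ab15804\chrosha.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\alice\AppData\Local\Temp\d887ceb89d\readme.txt",
]

def match_drop_paths(paths, drops):
    """Return (family, path) for paths ending in a known install_dir/install_file pair."""
    hits = []
    for p in paths:
        parts = re.split(r"[\\/]", p)
        key = (parts[-2].lower(), parts[-1].lower()) if len(parts) >= 2 else None
        if key in drops:
            hits.append((drops[key], p))
    return hits

if __name__ == "__main__":
    tcp, http, drops = build_iocs(CONFIGS)
    for fam, conf, reason, _line in match_flows(SAMPLE_FLOWS, tcp, http):
        print(f"{conf:4} {fam:8} {reason}")
    for fam, path in match_drop_paths(SAMPLE_FILE_EVENTS, drops):
        print(f"drop {fam:8} {path}")
```

Two caveats when turning this into production detections: a url_path such as /theme/index.php is far too generic to match on its own, so it is always paired with the C2 host here; and strings_key is the key the extractor used to decode the sample's embedded strings, which is useful for clustering builds but is not a network or host indicator.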
Targets
Target: ab31ce3d8435d9d31eb80309924c56a9.exe
Signatures
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner payload
- Creates new service(s)
- Downloads MZ/PE file
- Modifies Installed Components in the registry
- Stops running service(s)
- .NET Reactor protector: Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Modifies file permissions
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThread with ThreadHideFromDebugger (anti-debugging)
- Suspicious use of SetThreadContext (commonly seen in process injection and hollowing)
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
  Scheduled Task/Job (1)
Defense Evasion
  Virtualization/Sandbox Evasion (2)
  Modify Registry (2)
  Impair Defenses (1)
  File and Directory Permissions Modification (1)