General
- Target: iw4IH37.exe
- Size: 1.9MB
- Sample: 240205-gxmx8accf4
- MD5: 9417bd4c800b5f9d85d5eb312080a1d2
- SHA1: dabb62a98b4a212acb6780c375138b8c542e021d
- SHA256: 01f55232dd6cee5dbba384652b141d31d543a52e61dc68370e96ec02876ecc03
- SHA512: f76695081650ae22b16c137ff2a9f0428666fe14135c28faa79f4ec83b6248b20ba1139cd3c58becd86fe9246b2f39d9f8074b72ac0af944027fcd082f7b5718
- SSDEEP: 49152:tsUCXADuQi0+skHjQ7HCmhaVh7rU+zaDGT4wydhnvl:SvOuQi4ImimhaVlU+zcGfadl
Static task
- static1

Behavioral task
- behavioral1
  - Sample: iw4IH37.exe
  - Resource: win7-20231215-en

Behavioral task
- behavioral2
  - Sample: iw4IH37.exe
  - Resource: win10v2004-20231215-en
Malware Config
- Extracted: risepro
  - C2: 194.49.94.152
- Extracted: redline
  - Botnet: horda
  - C2: 194.49.94.152:19053
- Extracted: smokeloader
  - Version: 2022
  - C2: http://194.49.94.210/fks/index.php
Targets
- Target: iw4IH37.exe
  - Size: 1.9MB
  - MD5: 9417bd4c800b5f9d85d5eb312080a1d2
  - SHA1: dabb62a98b4a212acb6780c375138b8c542e021d
  - SHA256: 01f55232dd6cee5dbba384652b141d31d543a52e61dc68370e96ec02876ecc03
  - SHA512: f76695081650ae22b16c137ff2a9f0428666fe14135c28faa79f4ec83b6248b20ba1139cd3c58becd86fe9246b2f39d9f8074b72ac0af944027fcd082f7b5718
  - SSDEEP: 49152:tsUCXADuQi0+skHjQ7HCmhaVh7rU+zaDGT4wydhnvl:SvOuQi4ImimhaVlU+zcGfadl
Signatures
- DcRat: DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)