General
-
Target
1a8911253a58c87f88292cf3345d292838ef8eab.rl
-
Size
1.8MB
-
Sample
240226-sca9gagh43
-
MD5
ae958708e0be8f0c0911e450cf71dc52
-
SHA1
1a8911253a58c87f88292cf3345d292838ef8eab
-
SHA256
4b44ce9da2d83d7fbd6238e6350ab35ec8a49b7a286c5270a299aaf41a5568dd
-
SHA512
1a9fa2d8e17b767ec9e706f9f648d792e323fb5dbd526c6e3a00e5bab92794aeaf65c9f31a3cdf92389115f8fa08fcede5589f41e9bc2b4472ced5cecc520df3
-
SSDEEP
24576:CNl8jdsS/zt0irzPPos/NdV17PW59ZN2mh4LIndj2wUtVzC2K/jODet4FZj5u5Fi:DjeS7t0goK17O55h4LwKwEK/jl2ovyf
Static task
static1
Behavioral task
behavioral1
Sample
1a8911253a58c87f88292cf3345d292838ef8eab.exe
Resource
win7-20240215-en
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
@oni912
45.15.156.209:40481
Extracted
amadey
4.17
http://185.215.113.32
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
gcleaner
185.172.128.90
5.42.64.3
5.42.65.115
Extracted
lumma
https://triangleseasonbenchwj.shop/api
https://gemcreedarticulateod.shop/api
https://secretionsuitcasenioise.shop/api
https://claimconcessionrebe.shop/api
https://liabilityarrangemenyit.shop/api
Targets
-
-
Target
1a8911253a58c87f88292cf3345d292838ef8eab.rl
-
Size
1.8MB
-
MD5
ae958708e0be8f0c0911e450cf71dc52
-
SHA1
1a8911253a58c87f88292cf3345d292838ef8eab
-
SHA256
4b44ce9da2d83d7fbd6238e6350ab35ec8a49b7a286c5270a299aaf41a5568dd
-
SHA512
1a9fa2d8e17b767ec9e706f9f648d792e323fb5dbd526c6e3a00e5bab92794aeaf65c9f31a3cdf92389115f8fa08fcede5589f41e9bc2b4472ced5cecc520df3
-
SSDEEP
24576:CNl8jdsS/zt0irzPPos/NdV17PW59ZN2mh4LIndj2wUtVzC2K/jODet4FZj5u5Fi:DjeS7t0goK17O55h4LwKwEK/jl2ovyf
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Detect binaries embedding considerable number of MFA browser extension IDs.
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables Discord URL observed in first stage droppers
-
Detects executables containing URLs to raw contents of a Github gist
-
Detects executables containing artifacts associated with disabling Widnows Defender
-
Detects executables packed with unregistered version of .NET Reactor
-
Detects executables referencing many varying, potentially fake Windows User-Agents
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
UPX dump on OEP (original entry point)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1