General
-
Target
6893b02790bcdf6147f8c7f3dc244326d726b74e08bdb5d873e517773795524c
-
Size
1.8MB
-
Sample
240401-2c6j2shd67
-
MD5
ae5155e6115555727338febe0d615422
-
SHA1
94079f0ee2737e96d6fda05e316a2bb2ff457e18
-
SHA256
6893b02790bcdf6147f8c7f3dc244326d726b74e08bdb5d873e517773795524c
-
SHA512
73629eb962c3227015815e55ac14055a1834110f8823db91452138f654a0686887b8f31c6b8e47669a5f5ff043f722b782b7b90257f1fab4fc541a0318b01db3
-
SSDEEP
24576:qSBH1asok+2t8hj5TU8P4+680nalN3Ya2FKsJ5HSlnuyBh4MNaTiX0sbpkOsz0oe:H8sok0hj5TU8Q7XfHQuyr4MMT80P
Static task
static1
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
Jok123
185.215.113.67:26260
Extracted
redline
LiveTraffic
4.185.137.132:1632
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Targets
-
-
Target
6893b02790bcdf6147f8c7f3dc244326d726b74e08bdb5d873e517773795524c
-
Size
1.8MB
-
MD5
ae5155e6115555727338febe0d615422
-
SHA1
94079f0ee2737e96d6fda05e316a2bb2ff457e18
-
SHA256
6893b02790bcdf6147f8c7f3dc244326d726b74e08bdb5d873e517773795524c
-
SHA512
73629eb962c3227015815e55ac14055a1834110f8823db91452138f654a0686887b8f31c6b8e47669a5f5ff043f722b782b7b90257f1fab4fc541a0318b01db3
-
SSDEEP
24576:qSBH1asok+2t8hj5TU8P4+680nalN3Ya2FKsJ5HSlnuyBh4MNaTiX0sbpkOsz0oe:H8sok0hj5TU8Q7XfHQuyr4MMT80P
-
Detect ZGRat V1
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-