Resubmissions

17/07/2024, 09:50

240717-lty9asyclc 3

10/04/2024, 23:28

240410-3fzfkseb99 10

General

  • Target

    Exitlag Cracked 16.1v.rar

  • Size

    4.2MB

  • Sample

    240410-3fzfkseb99

  • MD5

    451806c60f6f0c52cbb49026d4e14d89

  • SHA1

    8463cb0297d3e3b9bd28713d1ed75ef4d78b887a

  • SHA256

    090f2f668799ba806d6e5ec31bf7ff1fd39b7260f129f4d6a944decae0f04df9

  • SHA512

    e59a94c974f32d2e275d97add0a1eac8fdf794db008f0ecd69835ff120afd93e446852849e30f1bf598c57305891cf7d536b645e91dccd01c07dfe2679465cff

  • SSDEEP

    49152:uMKPSGs1uhQvK+8UU2JyWIpeHWf/j6fVThnaYvWG/W7FWmOEa4u2Q/L16JyFH7QE:JAsli2UpcWf/jcs3FVQh603pUrAeA

Malware Config

Extracted

Family

redline

Botnet

@Ebursteamss

C2

45.15.156.167:80

Targets

    • Target

      Exitlag Cracked 16.1v.rar

    • Size

      4.2MB

    • MD5

      451806c60f6f0c52cbb49026d4e14d89

    • SHA1

      8463cb0297d3e3b9bd28713d1ed75ef4d78b887a

    • SHA256

      090f2f668799ba806d6e5ec31bf7ff1fd39b7260f129f4d6a944decae0f04df9

    • SHA512

      e59a94c974f32d2e275d97add0a1eac8fdf794db008f0ecd69835ff120afd93e446852849e30f1bf598c57305891cf7d536b645e91dccd01c07dfe2679465cff

    • SSDEEP

      49152:uMKPSGs1uhQvK+8UU2JyWIpeHWf/j6fVThnaYvWG/W7FWmOEa4u2Q/L16JyFH7QE:JAsli2UpcWf/jcs3FVQh603pUrAeA

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • XMRig Miner payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks