Resubmissions
15-04-2024 19:48
240415-yjb28sgh2y 1015-04-2024 19:06
240415-xsd3hsdf75 715-04-2024 19:02
240415-xpws6afh4x 1015-04-2024 18:45
240415-xecmjadd57 1015-04-2024 18:42
240415-xcbbpaff61 1015-04-2024 18:39
240415-xaqctsff5v 1015-04-2024 18:35
240415-w8gb5sff3w 1015-04-2024 18:27
240415-w315csfe2x 1015-04-2024 18:23
240415-w1w3mafd5t 715-04-2024 18:10
240415-wsg9hach35 7General
-
Target
archive-150424-06_04_17.rar
-
Size
3.4MB
-
Sample
240415-xpws6afh4x
-
MD5
d0789073c6342c5778ac61debb57ea10
-
SHA1
e444b28b30b72ef696d1bf2822bd7b98f034cff6
-
SHA256
298882eef447afb08c134245d29d689feb30431a4c8595da619f2038f6d8b615
-
SHA512
b17a0a71e3e6cfd543c154567af888b7028005d89d50defddac5c09d36786c3887474f1d1355f055068a86bd1594acd876dc4c00087e9a0fde20d2fd7556ddda
-
SSDEEP
98304:1ID9NQfNUp9P4QAIwMCSeLbSkdr7Jw1KXXsgg5PXTdSQ:qsN/m/CS417J5HlKdH
Behavioral task
behavioral1
Sample
archive-150424-06_04_17.rar
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
hash.bin
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
setup.exe
Resource
win10-20240404-en
Malware Config
Extracted
vidar
https://steamcommunity.com/profiles/76561199673019888
https://t.me/irfail
https://t.me/de17fs
https://steamcommunity.com/profiles/76561199667616374
-
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted
risepro
193.233.132.253:50500
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.50:33080
Extracted
gcleaner
185.172.128.90
5.42.65.64
-
url_path
/advdlc.php
Extracted
lumma
https://greetclassifytalk.shop/api
https://entitlementappwo.shop/api
https://economicscreateojsu.shop/api
https://pushjellysingeywus.shop/api
https://absentconvicsjawun.shop/api
https://suitcaseacanehalk.shop/api
https://bordersoarmanusjuw.shop/api
https://mealplayerpreceodsju.shop/api
https://wifeplasterbakewis.shop/api
Targets
-
-
Target
archive-150424-06_04_17.rar
-
Size
3.4MB
-
MD5
d0789073c6342c5778ac61debb57ea10
-
SHA1
e444b28b30b72ef696d1bf2822bd7b98f034cff6
-
SHA256
298882eef447afb08c134245d29d689feb30431a4c8595da619f2038f6d8b615
-
SHA512
b17a0a71e3e6cfd543c154567af888b7028005d89d50defddac5c09d36786c3887474f1d1355f055068a86bd1594acd876dc4c00087e9a0fde20d2fd7556ddda
-
SSDEEP
98304:1ID9NQfNUp9P4QAIwMCSeLbSkdr7Jw1KXXsgg5PXTdSQ:qsN/m/CS417J5HlKdH
Score3/10 -
-
-
Target
hash.bin
-
Size
171KB
-
MD5
0bedec1e0e6bafddd2c73b3c985bf489
-
SHA1
02e07ff6415046e366943d273dc1e921a69e92f3
-
SHA256
771a893e114d405bcabff6d2624c4e16a9c173ba532c65990a30716146845d83
-
SHA512
520d7962e9f45f5eff6dac25986a24120601b620586bc279055cac1a01673af8a1f296d2974ef4fcc5f6518f3af2fe416f7cacd1e1405fb3b1c70a7d69ab670c
-
SSDEEP
3072:2S0o3Mdva34ru3iUFdwJ2Lzcbpx8dAMuj60G8rV71iRvXwkYFF0k4/fwQcp9HJT:27oc9Y9T2JlAKzjZ/VKPYb8fwpJT
Score3/10 -
-
-
Target
setup.exe
-
Size
700.0MB
-
MD5
6d23d8dee5299700881a3e484eef8a9c
-
SHA1
43b0c7e5bea63447ef78225d76fb47c6b29a4381
-
SHA256
9383433f5dd673392f5dc01b0a8e84e063bf182cdb46fa49000a0b890f448240
-
SHA512
c98754f41c3f094dc4d39f486c9ac0b6f91977258ba1a347c0914c00e47bf995398a5c4572a8ea5d529a28c12a71b6bfb09869bd9187416e31978440b33a4e87
-
SSDEEP
49152:GnjzX9RG5mnTDunfqNMP9Pyz6DMPCMTbzdZEmqyXVSY+wfdH1rFuzi56M/cH1oYI:OD9cSfX69PvQP1vFqyXHvsnM/PbQi
-
Detect Vidar Stealer
-
Detect ZGRat V1
-
Modifies firewall policy service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Defense Evasion
Modify Registry
2Virtualization/Sandbox Evasion
1Impair Defenses
2Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1