General
-
Target
v2_file_x86x64.rar
-
Size
10.0MB
-
Sample
240420-r7jzesbe41
-
MD5
f55d4e6678451a6f75bdb83d3b1336c7
-
SHA1
9d3ca8fb3a661342812add29c2d7caf53eab9fe6
-
SHA256
486ca0c7b2c67e899d74392deb9bd609d41b185b0364b7c161f8d2d042a31786
-
SHA512
fb11cf3365bcd40f9ff8ea41d02fa163be3b00d83478e172db8896341bcef17ea3a32782d23044a1bbc4882e7ab28ff2b6954dcc3ec7029ce715157e247028be
-
SSDEEP
196608:YnoSG07h96IWydRfrmpbaKF7hiDY5D0/7qCrDaBKGtWM2IBFMSUv6YBe:CZhdsIWydhGHiDBO0+B86FJ3
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20240221-en
Malware Config
Extracted
stealc
http://185.172.128.23
-
url_path
/f993692117a3fda2.php
Extracted
vidar
https://steamcommunity.com/profiles/76561199673019888
https://t.me/irfail
-
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.50:33080
Targets
-
-
Target
setup.exe
-
Size
759.0MB
-
MD5
a3a3e8990cefc370fc3c3db21603f21e
-
SHA1
43363d10f946a9dba9b4f004bc961bd3991029e5
-
SHA256
239c9656f60b14ee7ab89da649d1411c8d1fa2d5fa1d687e61e5680674ff279b
-
SHA512
d543fb6072c3e25e6a67a6a7a904cb9f9ce1c48774fadc09f8e1c147c1467a5ef73f6b1b81850bb0a28a3653834c31c8acb1be88543f467a1e6f32dffd9c3e9e
-
SSDEEP
98304:u5mpCa1OHSR+XHb3Poj+eKiW6ytGwWXW:GWCamxbw6/iCww
-
Detect Vidar Stealer
-
Detect ZGRat V1
-
Glupteba payload
-
Modifies firewall policy service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Defense Evasion
Modify Registry
2Virtualization/Sandbox Evasion
1Impair Defenses
1Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1