General
-
Target
trigger.ps1
-
Size
1KB
-
Sample
240421-k82gjafg39
-
MD5
5fcdb4fa7e61d78e29e4d4bf133e2598
-
SHA1
af4d61908d471434a549e5cf6c9a103238775ac6
-
SHA256
d61fbda08affd7e9a483379765926df19fddadf3f713074d3bf677c3c070b9bf
-
SHA512
be2f0eaccff181c0820b7933b6b0115b102d5e978de6f3a2c16228ff4b502940d1796719f2fdb89b410e569a2fbfd3ae00a935c7e525d8fabb53eb4f1a4147da
Static task
static1
Malware Config
Extracted
redline
185.215.113.69:15544
-
auth_value
7160e72130b45fa8b8cd6c8031261220
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Targets
-
-
Target
trigger.ps1
-
Size
1KB
-
MD5
5fcdb4fa7e61d78e29e4d4bf133e2598
-
SHA1
af4d61908d471434a549e5cf6c9a103238775ac6
-
SHA256
d61fbda08affd7e9a483379765926df19fddadf3f713074d3bf677c3c070b9bf
-
SHA512
be2f0eaccff181c0820b7933b6b0115b102d5e978de6f3a2c16228ff4b502940d1796719f2fdb89b410e569a2fbfd3ae00a935c7e525d8fabb53eb4f1a4147da
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-