General
-
Target
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5
-
Size
1.8MB
-
Sample
240422-fy4fxsgd2t
-
MD5
733fce8af4aa232cb80b7d61fa272764
-
SHA1
1bcc5b6309f5ff21b3e7d69a26d65ab318d2e760
-
SHA256
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5
-
SHA512
8d4384aa54bce3ab173fc9b2f8146e08499c2be3520b41a5a24cdc4fbc15f37ffae6287bc4e32337a5a617942c3d70f46e70d4400718c2097e3ec8ff0db728be
-
SSDEEP
49152:4MtlcinxPGTqYeF1mj5OkN8Si74S82w0WR34Hm6VeWN:4MM38NUYw0aVA
Static task
static1
Behavioral task
behavioral1
Sample
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5.exe
Resource
win10-20240404-en
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
amadey
4.12
http://185.172.128.19
-
install_dir
cd1f156d67
-
install_file
Utsysc.exe
-
strings_key
0dd3e5ee91b367c60c9e575983554b30
-
url_paths
/ghsdh39s/index.php
Extracted
redline
LiveTraffic
4.184.225.183:30592
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
Targets
-
-
Target
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5
-
Size
1.8MB
-
MD5
733fce8af4aa232cb80b7d61fa272764
-
SHA1
1bcc5b6309f5ff21b3e7d69a26d65ab318d2e760
-
SHA256
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5
-
SHA512
8d4384aa54bce3ab173fc9b2f8146e08499c2be3520b41a5a24cdc4fbc15f37ffae6287bc4e32337a5a617942c3d70f46e70d4400718c2097e3ec8ff0db728be
-
SSDEEP
49152:4MtlcinxPGTqYeF1mj5OkN8Si74S82w0WR34Hm6VeWN:4MM38NUYw0aVA
-
Detect ZGRat V1
-
Glupteba payload
-
Modifies firewall policy service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1