General

Target: 84056f0ddc342942d07c8a50214f2ab493e74adea8c9ce125de4d7ee35bc6efe.exe
Size: 3.0MB
Sample: 240423-bxrnhsba9z
MD5: d0189cdd22cfaa374b55017aa04d9399
SHA1: 6661f132b1e119f5c93357b0320651ea88fcda18
SHA256: 84056f0ddc342942d07c8a50214f2ab493e74adea8c9ce125de4d7ee35bc6efe
SHA512: 9a8149a0f7d6b33df3a92976a892da3638a02e35ebb6494bd7aaf01638a619a14325fec5667a2fb164a89f7eaf6a9c47fe8f687d7b70cc8903ccbb13f07f4f81
SSDEEP: 49152:zBS0q9ZcpcbbCMg4OywrgnoS2pnMEbmwk3XqT1S5I/iziNl1andabnpddVE:NGOaTU2AdZIq1SiiaEdabnpddVE
Static task: static1

Behavioral task: behavioral1
Sample: 84056f0ddc342942d07c8a50214f2ab493e74adea8c9ce125de4d7ee35bc6efe.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 84056f0ddc342942d07c8a50214f2ab493e74adea8c9ce125de4d7ee35bc6efe.exe
Resource: win10v2004-20240412-en
Malware Config

Extracted family: redline
C2: 37.220.87.13:48790
auth_value: ad9ddedcc84f0f07f1c53ae5fd0df093
Targets

Target: 84056f0ddc342942d07c8a50214f2ab493e74adea8c9ce125de4d7ee35bc6efe.exe
- DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019 that can load additional plugins.
- Detect ZGRat V1
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first seen in early 2020.
- RedLine payload
- Detects executables packed with SmartAssembly
- Disables Task Manager via registry modification
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)