General
-
Target
17ee93b40d1746f9d99cf8521a2ab566.bin
-
Size
1.8MB
-
Sample
240514-bdrt6sdc67
-
MD5
37ebe519deea32b48f8cd5173c85dc6a
-
SHA1
ee5a0d827b9f69453c9927ba4f73199107338f75
-
SHA256
5a385c25beb70fc35b900bd712aeb9c5065004b5266ea6591c69c225e9bafae4
-
SHA512
39de6168bab3df75e7bdc7c1c512ed07c87b86d34e0933ee12ce7136aaac0065bf13b946cbbcc3f233889fc00dcdb7cb051e0c13000eb9e7bc96a72c1117663e
-
SSDEEP
49152:nC6nRluXTZuAN5BpPcR1flhcW4XE0ApY3+SRH7vw9qlA:DRluXlhN5Bpw2E0l+O72
Static task
static1
Malware Config
Extracted
amadey
4.20
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
redline
1
185.215.113.67:26260
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
-
Install_directory
%ProgramData%
-
install_file
taskmgr.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Targets
-
-
Target
49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe
-
Size
1.8MB
-
MD5
17ee93b40d1746f9d99cf8521a2ab566
-
SHA1
371e878e7c8ff19a0f8771aefef9aeb6e28c2b87
-
SHA256
49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468
-
SHA512
21f8f6cf4d58775e4498bb1bb86437c30494d633da800ef3427bce4d7e4877018752fb091eb4627ccb0d14bc9f45afd199c752fceb1f4202d2b9d94efc6d01a7
-
SSDEEP
49152:8sQSR2lQIeqdglI171gF3r4W9q9wx//0WRwcm0:H9CQIe6gKmbZ9ywpD
-
Detect Xworm Payload
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Creates new service(s)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2