General

  • Target

    Evon.zip

  • Size

    459KB

  • Sample

    240521-sjyy4sab4s

  • MD5

    6a41a30b4b63f81ae5e93e51d1f1c045

  • SHA1

    101d1b15eab07166428392c8980a157f1968b018

  • SHA256

    15c60b9188ef2cc9228ea576732f3b60eac10ca6e39f8a39956bad5722176650

  • SHA512

    4d10c2fd0a97bb498d4999c10061bf04e1348d14c914a648e2a4d178168c0a3a675e07f085a6c304e2a11b81d1e04a9994389bdee34118c917311d01a7986446

  • SSDEEP

    12288:iLSTkqudsU0Yz3jBL75xwc4XscIFl4zA6fzvBLskwRe:WSYquuKjRdxwr81FlQxfDxskV

Targets

    • Target

      Evon.zip

    • Size

      459KB

    • MD5

      6a41a30b4b63f81ae5e93e51d1f1c045

    • SHA1

      101d1b15eab07166428392c8980a157f1968b018

    • SHA256

      15c60b9188ef2cc9228ea576732f3b60eac10ca6e39f8a39956bad5722176650

    • SHA512

      4d10c2fd0a97bb498d4999c10061bf04e1348d14c914a648e2a4d178168c0a3a675e07f085a6c304e2a11b81d1e04a9994389bdee34118c917311d01a7986446

    • SSDEEP

      12288:iLSTkqudsU0Yz3jBL75xwc4XscIFl4zA6fzvBLskwRe:WSYquuKjRdxwr81FlQxfDxskV

    • Score

      1/10

    • Target

      Launcher.bat

    • Size

      539B

    • MD5

      162d9e9294fb1ca66b2ef0808c37b3d0

    • SHA1

      c4c12026021484ae35ab529d2be4263435762a4b

    • SHA256

      6c4077874e378e3b7ff05dbe2063f0c7018f98bee429a4f4b2f8ffc7ff793d4b

    • SHA512

      f467ddf08d99ec1495f32a4eef8a43b3080d976e56ce569264b38e160e6e9655b44d84d1cb5a3ebcb223a802f9b914a28dee7bc51abce48c836f4a4abbb2da88

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      log

    • Size

      155KB

    • MD5

      ee48ea1bb05ba311a404f4ceb4dc260b

    • SHA1

      de40066072c928a1850298944fb561b3122476bd

    • SHA256

      6b60e51d5969097d58f1538d8af62e2c01196fb13b1cfef0413032b1c0bf799c

    • SHA512

      8d0e6b9f700a198e294ae6c20e92033581c4cc1340d2a17eb0e388fe205b79217478c15abeaef00173c3de07155aa5208f64c27b9ceaa0887147ac4ac16fcbc4

    • SSDEEP

      3072:aK7jsid/HtwyCBT2nPOT/DGvPo0KOHQ09ibJVwmJ6KvoK:HB6MbK10AMmJ6BK

    • Score

      1/10

    • Target

      lua51.dll

    • Size

      592KB

    • MD5

      3dff7448b43fcfb4dc65e0040b0ffb88

    • SHA1

      583cdab08519d99f49234965ffd07688ccf52c56

    • SHA256

      ff976f6e965e3793e278fa9bf5e80b9b226a0b3932b9da764bffc8e41e6cdb60

    • SHA512

      cdcbe0ec9ddd6b605161e3c30ce3de721f1333fce85985e88928086b1578435dc67373c3dc3492ed8eae0d63987cac633aa4099b205989dcbb91cbbfc8f6a394

    • SSDEEP

      12288:rs7/mj/73RaLHIW5BmUeUhoE4RgiF1q1bPIBKsg4Db0S:rc/u/7IoRnUKfq1Dl4DY

    • Score

      3/10

    • Target

      luajit.exe

    • Size

      89KB

    • MD5

      f9897435f1b4edc09a6ad72f77599124

    • SHA1

      162e440573e3b360e563e15dbf09a647dedb779d

    • SHA256

      ae478debf2a6ec13d48276b1a6b6fea362feb412f8b995611b28dd2e9be24078

    • SHA512

      56eb149c143521a3af8c44f52d3d14d885c030206a0de774fc895f6028d869f7d2f87c9b5bec5e13dd2ed3435c5872c40047ff0aae54c5a732a38408003ab72b

    • SSDEEP

      1536:Ee7h7q/J6K3nHC+AGUob2f0DBFPbPWNPWp350NHcHkDsWqxcd2ZPSAv:Ee7oU8HC+AGUu2abPbPWQpO8E0A2tSAv

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v13)

    Tactic                 Technique                            Count   ID
    Execution              Command and Scripting Interpreter    1       T1059
    Execution              PowerShell                           1       T1059.001
    Execution              Scheduled Task/Job                   1       T1053
    Persistence            Scheduled Task/Job                   1       T1053
    Privilege Escalation   Scheduled Task/Job                   1       T1053
    Credential Access      Unsecured Credentials                2       T1552
    Credential Access      Credentials In Files                 2       T1552.001
    Discovery              Query Registry                       1       T1012
    Collection             Data from Local System               2       T1005
