Overview
overview
10Static
static
3072894a720...70.exe
windows10-2004-x64
10075e0048e6...e5.exe
windows10-2004-x64
10131b78a330...7b.exe
windows10-2004-x64
1056b0ed98e3...54.exe
windows10-2004-x64
10807255749f...62.exe
windows7-x64
10807255749f...62.exe
windows10-2004-x64
108a8433aeba...ed.exe
windows10-2004-x64
108cae2c42df...9a.exe
windows7-x64
108cae2c42df...9a.exe
windows10-2004-x64
10d730c48963...34.exe
windows10-2004-x64
10e98954290c...65.exe
windows10-2004-x64
10General
-
Target
5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830
-
Size
5.3MB
-
Sample
240522-w7kyyacb4s
-
MD5
1396e9bf5ea34d8e976dcb161addc42c
-
SHA1
93860d570b718d94f053b32c65945f7176d48380
-
SHA256
5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830
-
SHA512
9e9cc252947474c5990f494136fd064c498fc240cfeea497d77f185edc6cad661a942a185d66bd7d2c563fd7c68894e2ecb01ce1584f7a538ee39b5baa8dc418
-
SSDEEP
98304:qlVMU2nmBPcY3/gzLs4f4Nmt1vsvMcOPBkkPskH0LNdTYVaSW2zR:jUrEoozLR4Nmt1EdOPBPsXLNkFR
Static task
static1
Behavioral task
behavioral1
Sample
072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe
Resource
win7-20240221-en
Behavioral task
behavioral9
Sample
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Extracted
amadey
3.87
59b440
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
amadey
3.89
fb0fb8
http://77.91.68.52
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
-
url_paths
/mac/index.php
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
149.202.0.242:31728
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Targets
-
-
Target
072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70
-
Size
662KB
-
MD5
c66902f6e9a67c0b03be8ee68a49e552
-
SHA1
c7a090905d3218b36a5b88fef0e175cb3f0560fc
-
SHA256
072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70
-
SHA512
01be3aeb2981f8f97eedb0a919408ba83be2e4a425a47fa222bc4d46b629ee8c85967d655577816888fb58c6b8b748ff2f3692ec49713f3d0d52f7f2d19ae241
-
SSDEEP
12288:eMrGy90N4+eOGiq9xY9vsJpsBstw6QQrpqUx3N/+Rub/lb0GVLchc:kyFpuKgBI/rp3n/1Jchc
-
Detects Healer an antivirus disabler dropper
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5
-
Size
234KB
-
MD5
7dafcde60491fa34e526c8eaafac0f01
-
SHA1
d0c0ff3f2e2b66559d99dc660540f0a8dd83cc67
-
SHA256
075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5
-
SHA512
75fed00edb3d5811cf0b70b07c789f59be7aad30579779dfa70376b82268b0e52d599792b741c954c97c8d8d10100d5cee7c3835d2250023b9060c329090d14c
-
SSDEEP
6144:KUy+bnr+5c3pxeXjyqu+Oeu+Oeu+OeuJZp5JZp5JZp5JZp5QgwAQgwAQgwAQSp0J:IMrWc3pxeXjyqu+Oeu+Oeu+OeuJZp5JO
-
Detects Healer an antivirus disabler dropper
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b
-
Size
1.1MB
-
MD5
5647ef3ba33c2200403333d17e434856
-
SHA1
f695d37246239fd692e7fb044ca2a02ffaa104d9
-
SHA256
131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b
-
SHA512
d85b3bf66e482e08901d56f28472bd1f75fbcd4b70b27fa0582c234d71f186518fdb57b7a9bff7ae660c8d52f6eb763a696d96a384c9562a706390c5b6c55bda
-
SSDEEP
24576:3yIXRcd8lQUqMEcXP8iO7Eff2+uySHr/cZb8/T3TB5:CIhcdSQt0fc+2LUZb43t
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254
-
Size
646KB
-
MD5
f6b5bede9b07bfce7ac3d693d5494761
-
SHA1
7433b82c21237a1a65994a7ae0843d5ee891ae92
-
SHA256
56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254
-
SHA512
485a0e0c14a0fdddf9936fbb65f5202989c20f707194bc2cd0af96a08ccc173f65089805aa1287dcdb9389f968f769b91b760f9c6bee379ea8b7822badb544c2
-
SSDEEP
12288:7Mruy90A+LXj+ipMEl92UTVK40hxLqrNuB5sZ75Ar+P9L:Vyy6ml92Ug4SGrNuBOZ72r+L
-
Detect Mystic stealer payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62
-
Size
377KB
-
MD5
92c261fc96a068ae2a2835ee27a16f1e
-
SHA1
75e4e65827acaa4e0faa3f42632a53e011bbbd09
-
SHA256
807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62
-
SHA512
6a1a360b8719a31d2f83ef4dfee0abae102b55ff67284b65f061fb5afddca17d8e9307d5c240f50127ebc5483d230bfb2d4bd364b2d8fddc5b3c67dd27d5ada9
-
SSDEEP
6144:rB8vGHJfjmufItYYFrIPU88CcRAO6O82BldTjqPQo0y:rB8v8jmufI+YMgJZBlda0y
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of SetThreadContext
-
-
-
Target
8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed
-
Size
319KB
-
MD5
9ffe17af29c1d6b4a7c753348624c0a7
-
SHA1
e252ed955d1edfbc89afc53a0453b9af16b6fd4a
-
SHA256
8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed
-
SHA512
9dc8415111c176ba626eef704c4e3a4f3e2acceb46f529b359d811a6f0da154d1dd650493f0da812c38758ee5cb954ad3a88441e1bec0a5c987a5d3ebd9095ea
-
SSDEEP
6144:K8y+bnr+yp0yN90QEFrKEP3ve7yRfsK6KRFjEXtaBv7yZez3x81WO6:UMrGy90LKU/e7RK6KRdEXYp7YezB8kl
-
Detect Mystic stealer payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a
-
Size
254KB
-
MD5
6c76dfb25714e5941d70f7a275e75e5d
-
SHA1
5ed48c3c57d1abeece0b35d7bb85a6bf71ab385b
-
SHA256
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a
-
SHA512
2aff7b21be560dcfeeafc9f7ed1ab0a1e10ebc2a0363a656e880d05e0c7f20030a8d44926ad72f395632ecd8bf441fe71538c81e7520d73bacf85017ab0f0d97
-
SSDEEP
3072:gHvq+7xq+eNvu2U1GA0B+t+ieyOR/VCY0rJ25o3BcJTcVVeosbVFlb9eAg0FujDL:gTD2Lr/V90d2WxjV/hAOIKVg/oPGCV
Score10/10-
Suspicious use of SetThreadContext
-
-
-
Target
d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34
-
Size
805KB
-
MD5
7aeb09bb57206fc4c34cdceccc7ab340
-
SHA1
270c694409562e116dcdd44c5ce63b2a4f8bdccb
-
SHA256
d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34
-
SHA512
bd548655a57783f2c34ba4c11bc595112840266de1d68f939e888b399a3329cce74d604de6bc0f9efd47c292d5804d76307c520aede442378893c4828ee3d619
-
SSDEEP
12288:qMrsy903vnIAAzzFM8VzjAJNRK47lnoj8eI4BOx4aBFrx9OX2EkDWWSMEidlk:SyyPIdzzW8psxLxno49N9CGpitb
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365
-
Size
1.6MB
-
MD5
8730beb5e0481f045236541cbf84b0a6
-
SHA1
8e44b7bd8462feb51c116ab72cf6bb460f2c5ee4
-
SHA256
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365
-
SHA512
2da9d6a2bec2b33332ae4c0a5739cc5fd19a4c2f011bb28f3c69eed8ca654336c570526ffc7b2530637577dce49e98a54f3512069212acd0dd16a323242c8b40
-
SSDEEP
24576:GyWdCALxR5STmSCSGz9FUkJ4RNGAWei3u7A2Lj2zPYTf8tAjbg:VWdCAfISSq7TAQIA2Lj2jKIA
-
Detect Mystic stealer payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1