General
- Target: QQ bypass.rar
- Size: 2.0MB
- Sample: 240708-mnes5svdml
- MD5: 84f8fe2f72d94e391517635f268c8c48
- SHA1: e27d4433baf22b629f627d93f72d19849d8c2274
- SHA256: 21a05abfea96761494af4e62be2f6dd68b6a7abb36f8fb679799a4d654194873
- SHA512: 60c9f378e5ca931b826f4eef3bca15b021459cfebd97aa6be3ae7608c34bd2ebcf9249435064a239ef7c58500f77617b1b892ad36dcc287da7a8166e7081331f
- SSDEEP: 49152:gZtsSc2SPxtiMhN0G6Y/9Vr9FFBSFjFZBHHimZgIh0rk+9X8:i+B2S5suN0TYJzBSFj5HCmZgp9X8
Static task: static1
Behavioral task: behavioral1
- Sample: QQ bypass/QQ bypass.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: QQ bypass/QQ bypass.exe
- Resource: win10v2004-20240704-en
Malware Config
Extracted
- Family: redline
- Botnet: Sabad0n
- C2: 77.73.129.75:1912
Targets
- Target: QQ bypass/QQ bypass.exe
- Size: 3.6MB
- MD5: 7d4449cae104d4dc966bc74df0b2ba2e
- SHA1: 6e3076c9cf82a04ef39523aab3b1cb1e6103f9a9
- SHA256: 7bd293ae422b09cc8e4052f5cd74a9295f04566eeb756c576507ce8716f4c5d8
- SHA512: 46f8a2842ac0501717b7d5da92713211c09723672a3c8d354e4fd9616fec38c3440c9075413560ead85be16c3c8a4ccb81efc188ddf2069fbb3a3c0a56fc240f
- SSDEEP: 49152:cBVtv6o+8O3KHnGNzcDodTX9j/ohWkkjYIBkzY:WPioqh9jyWkkjPX
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)