Resubmissions

22-07-2024 06:49

240722-hltgastenn 1

20-07-2024 22:09

240720-12vcmsxfkc 10

20-07-2024 22:06

240720-1z7j7ayhmq 3

20-07-2024 22:05

240720-1zhaasyhln 3

20-07-2024 22:03

240720-1ygmdaygrp 3

20-07-2024 21:59

240720-1wg55aygml 3

General

  • Target

    WF34g534ve3.rar

  • Size

    11.6MB

  • Sample

    240720-12vcmsxfkc

  • MD5

    5b6538d718824f82eea1680ff478d910

  • SHA1

    c0687c2e372768d09e3343a839c65ffdd9ae8ecf

  • SHA256

    1f23c8f3a32d58689391b37c0ea1dd12ec73c65f2f5b09390ec7f62daeb25db2

  • SHA512

    06209b73065a84e324113fa259623d9482971c7e221116eb37c0c407c7428d1241b99622c5835d004a8f0b8409d6efcaa1f2fdc0365290c0b83caeeb851ea699

  • SSDEEP

    196608:vDOWMSWGX0Kb4zmkV0kPVhr6TmGeWgJazOarKlqlHSDWrVeL31DWmmvQP4lW:rOG5Bb4zlHPVheePayOesHU2VamvG4lW

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

77.105.135.107:3445

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.31

Attributes

  • url_path

    /5499d72b3a3e55be.php

Extracted

Family

risepro

C2

194.110.13.70

77.105.133.27

Targets

    • Target

      archive.rar

    • Size

      11.5MB

    • MD5

      691e3e042f77f3ca8b5344829029b272

    • SHA1

      43f3a009a7bd9ce972be8992151240cda02eb598

    • SHA256

      21a27ad9d564f6af8aa67437023baac60d5bad9316fac18dbace5af1ab85ec1f

    • SHA512

      2917da919add222f47b69a5e93e62872e422d74e7308edd556e0e1084234a6545a8018852ece5bc15eb96c54a5a43371b1008cdb0157430d52a2ee6a0f6f27c7

    • SSDEEP

      196608:1DOWMSWGX0Kb4zmkV0kPVhr6TmGeWgJazOarKlqlHSDWrVeL31DWmmvQP4ld:5OG5Bb4zlHPVheePayOesHU2VamvG4ld

    • Modifies firewall policy service

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Stealc

      Stealc is an infostealer written in C++.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks