General

  • Target

    image.zip

  • Size

    2.8MB

  • Sample

    240724-ebw8nawgpm

  • MD5

    48c9ceaaed90ed3d75e00daf7184ee86

  • SHA1

    5b43319eb70e128c5c890021da92398efae52745

  • SHA256

    87486970ad819fc0c311607afdc0c823f6a687e31057136a29004ad87bbce0b6

  • SHA512

    352b0c0abafb3e49dd6282cfaa198a3265b8924589bdfb89b8941ce056468c04fa6b81205fa3343ace93702444930c2fe958813fbf13171fa5b3ea595e1f0db0

  • SSDEEP

    49152:TLdJ3PlrgkJIP6dYrXtbkOhdhboEox2ALsQKN0XA/3fi4xtbESgpJZ1paoDwdH:TLd/GiubqOFW2ssQKN1/1PQfHaJdH

Malware Config

Extracted

  • Family

    stealc

  • Botnet

    sila

  • C2

    http://85.28.47.31

  • Attributes

    • url_path

      /5499d72b3a3e55be.php

Extracted

  • Family

    risepro

  • C2

    194.110.13.70

    77.105.133.27

Extracted

  • Family

    redline

  • Botnet

    LogsDiller Cloud (TG: @logsdillabot)

  • C2

    77.105.135.107:3445
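
The file hashes and C2 indicators above are the report's atomic IOCs. The following is an added example (not part of the sandbox report, and not code from any malware family it names) showing how a responder would turn them into a matcher: it computes the same four digests the report lists for a file, checks them against the report's values, and scans proxy log lines for the three families' C2 hosts, recording whether the Stealc URL path and the RedLine port also line up. The proxy log lines, their field layout, the function names and the assumed port 80 for the http:// Stealc C2 are constructed here so the example runs offline.

```python
"""IOC matching for the image.zip / setup.exe report.

Added example: this is not part of the sandbox report and not code from any
malware family it names. Hash and C2 values are copied from the report; the
proxy log lines, their field layout and all function names are constructed
here so the example runs offline.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# File hashes from the General and Targets sections. The report's SHA512
# values are not repeated here; SHA256 is the strongest digest used for matching.
KNOWN_HASHES: Dict[str, Dict[str, str]] = {
    "image.zip": {
        "md5": "48c9ceaaed90ed3d75e00daf7184ee86",
        "sha1": "5b43319eb70e128c5c890021da92398efae52745",
        "sha256": "87486970ad819fc0c311607afdc0c823f6a687e31057136a29004ad87bbce0b6",
    },
    "setup.exe": {
        "md5": "4277d47d6916af0a7d3a1c1583112df7",
        "sha1": "e8cdd4ceb3476ef0e69387ad3f759bc2a7da36a6",
        "sha256": "ed95fe802a065e28b952131fb08b43d6bde7c1aa54f88ac927ea4176e005fae1",
    },
}

# Network indicators from the Malware Config section: (family, host, port, path).
# None means the report gives no port/path; port 80 for Stealc is inferred from
# the http:// scheme (an assumption, not stated in the report).
C2_INDICATORS: List[Tuple[str, str, Optional[int], Optional[str]]] = [
    ("stealc", "85.28.47.31", 80, "/5499d72b3a3e55be.php"),
    ("risepro", "194.110.13.70", None, None),
    ("risepro", "77.105.133.27", None, None),
    ("redline", "77.105.135.107", 3445, None),
]


def digest_bytes(data: bytes) -> Dict[str, str]:
    """All four report digests of an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file on disk, read once in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_known(digests: Dict[str, str]) -> Optional[str]:
    """Name of the report artifact that any supplied digest matches, else None."""
    for artifact, known in KNOWN_HASHES.items():
        for algo, value in known.items():
            if digests.get(algo, "").lower() == value:
                return artifact
    return None


# Constructed proxy log (not from the report): "<epoch> <client> <method> <target> <status>".
SAMPLE_PROXY_LOG = """\
1721800001.123 10.0.0.5 GET http://85.28.47.31/5499d72b3a3e55be.php 200
1721800002.456 10.0.0.5 CONNECT 77.105.135.107:3445 200
1721800003.789 10.0.0.7 GET http://example.com/index.html 200
1721800004.012 10.0.0.9 POST http://194.110.13.70/ 200
"""

_TARGET_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$")


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """(line_no, family, matched fields) for each line that reaches a listed C2."""
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        target = fields[3]
        m = _TARGET_RE.match(target)
        if not m:
            continue
        host, path = m.group("host"), m.group("path")
        port = int(m.group("port")) if m.group("port") else (80 if target.startswith("http://") else None)
        for family, c2_host, c2_port, c2_path in C2_INDICATORS:
            if host != c2_host:
                continue
            matched = ["host"]  # host alone is a hit; port/path strengthen attribution
            if c2_port is not None and port == c2_port:
                matched.append(f"port {c2_port}")
            if c2_path is not None and path == c2_path:
                matched.append(f"path {c2_path}")
            hits.append((line_no, family, ", ".join(matched)))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
```

A host-only match is still reported because the RisePro entries carry no port or path; treat those as weaker evidence than the Stealc hit, where host, implied port and the gate path all agree.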

Targets

    • Target

      setup.exe

    • Size

      5.5MB

    • MD5

      4277d47d6916af0a7d3a1c1583112df7

    • SHA1

      e8cdd4ceb3476ef0e69387ad3f759bc2a7da36a6

    • SHA256

      ed95fe802a065e28b952131fb08b43d6bde7c1aa54f88ac927ea4176e005fae1

    • SHA512

      5c97f427cd3ef8916bfebdfecdb8eeeb4e31a556950b8fde7c6e0d97381efdaf7dad7593114d1bf65dc2738fb4b34ed2eddf1373cea304821bd19dbaef571d43

    • SSDEEP

      49152:NIaTHKNhze5p5D/oEhXbVuE6lUIdsQKTeXIqPgYxtX8IdiSsnffMlCJso:NI8HKy57cApoUMsQKT9qFD5iSsn

    • Modifies firewall policy service

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Stealc

      Stealc is an infostealer written in C++.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read to detect sandbox or virtual machine environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Themida packer

      Detects Themida, a commercial Windows software protector whose packing and code virtualization hinder static analysis.

    • Adds Run key to start application

      Persistence through a value under the HKCU or HKLM Software\Microsoft\Windows\CurrentVersion\Run key, which launches the named program at logon.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

      Typically read from the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls the configurable power settings on a Windows host and can be abused to keep an infected machine from sleeping, locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events from the calling thread reaching an attached debugger; a common anti-debugging technique.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects a thread's execution, as used in process hollowing and other code injection techniques.
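
Most of the signatures above are sandbox observations; only some of them leave traces in ordinary host telemetry. The following added example (not part of the report, and not code from any tool it names) maps five of the write/execution signatures to Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) and evaluates them over constructed events. Registry reads (the UAC, BIOS, location and Uninstall key checks) and API-level behaviour (NtSetInformationThread, SetThreadContext) do not appear in Sysmon logs and are deliberately left out; the event records, the rule names' mapping to command-line patterns, and the sample paths are assumptions made here.

```python
"""Host-telemetry rules for the write/execution signatures listed above.

Added example: not part of the report and not code from any tool it names.
The rules map five sandbox signatures to what they look like in Sysmon-style
events (EventID 1 process create, 11 file create, 13 registry value set).
The events below are constructed, not real telemetry. Registry reads (UAC,
BIOS, geo, Uninstall checks) and API-level behaviour (NtSetInformationThread,
SetThreadContext) are not logged by Sysmon and are left out on purpose.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is inside prefix' test for Windows paths."""
    return path.lower().startswith(prefix.lower())


def _image_is(event: Event, basename: str) -> bool:
    """True if the event's Image ends with \\<basename> (case-insensitive)."""
    return event.get("Image", "").lower().endswith("\\" + basename)


# Signature name from the report -> predicate over one event.
RULES: Dict[str, Callable[[Event], bool]] = {
    # Registry value set under the per-user or machine Run key (not RunOnce).
    "Adds Run key to start application": lambda e: (
        e.get("EventID") == "13"
        and "\\microsoft\\windows\\currentversion\\run\\" in e.get("TargetObject", "").lower()
    ),
    # powercfg altering sleep/hibernate behaviour (/x, /change, /h, /hibernate).
    "Power Settings": lambda e: (
        e.get("EventID") == "1"
        and _image_is(e, "powercfg.exe")
        and re.search(r"(?i)(?:^|\s)[-/](?:x|change|h|hibernate)\b", e.get("CommandLine", "")) is not None
    ),
    "Creates new service(s)": lambda e: (
        e.get("EventID") == "1"
        and _image_is(e, "sc.exe")
        and re.search(r"(?i)\bcreate\b", e.get("CommandLine", "")) is not None
    ),
    "Stops running service(s)": lambda e: (
        e.get("EventID") == "1"
        and _image_is(e, "sc.exe")
        and re.search(r"(?i)\bstop\b", e.get("CommandLine", "")) is not None
    ),
    # A binary running from outside C:\Windows writing into System32.
    "Drops file in System32 directory": lambda e: (
        e.get("EventID") == "11"
        and _under(e.get("TargetFilename", ""), "C:\\Windows\\System32\\")
        and not _under(e.get("Image", ""), "C:\\Windows\\")
    ),
}

# Constructed events (not real telemetry): four malicious, two benign.
DROPPER = "C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe"  # assumed drop path
EVENTS: List[Event] = [
    {"EventID": "13", "Image": DROPPER,
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": DROPPER},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\powercfg.exe", "ParentImage": DROPPER,
     "CommandLine": "powercfg /x -standby-timeout-ac 0"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\sc.exe", "ParentImage": DROPPER,
     "CommandLine": "sc stop ExampleSvc"},
    {"EventID": "11", "Image": DROPPER,
     "TargetFilename": "C:\\Windows\\System32\\example.dll"},
    # Benign: Windows Installer legitimately writing into System32.
    {"EventID": "11", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\vendor.dll"},
    # Benign: unrelated command from the shell.
    {"EventID": "1", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def evaluate(events: List[Event]) -> Dict[str, List[int]]:
    """{signature: [indices of events that fired it]} for signatures that fired."""
    fired: Dict[str, List[int]] = {}
    for index, event in enumerate(events):
        for name, predicate in RULES.items():
            if predicate(event):
                fired.setdefault(name, []).append(index)
    return fired


if __name__ == "__main__":
    for name, indices in evaluate(EVENTS).items():
        print(f"{name}: events {indices}")
```

The System32 rule excludes images already under C:\Windows so that installers and servicing do not fire it; in a real deployment the Run-key and sc.exe rules should additionally be scoped by ParentImage (here the dropper) to keep noise from administrators and software updaters down.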
