10c1be767404...8e.zip
windows7-x64
1c1be767404...8e.zip
windows10-2004-x64
100195a0548...01.exe
windows7-x64
1000195a0548...01.exe
windows10-2004-x64
10103494894d...b8.exe
windows7-x64
8103494894d...b8.exe
windows10-2004-x64
815e918d1df...c8.exe
windows7-x64
1015e918d1df...c8.exe
windows10-2004-x64
101adf26633c...96.exe
windows7-x64
101adf26633c...96.exe
windows10-2004-x64
725bbed4562...a9.exe
windows7-x64
1025bbed4562...a9.exe
windows10-2004-x64
1029b828a2d4...7b.exe
windows7-x64
1029b828a2d4...7b.exe
windows10-2004-x64
102f0d81e068...61.exe
windows7-x64
102f0d81e068...61.exe
windows10-2004-x64
10317ce86a4e...85.exe
windows7-x64
10317ce86a4e...85.exe
windows10-2004-x64
103c764ae83e...36.exe
windows7-x64
83c764ae83e...36.exe
windows10-2004-x64
840c918b435...1df.js
windows7-x64
340c918b435...1df.js
windows10-2004-x64
74963827ab4...5e.exe
windows7-x64
104963827ab4...5e.exe
windows10-2004-x64
1050d670fcdb...0d.exe
windows7-x64
750d670fcdb...0d.exe
windows10-2004-x64
1055911205ed...78.exe
windows7-x64
1055911205ed...78.exe
windows10-2004-x64
105a48f7ceeb...a3.exe
windows7-x64
105a48f7ceeb...a3.exe
windows10-2004-x64
106700ee6916...ce.exe
windows7-x64
106700ee6916...ce.exe
windows10-2004-x64
10General
-
Target
c1be767404a3d71717a54b01ebfa91ebff578dad8dd518a1a49012bcf012738e
-
Size
18.4MB
-
Sample
240727-vnrrpszapr
-
MD5
f4668d061e909155b6fac133b996454f
-
SHA1
f447f9f60c302e86396d0c6ee87a9d051ffdc663
-
SHA256
c1be767404a3d71717a54b01ebfa91ebff578dad8dd518a1a49012bcf012738e
-
SHA512
37b060d37792f1c6579e3f06a7f511048bbd03f683f42cfcb97974e606f83104f0415b391a2fcaedb8b27b8c5aca81392ff37790056e1b28242f244392626898
-
SSDEEP
393216:ajbiEohoCmIKjjw8t2Ilk1TZj4ASPRlZzXFAuU2ywpV:aqEfSKj/t2IqTN4xRlzAMyYV
Behavioral task
behavioral1
Sample
c1be767404a3d71717a54b01ebfa91ebff578dad8dd518a1a49012bcf012738e.zip
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c1be767404a3d71717a54b01ebfa91ebff578dad8dd518a1a49012bcf012738e.zip
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
00195a05484a91950f0c188ce6ac5f05b94123095bba2bdf0f184332bacd4201.exe
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
00195a05484a91950f0c188ce6ac5f05b94123095bba2bdf0f184332bacd4201.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
103494894de51a19c77a06cf7a48e2d278cd7f768bd972c2fd34d557f619e1b8.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
103494894de51a19c77a06cf7a48e2d278cd7f768bd972c2fd34d557f619e1b8.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
15e918d1df17402cac720b75c85e81587d15ef620e89b639ad71085ce77ca8c8.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
15e918d1df17402cac720b75c85e81587d15ef620e89b639ad71085ce77ca8c8.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
1adf26633c17278c9b930529b164637a8942cbb1f3267afafec63b56de51dd96.exe
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
1adf26633c17278c9b930529b164637a8942cbb1f3267afafec63b56de51dd96.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
2f0d81e068e18c1b7fe631d9342b33afd5bdad5bf3de39a28d6c6de30edbf661.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
2f0d81e068e18c1b7fe631d9342b33afd5bdad5bf3de39a28d6c6de30edbf661.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
317ce86a4e5783cbfa78be1ce5950fe287d810f34d834d859df0bf7496625985.exe
Resource
win7-20240705-en
Behavioral task
behavioral18
Sample
317ce86a4e5783cbfa78be1ce5950fe287d810f34d834d859df0bf7496625985.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
3c764ae83eaaab36e7550ebd312d12daa8e41cd8bc2294eb3bdf4459dda73f36.exe
Resource
win7-20240704-en
Behavioral task
behavioral20
Sample
3c764ae83eaaab36e7550ebd312d12daa8e41cd8bc2294eb3bdf4459dda73f36.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
40c918b435649c05c1f43a6f95c9bdb613726a86dfce987ea5ccd90ec2c911df.js
Resource
win7-20240704-en
Behavioral task
behavioral22
Sample
40c918b435649c05c1f43a6f95c9bdb613726a86dfce987ea5ccd90ec2c911df.js
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e.exe
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
50d670fcdb23752572ad966fef6e4b67e9d600a8ca0bfef4f58847eff69ed40d.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
50d670fcdb23752572ad966fef6e4b67e9d600a8ca0bfef4f58847eff69ed40d.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
55911205edcecf1a4337052e070334ad0dfb5b651cb980122a963b811aeda078.exe
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
55911205edcecf1a4337052e070334ad0dfb5b651cb980122a963b811aeda078.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
5a48f7ceeb3a0ef874ee3247079ce780b39e8af328aaa8b1e91cfed4729969a3.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
5a48f7ceeb3a0ef874ee3247079ce780b39e8af328aaa8b1e91cfed4729969a3.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
6700ee6916de2b466bfba8efd9d0aaa71cf99252d3f95c570c366819a45ab2ce.exe
Resource
win7-20240708-en
Malware Config
Extracted
redline
185.196.9.26:6302
Extracted
quasar
1.4.1
Office04
45.66.231.154:4782
4304b988-116c-4522-ab83-7f9ad875f60f
-
encryption_key
A6B8B9B9B02FC86103A59CE003D7B3B45DAF8550
-
install_name
svchost.exe
-
log_directory
svchost
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
svchost
Extracted
stealc
default
http://85.28.47.101
http://85.28.47.31
-
url_path
/f3ee98d7eec07fb9.php
Extracted
Protocol: smtp - Host: mail.schafoundation.org - Port: 587 - Username: [email protected] - Password: schafEST2012.
Extracted
vidar
10.5
b607a7a47e1a6ff266af835d50c6eaa5
https://t.me/s41l0
https://steamcommunity.com/profiles/76561199743486170
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.0 Safari/537.36
Extracted
remcos
1.7 Pro
Host
213.183.58.19:4000
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
read.dat
-
keylog_flag
false
-
keylog_folder
CastC
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_sccafsoidz
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
formbook
4.1
ty31
jejakunik.com
inb319.com
jifsjn.buzz
gkyukon.site
43443.cfd
cogil69id.com
oeaog.com
lpgatm.com
mymarketsales.com
tomclk.icu
404417.online
nysconstruction.com
ourwisequote.com
ahsanadvisory.com
ottawaherps.com
forevermust.com
apartments-for-rent-47679.bond
kdasjijaksdd.icu
buthaynah.com
manggungjayakanopi.com
cookygan.com
regalessencebeautystudio.com
material.directory
szxart.xyz
ykdbyjk.xyz
hankahve.com
tiituitdsa.net
avantbrews.com
springpace.com
seriesjeans.com
technikwunder.com
angellsonline.com
soujany.com
buysleepp.com
voltvanbage.com
qdhaohuisuan.com
bluedolphinshop.com
aguanegocios.com
abstractdiffusion.com
bahisanaliz16.xyz
weight-loss-34761.bond
x216.icu
twmallll.com
poalsdji.buzz
agtsolargrowth.biz
pixelcloudtec.com
0512155.com
mypsychedeliceducation.com
0306951.top
screw-air-compressor.com
10140wildhawk.com
antheaclinic.com
tppclients.com
needpickleball.com
iraq-visions.com
rtpbonanza138.skin
wjzjs.com
dw6msr8.icu
lepriossa.com
tiktokglobal.shop
youwu.autos
tripshipglobal.com
ncpekingducktogo.com
winbd24.com
xiaobanhome.com
Extracted
stealc
sila
http://85.28.47.31
-
url_path
/5499d72b3a3e55be.php
Targets
-
-
Target
c1be767404a3d71717a54b01ebfa91ebff578dad8dd518a1a49012bcf012738e
-
Size
18.4MB
-
MD5
f4668d061e909155b6fac133b996454f
-
SHA1
f447f9f60c302e86396d0c6ee87a9d051ffdc663
-
SHA256
c1be767404a3d71717a54b01ebfa91ebff578dad8dd518a1a49012bcf012738e
-
SHA512
37b060d37792f1c6579e3f06a7f511048bbd03f683f42cfcb97974e606f83104f0415b391a2fcaedb8b27b8c5aca81392ff37790056e1b28242f244392626898
-
SSDEEP
393216:ajbiEohoCmIKjjw8t2Ilk1TZj4ASPRlZzXFAuU2ywpV:aqEfSKj/t2IqTN4xRlzAMyYV
Score1/10 -
-
-
Target
00195a05484a91950f0c188ce6ac5f05b94123095bba2bdf0f184332bacd4201.exe
-
Size
294KB
-
MD5
901ad3475ed59bb58ac16b73b3fa467a
-
SHA1
b30e556a0670d0bc1c15e51caf3b435a1c6d483d
-
SHA256
00195a05484a91950f0c188ce6ac5f05b94123095bba2bdf0f184332bacd4201
-
SHA512
ca169e2071d9bc6eb42582f251dcce64c981afaa74d43d65947b982a31fa9fab33e4a9f31d4843d93c193c0ae5c3cad36a6ef94cb0cb618b1f870af33e691f34
-
SSDEEP
3072:AcZqf7D34KpVMQGBOLNNxplzSpECsAbwst1TkxnqpQaAxyDeqiOL2bBOU:AcZqf7DIKOExplzSpKi1TkBVxytL
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
-
-
-
Target
103494894de51a19c77a06cf7a48e2d278cd7f768bd972c2fd34d557f619e1b8.exe
-
Size
1.8MB
-
MD5
f2a98e1ba261e9235029bd9ca240c31e
-
SHA1
052cf8c487fa2fec20a18f268de10e6c10b4e69c
-
SHA256
103494894de51a19c77a06cf7a48e2d278cd7f768bd972c2fd34d557f619e1b8
-
SHA512
caececd5b5aada81350b450d3e26d046034c7ccd030c2ad42ddefd9aaf2819bc4c06e04787ce9485e859e3659501f66cad162e8baaa24c2c9e1b3e0f100a66a1
-
SSDEEP
49152:hwJvvL96MLtWUrX8+fwG2jH+c/LoxZ3SaYee6r3qHZPZlNjFBb7:YrscmZ/7
Score8/10-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Drops file in System32 directory
-
-
-
Target
15e918d1df17402cac720b75c85e81587d15ef620e89b639ad71085ce77ca8c8.exe
-
Size
1.1MB
-
MD5
77dfe19b8675d6b07dddaabb0b9d6ffe
-
SHA1
34c16e4540dfcca9f84497a8d8914b830f7d3c27
-
SHA256
15e918d1df17402cac720b75c85e81587d15ef620e89b639ad71085ce77ca8c8
-
SHA512
7825cb4dd3d9cd853b165afab9315e035eb12f554f619d6d3ffc82e36f96c6d043ba077ced35eeb14283447c94f507ea1c3de85f0d574d9a91ad500c859d4b82
-
SSDEEP
24576:x6Dzd05DeCQYG/uv2m7bg4fBOqItgze9Q+gs95159Ruv0P9/eUu:x2z6U4G/up/VfE3C+hAv0F
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
1adf26633c17278c9b930529b164637a8942cbb1f3267afafec63b56de51dd96.exe
-
Size
163KB
-
MD5
a668cb93c16026b6ee15b96dbd13d64f
-
SHA1
878b50a51f28a78ab4350d0c8b327c8172301de6
-
SHA256
1adf26633c17278c9b930529b164637a8942cbb1f3267afafec63b56de51dd96
-
SHA512
e291e45706ccee09d8f5314a871b783a69ac7caa764c8e9d0c4efe2e548aaee76e77fa284e662e19bfce21b6448e7383b772a8a510f1d903a77277b703ba49d0
-
SSDEEP
3072:z6JM/iN8vLfG+EZm0jNJmG2F00EfqADbugtWlHn:z6A0BJmGa0HiibeH
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe
-
Size
682KB
-
MD5
218ed2d0aee62452d3229a459cb492fb
-
SHA1
a2322a164ff11c0c71336e225c9087a5512cafd6
-
SHA256
25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9
-
SHA512
989bbaf89e9a5d43ba698786753843d5f467637d0ec7881b2763115f32d7ef6475f05709573f9563d7d8a0856e59270b6f9f0082d92c1779d2ace7638bf42fba
-
SSDEEP
12288:JxOhZvdJ25Sy0V3gY7t4H3TvGre9SHhuuq8iZAlxWxxyEAN8RriCroxfL41:JCFn3J7mXTvOfUnmn58hiCku1
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to determine the infected system's external IP address.
-
Suspicious use of SetThreadContext
-
-
-
Target
29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b.exe
-
Size
5.3MB
-
MD5
f109fd54fa6c14302beff44d666a6ade
-
SHA1
912ad7378e837b82524c7d41e9792242bc5feacc
-
SHA256
29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b
-
SHA512
38fb7b93975931cdedbd360672ac51a75de4a59883419ee46b4e739ebf1f13dfa9703062c4bba2df7cd717a5b089e364f33eb42b9fd2a703aac78da6eeeef69c
-
SSDEEP
49152:7ccw6QFnEEabMHciiW/LhKq3FWhR3PIa1p0seWJb9sMS0Z0fCnZ0qstZNweCRmeF:7PIKEabM87W/KIatvBaqstZsRmqEQ
-
Detect Vidar Stealer
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.
-
Downloads MZ/PE file
-
Unsecured Credentials: Credentials In Files
Steals credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-
-
-
Target
2f0d81e068e18c1b7fe631d9342b33afd5bdad5bf3de39a28d6c6de30edbf661.exe
-
Size
715KB
-
MD5
1ccafea4efc3a825a9e426a54bbd3c49
-
SHA1
8fc0ea51c8504621bccf5676aed71b285d8eb481
-
SHA256
2f0d81e068e18c1b7fe631d9342b33afd5bdad5bf3de39a28d6c6de30edbf661
-
SHA512
879949aca8995f9f62ac1d61009b79dee43e1eeabd193c60f12fd8b6a02525d09d8092825dca919c960f3c39fc3b1201f1d372bd662b66053cd6fc37c2ab9daf
-
SSDEEP
12288:YlD2+0vKMs+mDJYCjVNlfmC5BfeCB2IWC4hdVlk:E2+2KMADrHlfmAtNoCs2
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
-
-
-
Target
317ce86a4e5783cbfa78be1ce5950fe287d810f34d834d859df0bf7496625985.exe
-
Size
2.0MB
-
MD5
8f424619f95580c7ce64bf3663046f60
-
SHA1
83b585a40f4a8a9c421647cf88716b6200750a3b
-
SHA256
317ce86a4e5783cbfa78be1ce5950fe287d810f34d834d859df0bf7496625985
-
SHA512
e5c92c2bf2d874c10686e5d6a87fd30bfef9b8b87cc3571774fbc72ae8e7111626f675ac356df19377d50a670c8596882da2a6cc4ded40525dbc00907cab1f13
-
SSDEEP
24576:WD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjYF4+cZkL:Wp7E+QrFUBgq29S
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
3c764ae83eaaab36e7550ebd312d12daa8e41cd8bc2294eb3bdf4459dda73f36.exe
-
Size
690KB
-
MD5
781bcc2fb7f0ace472e3e76ed572b1a3
-
SHA1
a79b7b560bf17db7d46b37cdf06833ee8d0093bf
-
SHA256
3c764ae83eaaab36e7550ebd312d12daa8e41cd8bc2294eb3bdf4459dda73f36
-
SHA512
577dc53fc1089d944d6238fcafa83ae67cafa08d26e46b70563e7e940b526cfbe6a85dd47a5bef5b3c4196b70467bdd47105fb58a706f01bc93b88212ba4ee27
-
SSDEEP
12288:7xOhu3FQjq+9O3yjkWBpsFm8oq2OYImDZnpb5hbCak6iTxr8vqFlHp:7Cu1qb9O3mlpsFmoYIChVHiTh8vSp
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Suspicious use of SetThreadContext
-
-
-
Target
40c918b435649c05c1f43a6f95c9bdb613726a86dfce987ea5ccd90ec2c911df.js
-
Size
5KB
-
MD5
d2f7824a9ca7ba8e47764dee6c61ac6b
-
SHA1
b11912837f3fccb36a4cfd10c3b95175515c7a1b
-
SHA256
40c918b435649c05c1f43a6f95c9bdb613726a86dfce987ea5ccd90ec2c911df
-
SHA512
f1e608ff3255dc5865c69d4fd153968f054c0a408043977e01b536e46d0f1b59fc53b54ee6a55e495c3469549b22b3ff4c35c3bd452a4199db622b0d4046911f
-
SSDEEP
96:kTdLPdO337lh7z3T4d4hut69UXG2siCCehAkx3nCwG2siCCehCGu5:kTBdc5YqnuGXiCCcAkxGXiCCcCG4
Score7/10-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
-
-
Target
4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e.exe
-
Size
2.0MB
-
MD5
40ac7d11ebb91612d8d5c16c05af0a13
-
SHA1
543a6c16f8f058fb6ba029ee3a9c5fde92aaa212
-
SHA256
4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e
-
SHA512
223ecc008fe3b9818597c3870ef605674eb96c52f8f140edb1d7c878691ce16c604440be77107c795a2bbb4e1b5c28ba94141e5703d9488c3a06580e38bf953c
-
SSDEEP
49152:PbA3HdwWe2aSe6pcUwxE0G+dK7RB7/wWnm1Xl:Pbt2M4cUwxEII7RB0d1Xl
Score10/10-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates that the parent process was compromised via an exploit or a macro.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
50d670fcdb23752572ad966fef6e4b67e9d600a8ca0bfef4f58847eff69ed40d.exe
-
Size
611KB
-
MD5
7bcdae2d187bfe37c144b880a1d8b52f
-
SHA1
168827a3c6e990a2e5fe88e8446447e0b54f6f06
-
SHA256
50d670fcdb23752572ad966fef6e4b67e9d600a8ca0bfef4f58847eff69ed40d
-
SHA512
fe4eb7a281012793f4efd650741ee49d20f5698de3d3d8a860c478acfa58787b2e5b198ef5edc115720dea4d0e1a193e9a612a0f8a32210d98e8dd17d0110fe9
-
SSDEEP
12288:8k5XbZ72LebM76TRB8EDtOC5I+/VPc3L4YclC+1Y+fgbXeA8gVml+ZTcv0qvBWFD:8UdRbM76TR5wOI+tq7Z
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-
-
-
Target
55911205edcecf1a4337052e070334ad0dfb5b651cb980122a963b811aeda078.exe
-
Size
1.0MB
-
MD5
83759232874676063ca07f71a214ba6d
-
SHA1
662fc90d52e4d9db2ca89b4eccbec7948a25f9f3
-
SHA256
55911205edcecf1a4337052e070334ad0dfb5b651cb980122a963b811aeda078
-
SHA512
57eae1f72dcf701fea500bf01fc5bd908e93143d5356a3061c4f51e28d554507eff7b190211caa96e9a5a93d34ca612a0a52452e9aaeaaa01e8b45894e9e610c
-
SSDEEP
24576:BAHnh+eWsN3skA4RV1Hom2KXMmHabbr6qd0SinFd5:Yh+ZkldoPK8YabfDd0V
-
Formbook payload
-
Suspicious use of SetThreadContext
-
-
-
Target
5a48f7ceeb3a0ef874ee3247079ce780b39e8af328aaa8b1e91cfed4729969a3.exe
-
Size
1.1MB
-
MD5
14a4c46beeb0a7f707a245d76c83d3af
-
SHA1
d6a5611132ddccea967ca0034edcd993382938c7
-
SHA256
5a48f7ceeb3a0ef874ee3247079ce780b39e8af328aaa8b1e91cfed4729969a3
-
SHA512
02f6f2288333bf35bfb92e750e8e90e727f1924a579accbf728dd1395132b226278f41fce03f1dce84817061b7e2a545c5b760c80445db5c376a4204cb9c52c7
-
SSDEEP
24576:UQ3ymXgO1ZBfK0VSs72lGNGqVDf7cEFp7aDUO0t5vV1:sm71mYSs72lGNZVDQCpmVIV1
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
6700ee6916de2b466bfba8efd9d0aaa71cf99252d3f95c570c366819a45ab2ce.exe
-
Size
3.1MB
-
MD5
e0bd71734fc197f5d445a0220c946718
-
SHA1
0bf01f37003f8474f7e038a5846a8f3d1231ab4f
-
SHA256
6700ee6916de2b466bfba8efd9d0aaa71cf99252d3f95c570c366819a45ab2ce
-
SHA512
f637d2e0a69f6d0228f67c62c1391e2be8c2e8bde13bcfd676f5eba9960464d9f87494fd4aa146b86bfb38c1870e16e8b48dcf0b937805b60e27df14905e1a4f
-
SSDEEP
49152:P3ye82ipaSmopPZlGPBbLbrJSrMayVgjokdtNTHHB72eh2NT:P3982ipaSmopPZlGPBnbrJSrMayVK
-
Quasar payload
-
Executes dropped EXE
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4