Resubmissions

31-07-2024 14:08    240731-rfw5ns1hrb    10
31-07-2024 12:58    240731-p7lrxathnp    10

General

  • Target: Netflix Valid Email Checker.zip
  • Size: 1.8MB
  • Sample: 240731-rfw5ns1hrb
  • MD5: a8ff2fc3b3d8cb158ef4b3e62f252055
  • SHA1: bce1e7bf0dab25dea26ae8170fb1f43436061bea
  • SHA256: 5cf1dd4e1137cbdf404266cf62fae5fd1eb59d07afa69a7bfb02c2243fa5ddfc
  • SHA512: 1abc984113f63e51db7c87ce54ef7863523bf22ef549ac23f02183e1970a1ffcac50f8aecaf96b8e8d259e28c8302f662dd1f7812c5efcb5496ec0395a5594b2
  • SSDEEP: 24576:XbCNr5L9wdMm67zifwBtIuoJosWeh0PLi2+F5Byd9I2Ufo2134n5E/CqHx8VdLtL:Xy5qMzzNBdoNhYr+HMbI2Mo216y98Tx

Malware Config

Extracted

  • Family: redline
  • Botnet: diamotrix
  • C2: 176.111.174.140:1912

Extracted

  • Family: asyncrat
  • Version: 0.5.8
  • Botnet: Default
  • C2: 176.111.174.140:6606, 176.111.174.140:7707, 176.111.174.140:8808
  • Mutex: PWhSiRkcxVoa
  • Attributes
      • delay: 3
      • install: true
      • install_file: svchost.exe
      • install_folder: %AppData%
  • aes.plain

Targets

  • Target: Extreme.Net.dll
      • Size: 121KB
      • MD5: f79f0e3a0361cac000e2d3553753cd68
      • SHA1: 4314bcef76fddc9379a8f3a266b37d685d0adb79
      • SHA256: 8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd
      • SHA512: c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355
      • SSDEEP: 3072:bdoECIgjBibgp2tBqL0Y++ruXqMG4ih3lbpMqc:bdoECIgUrG
      • Score: 1/10

  • Target: MetroFramework.Design.dll
      • Size: 16KB
      • MD5: c853e9e8c720249198ff376f42328ef9
      • SHA1: a56ee195148023571e26ffeaa5a736bc73a76c40
      • SHA256: 28089707733c92c7fade97e7b6fab4007e7b8bfd6dc7a8526a3ea597f1a30845
      • SHA512: d21cf5cfe0a5e2f7d4c128e64e0decee28028297c804319fb957b1f0e60d62e3103976b95abc3d2bd5ba66801cb5fe9bef4bae067273079177be28c73132c739
      • SSDEEP: 384:k1q4fJwcRJTxK0JLBamLGqPkO9V1VFf5L7W1OYKjbq9w:6q4hwcRBJLBamSqPkO9V1ViGq9
      • Score: 1/10

  • Target: MetroFramework.Fonts.dll
      • Size: 656KB
      • MD5: b8c8a532438c4b421081efb258355469
      • SHA1: 41aa88d5eaf398da55f712f30226b70492125be1
      • SHA256: 15a605129cac3663ba1ddb98f5798334fba5e7954ee36a69727299b4e366c2eb
      • SHA512: 511070c8cfe018e60e11d495393152e10aa2aa0c08cde84678ef3a0efd63ae5c562a47bfab883f4babd469b1873127bacc9c986cb2bc096985176f1dbf93b1fc
      • SSDEEP: 12288:5+/9JcJlYqCNktA+SXfGpq2fHowSqCNktA+SXfvJR9FrIJJaqCNktA+SXfUC:5+/3qlrCNoh+UqgIwhCNoh+JR9FrIJJw
      • Score: 1/10

  • Target: MetroFramework.dll
      • Size: 313KB
      • MD5: b20f1b5e3d4e3df2d826e9870637cd06
      • SHA1: a03bb47afdf9498be409ed5b56e945f6e143fb32
      • SHA256: 9e58f13deb328455f216f165588b5f5111ecd12042d7dd196686dfb0f0fc68eb
      • SHA512: 095c5956ebc114c4b380d2b43981bcabd221782530328a51cb2c6aec05a016dad2e5efae36810f6840611f77f589be1e1e7f2200738df3bca222381837033b2d
      • SSDEEP: 6144:Ys+J/PxfbpAQ1bZHE7Zhm6uOw0g749O2:qJ/PxzpAObhV6uO99O
      • Score: 1/10

  • Target: MetroSuite 2.0.dll
      • Size: 305KB
      • MD5: 0d30a398cec0ff006b6ea2b52d11e744
      • SHA1: 4ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45
      • SHA256: 8604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654
      • SHA512: 8e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc
      • SSDEEP: 3072:K6J2UBugOAI+yjNDWswy1MNo1EvnvkgvloSVQBjDifX0pPSRZ9KZdf8uvqtXfZBF:K6Jr8xhFzfOaa3xqQnQGTO
      • Score: 1/10

  • Target: Netflix Valid Email Checker by X-Splinter v2.exe
      • Size: 976KB
      • MD5: 1a4da925d3cfef0f8040ad9858133181
      • SHA1: e912d052c7d778eef4a3ab320d8c9e8d905147be
      • SHA256: ee5db783f4fcaa53ca4babb8ddb6c143bf34307af0e1f7be9912494c5d071aae
      • SHA512: e1ec260669e3f89a9479245dacce1b5b7550ddca437572d69516335575543d138924adffec4202e147347f5cc8fb0c365de83383df5fb740dbe32b8f21eb8a54
      • SSDEEP: 12288:BiUE6zr+B8DY9yYhaODRgDKqHgo2aqNUazcKhhhhTGyRYpYqh:AUEyavaOWuqAxa+vYl

      • AsyncRat
        AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.
      • RedLine
        RedLine Stealer is a malware family written in C#, first seen in early 2020.
      • RedLine payload
      • Async RAT payload
      • Credentials from Password Stores: Credentials from Web Browsers
        Malicious access to, or copying of, the web browser credential store.
      • Downloads MZ/PE file
      • Drops file in Drivers directory
      • Checks computer location settings
        Looks up the country code configured in the registry, likely for geofencing.
      • Executes dropped EXE
      • Loads dropped DLL
      • Reads user/profile data of web browsers
        Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
      • UPX packed file
        Detects executables packed with the open source UPX packer or a modified version of it.
      • Accesses cryptocurrency files/wallets, possible credential harvesting
      • Adds Run key to start application
      • Checks installed software on the system
        Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
      • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tactic                 Technique                                Count  ID
Execution              Scheduled Task/Job                       1      T1053
Execution              Scheduled Task                           1      T1053.005
Persistence            Boot or Logon Autostart Execution        1      T1547
Persistence            Registry Run Keys / Startup Folder       1      T1547.001
Persistence            Scheduled Task/Job                       1      T1053
Persistence            Scheduled Task                           1      T1053.005
Privilege Escalation   Boot or Logon Autostart Execution        1      T1547
Privilege Escalation   Registry Run Keys / Startup Folder       1      T1547.001
Privilege Escalation   Scheduled Task/Job                       1      T1053
Privilege Escalation   Scheduled Task                           1      T1053.005
Defense Evasion        Modify Registry                          1      T1112
Credential Access      Credentials from Password Stores         1      T1555
Credential Access      Credentials from Web Browsers            1      T1555.003
Credential Access      Unsecured Credentials                    2      T1552
Credential Access      Credentials In Files                     2      T1552.001
Discovery              Query Registry                           3      T1012
Discovery              System Information Discovery             2      T1082
Discovery              System Location Discovery                1      T1614
Discovery              System Language Discovery                1      T1614.001
Collection             Data from Local System                   2      T1005

Tasks