Overview
overview
10Static
static
101/0178b79b...bd.exe
windows7-x64
101/0178b79b...bd.exe
windows10-2004-x64
101/0280cde4...60.exe
windows7-x64
101/0280cde4...60.exe
windows10-2004-x64
101/08b76206...65.exe
windows7-x64
101/08b76206...65.exe
windows10-2004-x64
101/0e4fc438...91.exe
windows7-x64
31/0e4fc438...91.exe
windows10-2004-x64
101/0fb86a8b...05.exe
windows7-x64
101/0fb86a8b...05.exe
windows10-2004-x64
101/25898c73...8f.exe
windows7-x64
101/25898c73...8f.exe
windows10-2004-x64
101/2c2e9491...3c.exe
windows7-x64
31/2c2e9491...3c.exe
windows10-2004-x64
101/2ef0f582...2e.exe
windows7-x64
31/2ef0f582...2e.exe
windows10-2004-x64
101/39884fc0...82.exe
windows7-x64
101/39884fc0...82.exe
windows10-2004-x64
101/3a72ecec...8a.exe
windows7-x64
101/3a72ecec...8a.exe
windows10-2004-x64
101/3bfcb4f7...71.exe
windows7-x64
81/3bfcb4f7...71.exe
windows10-2004-x64
101/4103411f...f5.exe
windows7-x64
101/4103411f...f5.exe
windows10-2004-x64
101/4e0fdb84...95.exe
windows7-x64
31/4e0fdb84...95.exe
windows10-2004-x64
71/5297372f...33.exe
windows7-x64
51/5297372f...33.exe
windows10-2004-x64
51/68292f38...e4.exe
windows7-x64
31/68292f38...e4.exe
windows10-2004-x64
101/6da4696b...e5.exe
windows7-x64
71/6da4696b...e5.exe
windows10-2004-x64
7General
-
Target
bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf.zip
-
Size
20.2MB
-
Sample
240801-cdsl5szgma
-
MD5
05543d62dd8e652936165c212ca0980a
-
SHA1
f0c13e272c06cc945891d3508e341c1b5550a8e9
-
SHA256
bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf
-
SHA512
3cae5f69d3a7beffcb357b668b00a2223d3e616eb29564ed978138c80d9245af3ef77d78a86365039e745d430dac6d8e0a75d683c38f45024a6c9193bebc70ee
-
SSDEEP
393216:8rniuKDJ1KA/oaXpBbD3QRDqeyNrQ/MR50eaJ92Bc0bU4BVzjfBzGct9/ug5Hd3w:8rOJsA/dBb7Qg3rQ0Q0TUcBzj/ugNd3w
Behavioral task
behavioral1
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral3
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral5
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral7
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral9
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral11
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral13
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral15
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral17
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral19
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral21
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win7-20240704-en
Behavioral task
behavioral22
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral23
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral25
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral27
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win7-20240705-en
Behavioral task
behavioral28
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral29
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral31
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win10v2004-20240730-en
Malware Config
Extracted
stealc
hello
http://85.28.47.70
-
url_path
/570d5d5e8678366c.php
Extracted
xworm
schools-copper.gl.at.ply.gg:14154
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276
Extracted
redline
6951125327
https://t.me/+7Lir0e4Gw381MDhi
https://steamcommunity.com/profiles/76561199038841443
Extracted
asyncrat
0.5.7B
Default
82.65.19.134:4443
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
agenttesla
Protocol: smtp- Host:
mail.bonnyriggdentalsurgery.com.au - Port:
587 - Username:
[email protected] - Password:
Sages101* - Email To:
[email protected]
Extracted
C:\7V7uPExzv.README.txt
http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
http://group.goocasino.org
https://nullbulge.com
Extracted
Protocol: smtp- Host:
mail.bonnyriggdentalsurgery.com.au - Port:
587 - Username:
[email protected] - Password:
Sages101*
Extracted
Protocol: ftp- Host:
ftp.libreriagandhi.cl - Port:
21 - Username:
[email protected] - Password:
x6p2^m#1#~+O
Extracted
remcos
RemoteHost
192.3.64.149:2888
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7Q1GRN
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
stealc
default
http://85.28.47.101
-
url_path
/f3ee98d7eec07fb9.php
Targets
-
-
Target
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
-
Size
678KB
-
MD5
c229261d7e8c8524dd25f7bc58edddf8
-
SHA1
781d106f3aa60c392f039968ae45c53f78890871
-
SHA256
0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd
-
SHA512
be05a39499b86bfcb30725fd277502f026b29b205bb657d8303b55d9b8e0ae6d4bfb507153d77229871df32d4608a5b8b3bdb1e783f12db2541e48a73fd2891c
-
SSDEEP
12288:8S2iNbczDLej8zhAA3Crp4mIjYBTBIE5Vmmah9di01DRzqICQlzCDmXPIPe:8S1ZcXh9IuMZBIEHlg9s01D71lzCDmXS
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
-
Size
1.3MB
-
MD5
73d006e33d8eda033e684c07b15c53ad
-
SHA1
e3e0a09b37beee1e19d5a6b9fd5322f906f4493d
-
SHA256
0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160
-
SHA512
1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db
-
SSDEEP
24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I
Score10/10-
Suspicious use of SetThreadContext
-
-
-
Target
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
-
Size
161KB
-
MD5
855da30648c0d4f4e2497470ece750bf
-
SHA1
4f45dae1b578ddd47a0d62b59e5fbc9a4f11e58a
-
SHA256
08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65
-
SHA512
948b66613c1e494e445a8fb7eff553345385ca0cd468c500397ea7c3bd02bc6163930759b057f98c9245c118205e0166023fee4e13135ef677947619d184d393
-
SSDEEP
3072:/9gyPX977bb+Vnh9N47rL74qBlslaubyAWEktPZsZ:/yMZPb+Vnh9CLtkauehEkf
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
-
Size
389KB
-
MD5
35a50d146a389289bf8cf8ae60c9e785
-
SHA1
eb94502d25789eb86dc160c2bc9be4b4a64131bd
-
SHA256
0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791
-
SHA512
9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada
-
SSDEEP
6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
-
Size
146KB
-
MD5
2357ecbcf3b566c76c839daf7ecf2681
-
SHA1
89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
-
SHA256
0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305
-
SHA512
bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401
-
SSDEEP
3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU
Score10/10-
Renames multiple (633) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
-
Size
1.0MB
-
MD5
631e3c5465349fdfd6fc2fbe9c15cf65
-
SHA1
af9e5b3d8ca4b6c64b69876b9cad6a18476f0168
-
SHA256
25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f
-
SHA512
31c6c58a5ec3d26e67a20f46df689fcfe69e90dffeaa36183630cc2cfa20d7fc07e19efe551f65f9606e435e26e2daf50b2275ee4b1cd7ab6b3641bef1552b93
-
SSDEEP
24576:GAHnh+eWsN3skA4RV1Hom2KXMmHasvktOpBS5:hh+ZkldoPK8Yasvkt+2
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
-
Size
338KB
-
MD5
6f1e400bcf79c773832b3ca2aab94d3d
-
SHA1
8a1724e7f0df1b8bb22413751908b76f72498121
-
SHA256
2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c
-
SHA512
2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a
-
SSDEEP
6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
-
Size
338KB
-
MD5
d5ad720fa67bbce2d11544ad3c211424
-
SHA1
e9f63402b2eaabbdcc6cb5ec95e328f9620cd170
-
SHA256
2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e
-
SHA512
d8a8ae60abec80b7cfd7c9b9bc19d2f2594d1ecee0a28cf9a2f545afc7ef0ee59ca7a073edb8415f006662ed2095f9f3c190abed5023b81e094724c04ba153c6
-
SSDEEP
6144:RY1jkmalKcYdvkMEdRE29UHYOhQWr3y/7qpKfQmhapjXFISRn2di8bEO:RcEKc+kMcI+IKImcFISAi8bEO
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
-
Size
3.3MB
-
MD5
7cdff219ccaaa4c4d67448e9e812f2de
-
SHA1
a063103f177df84c90f0054d0f2adcae6f1885af
-
SHA256
39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82
-
SHA512
5986b98ac4ff98da5188b8d5ee53400a4a3bd7dfe3de70471b090c3c3d751f550f7ebd3757554e5976b069c1da1cc1cb69808504ac97987ae42e5152f72408e5
-
SSDEEP
49152:/5dVwPaFHTTgkAAn2IQ39y9rRF8v72yEh72yEE72yE72y5:RdW4lQw5RF8T
Score10/10-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
-
Size
487KB
-
MD5
f451292bbe0b4c16d244c251105de16a
-
SHA1
a527d277ccc25ad97ae64fb76767f1e2cda66ff2
-
SHA256
3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a
-
SHA512
d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a
-
SSDEEP
6144:MNDD+bHpEiGXQ4rnc+UI73whSk7MIhWI3tf5Jx/R7ZCe7w4uoVLdaPYZHuW31bZ+:MNncp0jUI73F0DhHbbzCMwI11b
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
-
Size
731KB
-
MD5
bd1050f3642d22733a30cd101f591713
-
SHA1
5a6553bea21e2df2307ed5c843072bcb023566be
-
SHA256
3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671
-
SHA512
6cc19b1df105d9f4e76c39f7be79c9a5a42fdb338a8b56b1d16e1343221e36552344fc30aa8c2bf4d48781694a412dcddb5858a36c643706bc778b0b8cc59883
-
SSDEEP
12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
-
Size
109KB
-
MD5
2da5e6b97759d3537cbd23e9fdb2b770
-
SHA1
cabbf38051fa6657e28a12dee92042e44d8b72cb
-
SHA256
4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5
-
SHA512
7ea710ed16326bd0841f403c9db260a20dfec5f22fe2fd85970d51764e612c4a495a7c9abec6999dc8e1a7134656a4d65994c8f4cc138bb353b43a7be9b1698b
-
SSDEEP
1536:jr7WmLwJll8imS4qZyNRMCuCDGSLf0Rc/cVjpnrRWKkystINby+xXm8lMwGHG6w:jmdyGSLfIFtnrRKysYyMWvpm6w
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
-
Size
1.2MB
-
MD5
dd831eb4a822421a497990d84a0fd578
-
SHA1
aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
-
SHA256
4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
-
SHA512
5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
-
SSDEEP
24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
-
Size
719KB
-
MD5
a7d3bd55656bdc04c270315d083b59c1
-
SHA1
a76453791867e4aaf4cd0551b70e52ced80b3fab
-
SHA256
5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33
-
SHA512
9233bbbbaed1bafaa296ae332713d0374594443dea06df83ebc9934ae0341ac7366a91c47cdd9b0877313ad1bbbf9b747f34e7cf75a1a21816463791cfdea861
-
SSDEEP
12288:wY2iNiw9WMA4snu2lpaSgsDLRK8RP8dSWhdWyGLiOkV2IPePH:wY1UnH4olpaSgsDlK2PKSWnWyqiJ2q
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
-
Size
765KB
-
MD5
a8e583583122cff4ea57a3062bb4aa3f
-
SHA1
b4a4bee8dbc966624f43273a500aa0ec1bbf1790
-
SHA256
68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4
-
SHA512
3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91
-
SSDEEP
12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
-
Size
2.1MB
-
MD5
ab6ca8e3d0c7967c6372a96334e6bb19
-
SHA1
58a2142787ffae164d4c78d97102ff652fecfc86
-
SHA256
6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5
-
SHA512
a50b4935510a1e6a7100b8eaed8301c8436138960c0932e54d7b59e79da3a0e60b702ccde2388b9c2d6f70d1cff8143bb055e0382b7af6d9788f498f2773c445
-
SSDEEP
49152:6aUQl+AM2inT6xlAT78y5hIl8JZ7a07xznKMj5RyXE1ID1u17:nLIAM2uumTIft+xznKMj58aIxu17
Score7/10-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1