Overview

overview

10

Static

static

10

silly.zip

windows7-x64

1

silly.zip

windows10-2004-x64

1

bfc092b384...af.zip

windows7-x64

1

bfc092b384...af.zip

windows10-2004-x64

1

1/08b76206...65.exe

windows7-x64

10

1/08b76206...65.exe

windows10-2004-x64

10

1/0e4fc438...91.exe

windows7-x64

3

1/0e4fc438...91.exe

windows10-2004-x64

10

1/0fb86a8b...05.exe

windows7-x64

10

1/0fb86a8b...05.exe

windows10-2004-x64

10

1/25898c73...8f.exe

windows7-x64

10

1/25898c73...8f.exe

windows10-2004-x64

10

1/2c2e9491...3c.exe

windows7-x64

3

1/2c2e9491...3c.exe

windows10-2004-x64

10

1/2ef0f582...2e.exe

windows7-x64

3

1/2ef0f582...2e.exe

windows10-2004-x64

10

1/39884fc0...82.exe

windows7-x64

10

1/39884fc0...82.exe

windows10-2004-x64

10

1/3a72ecec...8a.exe

windows7-x64

10

1/3a72ecec...8a.exe

windows10-2004-x64

10

1/3bfcb4f7...71.exe

windows7-x64

10

1/3bfcb4f7...71.exe

windows10-2004-x64

10

1/4103411f...f5.exe

windows7-x64

10

1/4103411f...f5.exe

windows10-2004-x64

10

1/4e0fdb84...95.exe

windows7-x64

3

1/4e0fdb84...95.exe

windows10-2004-x64

7

1/5297372f...33.exe

windows7-x64

5

1/5297372f...33.exe

windows10-2004-x64

5

1/68292f38...e4.exe

windows7-x64

3

1/68292f38...e4.exe

windows10-2004-x64

10

1/6da4696b...e5.exe

windows7-x64

7

1/6da4696b...e5.exe

windows10-2004-x64

7

Resubmissions

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    silly.zip

  • Size

    20.2MB

  • Sample

    240809-1t1vfs1cpm

  • MD5

    e6223205e5424612c074648b87487e31

  • SHA1

    25d6ce1b0c91a5cdd1a5127537dce9c68c008a95

  • SHA256

    3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

  • SHA512

    9d6561386ff20c51eab8c3579a5fa64dba38914912ee41f4b00e0f322935c082f48320b6e1d5f96e1ab67c04c5736cda9ea1b874a9d5e34fa876b1b64dd2f3e6

  • SSDEEP

    393216:OuLfnQ/LwLbzfsnoUH46mHGquJZgh98gTOm7RGP4x11QtD2s:nLfYLYHsnbl6vnObEI6s

Score
10/10
agentteslaasyncratbabylonratlockbitredlinestealcxworm6951125327defaulthellocredential_accessdefense_evasiondiscoveryexecutioninfostealerkeyloggerpersistenceransomwareratspywarestealertrojanupx

Malware Config

Extracted

Family

stealc

Botnet

hello

C2

http://85.28.47.70

Attributes
  • url_path

    /570d5d5e8678366c.php

Extracted

Family

xworm

C2

schools-copper.gl.at.ply.gg:14154

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276

Extracted

Family

redline

Botnet

6951125327

C2

https://t.me/+7Lir0e4Gw381MDhi

https://steamcommunity.com/profiles/76561199038841443

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

82.65.19.134:4443

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C1A2E0C1963505526 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.libreriagandhi.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    x6p2^m#1#~+O

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.101

Attributes
  • url_path

    /f3ee98d7eec07fb9.php

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C6EC022FD604BEDC8 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Targets

    • Target

      silly.zip

    • Size

      20.2MB

    • MD5

      e6223205e5424612c074648b87487e31

    • SHA1

      25d6ce1b0c91a5cdd1a5127537dce9c68c008a95

    • SHA256

      3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

    • SHA512

      9d6561386ff20c51eab8c3579a5fa64dba38914912ee41f4b00e0f322935c082f48320b6e1d5f96e1ab67c04c5736cda9ea1b874a9d5e34fa876b1b64dd2f3e6

    • SSDEEP

      393216:OuLfnQ/LwLbzfsnoUH46mHGquJZgh98gTOm7RGP4x11QtD2s:nLfYLYHsnbl6vnObEI6s

    Score
    1/10
    behavioral1behavioral2

    • Target

      bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf.zip

    • Size

      20.2MB

    • MD5

      05543d62dd8e652936165c212ca0980a

    • SHA1

      f0c13e272c06cc945891d3508e341c1b5550a8e9

    • SHA256

      bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf

    • SHA512

      3cae5f69d3a7beffcb357b668b00a2223d3e616eb29564ed978138c80d9245af3ef77d78a86365039e745d430dac6d8e0a75d683c38f45024a6c9193bebc70ee

    • SSDEEP

      393216:8rniuKDJ1KA/oaXpBbD3QRDqeyNrQ/MR50eaJ92Bc0bU4BVzjfBzGct9/ug5Hd3w:8rOJsA/dBb7Qg3rQ0Q0TUcBzj/ugNd3w

    Score
    1/10
    behavioral3behavioral4

    • Target

      1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe

    • Size

      161KB

    • MD5

      855da30648c0d4f4e2497470ece750bf

    • SHA1

      4f45dae1b578ddd47a0d62b59e5fbc9a4f11e58a

    • SHA256

      08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65

    • SHA512

      948b66613c1e494e445a8fb7eff553345385ca0cd468c500397ea7c3bd02bc6163930759b057f98c9245c118205e0166023fee4e13135ef677947619d184d393

    • SSDEEP

      3072:/9gyPX977bb+Vnh9N47rL74qBlslaubyAWEktPZsZ:/yMZPb+Vnh9CLtkauehEkf

    Score
    10/10
    stealchellodiscoverystealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral5behavioral6

    • Target

      1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe

    • Size

      389KB

    • MD5

      35a50d146a389289bf8cf8ae60c9e785

    • SHA1

      eb94502d25789eb86dc160c2bc9be4b4a64131bd

    • SHA256

      0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791

    • SHA512

      9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada

    • SSDEEP

      6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO

    Score
    10/10
    discoverystealcdefaultstealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

    • Size

      146KB

    • MD5

      2357ecbcf3b566c76c839daf7ecf2681

    • SHA1

      89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

    • SHA256

      0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

    • SHA512

      bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

    • SSDEEP

      3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

    Score
    10/10
    defense_evasiondiscoveryransomwarespywarestealer

    • Renames multiple (605) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral10behavioral9

    • Target

      1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe

    • Size

      1.0MB

    • MD5

      631e3c5465349fdfd6fc2fbe9c15cf65

    • SHA1

      af9e5b3d8ca4b6c64b69876b9cad6a18476f0168

    • SHA256

      25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f

    • SHA512

      31c6c58a5ec3d26e67a20f46df689fcfe69e90dffeaa36183630cc2cfa20d7fc07e19efe551f65f9606e435e26e2daf50b2275ee4b1cd7ab6b3641bef1552b93

    • SSDEEP

      24576:GAHnh+eWsN3skA4RV1Hom2KXMmHasvktOpBS5:hh+ZkldoPK8Yasvkt+2

    Score
    10/10
    agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe

    • Size

      338KB

    • MD5

      6f1e400bcf79c773832b3ca2aab94d3d

    • SHA1

      8a1724e7f0df1b8bb22413751908b76f72498121

    • SHA256

      2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c

    • SHA512

      2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a

    • SSDEEP

      6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO

    Score
    10/10
    discoveryredline6951125327infostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe

    • Size

      338KB

    • MD5

      d5ad720fa67bbce2d11544ad3c211424

    • SHA1

      e9f63402b2eaabbdcc6cb5ec95e328f9620cd170

    • SHA256

      2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e

    • SHA512

      d8a8ae60abec80b7cfd7c9b9bc19d2f2594d1ecee0a28cf9a2f545afc7ef0ee59ca7a073edb8415f006662ed2095f9f3c190abed5023b81e094724c04ba153c6

    • SSDEEP

      6144:RY1jkmalKcYdvkMEdRE29UHYOhQWr3y/7qpKfQmhapjXFISRn2di8bEO:RcEKc+kMcI+IKImcFISAi8bEO

    Score
    10/10
    discoveryredline6951125327infostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe

    • Size

      3.3MB

    • MD5

      7cdff219ccaaa4c4d67448e9e812f2de

    • SHA1

      a063103f177df84c90f0054d0f2adcae6f1885af

    • SHA256

      39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82

    • SHA512

      5986b98ac4ff98da5188b8d5ee53400a4a3bd7dfe3de70471b090c3c3d751f550f7ebd3757554e5976b069c1da1cc1cb69808504ac97987ae42e5152f72408e5

    • SSDEEP

      49152:/5dVwPaFHTTgkAAn2IQ39y9rRF8v72yEh72yEE72yE72y5:RdW4lQw5RF8T

    Score
    10/10
    babylonratdiscoverytrojanupx

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe

    • Size

      487KB

    • MD5

      f451292bbe0b4c16d244c251105de16a

    • SHA1

      a527d277ccc25ad97ae64fb76767f1e2cda66ff2

    • SHA256

      3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a

    • SHA512

      d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a

    • SSDEEP

      6144:MNDD+bHpEiGXQ4rnc+UI73whSk7MIhWI3tf5Jx/R7ZCe7w4uoVLdaPYZHuW31bZ+:MNncp0jUI73F0DhHbbzCMwI11b

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral19behavioral20

    • Target

      1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe

    • Size

      731KB

    • MD5

      bd1050f3642d22733a30cd101f591713

    • SHA1

      5a6553bea21e2df2307ed5c843072bcb023566be

    • SHA256

      3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

    • SHA512

      6cc19b1df105d9f4e76c39f7be79c9a5a42fdb338a8b56b1d16e1343221e36552344fc30aa8c2bf4d48781694a412dcddb5858a36c643706bc778b0b8cc59883

    • SSDEEP

      12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2

    Score
    10/10
    agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe

    • Size

      109KB

    • MD5

      2da5e6b97759d3537cbd23e9fdb2b770

    • SHA1

      cabbf38051fa6657e28a12dee92042e44d8b72cb

    • SHA256

      4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5

    • SHA512

      7ea710ed16326bd0841f403c9db260a20dfec5f22fe2fd85970d51764e612c4a495a7c9abec6999dc8e1a7134656a4d65994c8f4cc138bb353b43a7be9b1698b

    • SSDEEP

      1536:jr7WmLwJll8imS4qZyNRMCuCDGSLf0Rc/cVjpnrRWKkystINby+xXm8lMwGHG6w:jmdyGSLfIFtnrRKysYyMWvpm6w

    Score
    10/10
    redline6951125327discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral23behavioral24

    • Target

      1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe

    • Size

      1.2MB

    • MD5

      dd831eb4a822421a497990d84a0fd578

    • SHA1

      aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b

    • SHA256

      4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95

    • SHA512

      5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e

    • SSDEEP

      24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral25behavioral26

    • Target

      1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe

    • Size

      719KB

    • MD5

      a7d3bd55656bdc04c270315d083b59c1

    • SHA1

      a76453791867e4aaf4cd0551b70e52ced80b3fab

    • SHA256

      5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33

    • SHA512

      9233bbbbaed1bafaa296ae332713d0374594443dea06df83ebc9934ae0341ac7366a91c47cdd9b0877313ad1bbbf9b747f34e7cf75a1a21816463791cfdea861

    • SSDEEP

      12288:wY2iNiw9WMA4snu2lpaSgsDLRK8RP8dSWhdWyGLiOkV2IPePH:wY1UnH4olpaSgsDlK2PKSWnWyqiJ2q

    Score
    5/10
    discovery

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe

    • Size

      765KB

    • MD5

      a8e583583122cff4ea57a3062bb4aa3f

    • SHA1

      b4a4bee8dbc966624f43273a500aa0ec1bbf1790

    • SHA256

      68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4

    • SHA512

      3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91

    • SSDEEP

      12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE

    Score
    10/10
    discoveryredline6951125327infostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

    • Target

      1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe

    • Size

      2.1MB

    • MD5

      ab6ca8e3d0c7967c6372a96334e6bb19

    • SHA1

      58a2142787ffae164d4c78d97102ff652fecfc86

    • SHA256

      6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5

    • SHA512

      a50b4935510a1e6a7100b8eaed8301c8436138960c0932e54d7b59e79da3a0e60b702ccde2388b9c2d6f70d1cff8143bb055e0382b7af6d9788f498f2773c445

    • SSDEEP

      49152:6aUQl+AM2inT6xlAT78y5hIl8JZ7a07xznKMj5RyXE1ID1u17:nLIAM2uumTIft+xznKMj58aIxu17

    Score
    7/10
    discoverypersistence

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

6
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks

static1

hello6951125327ratdefaultstealclockbitxwormredlineasyncrat
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

stealchellodiscoverystealer
Score
10/10

behavioral6

stealchellodiscoverystealer
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

stealcdefaultdiscoverystealer
Score
10/10

behavioral9

defense_evasiondiscoveryransomwarespywarestealer
Score
10/10

behavioral10

defense_evasiondiscoveryransomwarespywarestealer
Score
10/10

behavioral11

agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral12

agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

redline6951125327discoveryinfostealer
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

redline6951125327discoveryinfostealer
Score
10/10

behavioral17

babylonratdiscoverytrojanupx
Score
10/10

behavioral18

babylonratdiscoverytrojanupx
Score
10/10

behavioral19

xwormexecutionpersistencerattrojan
Score
10/10

behavioral20

xwormexecutionpersistencerattrojan
Score
10/10

behavioral21

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan
Score
10/10

behavioral22

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan
Score
10/10

behavioral23

redline6951125327discoveryinfostealer
Score
10/10

behavioral24

redline6951125327discoveryinfostealer
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
7/10

behavioral27

discovery
Score
5/10

behavioral28

discovery
Score
5/10

behavioral29

discovery
Score
3/10

behavioral30

redline6951125327discoveryinfostealer
Score
10/10

behavioral31

discoverypersistence
Score
7/10

behavioral32

discoverypersistence
Score
7/10