General
Target: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
Size: 3.4MB
Sample: 240821-kv1cbazcma
MD5: efa310ffcb46aa3768de9aae3a8fdcda
SHA1: fc57edeadc23e53610eb75881fc7d2cecc847387
SHA256: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SHA512: 22578db72219ab2d80876d025475d74ec05db4a575d0b5c890033bb7cda9bcbf648217e6d140388643280802566b4fc4c77cd78f01d9d3f28b5594c2e406432d
SSDEEP: 98304:JDxSfQksG3P/rm5AUfWo7lvZTkKXUx5KyChc2tpi:JDkQbCK5Qo7lviyUocypi
Static task: static1
Behavioral task: behavioral1
  Sample: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
  Resource: win10v2004-20240802-en
Malware Config
Extracted: nullmixer
  http://hsiens.xyz/
Extracted: privateloader
  http://45.133.1.107/server.txt
  pastebin.com/raw/A7dSG1te
  http://wfsdragon.ru/api/setStats.php
  51.178.186.149
Extracted: redline
  she
  135.181.129.119:4805
  auth_value: b69102cdbd4afe2d3159f88fb6dac731
Extracted: redline
  media11
  91.121.67.60:2151
  auth_value: e37d5065561884bb54c8ed1baa6de446
Extracted: redline
  ANI
  45.142.215.47:27643
  auth_value: 9491a1c5e11eb6097e68a4fa8627fda8
Extracted: gcleaner
  ggg-cl.biz
  45.9.20.13
Targets

Target: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
Size: 3.4MB
MD5: efa310ffcb46aa3768de9aae3a8fdcda
SHA1: fc57edeadc23e53610eb75881fc7d2cecc847387
SHA256: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SHA512: 22578db72219ab2d80876d025475d74ec05db4a575d0b5c890033bb7cda9bcbf648217e6d140388643280802566b4fc4c77cd78f01d9d3f28b5594c2e406432d
SSDEEP: 98304:JDxSfQksG3P/rm5AUfWo7lvZTkKXUx5KyChc2tpi:JDkQbCK5Qo7lviyUocypi
- Detect Fabookie payload
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: setup_installer.exe
Size: 3.4MB
MD5: 264fbe02a8acae2ba9a5144f8b947aae
SHA1: 3de9e174bb8105895c3ef65fe49233cbb34b8778
SHA256: ab3f08d6cfe4107ef0a285ce7862846169ec0e0f942b146e27e90919e48f9e24
SHA512: 11e0a03eb5004159a1c7dc84bb52caa7394740b87e375ce2be0701bd8b12445af01ee22ac7f9c91516b53cfca7e13619623524122d489e34946038732a2fe067
SSDEEP: 98304:xsCvLUBsg8IAEVN9nlglKZlLyCBk0v4W7W4YUMw8MB:xxLUCg57LyCBkYW43RRB
- Detect Fabookie payload
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext