Overview

Analysis tasks and scores (score as shown on the report, out of 10):
Overview: 10/10
Static: 3/10
FileApp.exe (windows7-x64): 10/10
FileApp.exe (windows10-2004-x64): 7/10
mi/CbsCore.dll (windows10-2004-x64): 3/10
mi/libglib-2.0-0.dll (windows7-x64): 3/10
mi/libglib-2.0-0.dll (windows10-2004-x64): 3/10
mi/meshsystem.dll (windows7-x64): 1/10
mi/meshsystem.dll (windows10-2004-x64): 1/10
mi/tmp/Pre...re.dll (windows7-x64): 3/10
mi/tmp/Pre...re.dll (windows10-2004-x64): 3/10
mi/tmp/cmi...rt.dll (windows10-2004-x64): 3/10
mi/tmp/msc...ks.dll (windows7-x64): 3/10
mi/tmp/msc...ks.dll (windows10-2004-x64): 3/10
mi/tmp/upd...nt.dll (windows10-2004-x64): 3/10
mi/wcp.dll (windows10-2004-x64): 3/10

General

Target: archi743.7z
Size: 7.7MB
Sample: 240830-jwh9ratdna
MD5: 59f4f9ea8bf1a099b379a618d5d4ba79
SHA1: 0a7bbf4afbbffe733faad435b18426f57e759696
SHA256: 22c87c01fb31d7ae241eeaa7d560e3c063ba68bfdd519533927929a66f618c9c
SHA512: 6a04aaa1c26d1129bd14d9e366ab027f397ea041a09ffcd0ac34e347f6b761aa3c157d992883b918882ef6eafcc58ad653ce254b333077774b8d10a6219621a6
SSDEEP: 196608:j0ZE4drEta86a1CThRAQ2tflMWXclhvv8Ye6aYII4tEGfYX:A1dr0uhRAntVXcnXbGtEGfI
Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: FileApp.exe, win7-20240708-en
behavioral2: FileApp.exe, win10v2004-20240802-en
behavioral3: mi/CbsCore.dll, win10v2004-20240802-en
behavioral4: mi/libglib-2.0-0.dll, win7-20240705-en
behavioral5: mi/libglib-2.0-0.dll, win10v2004-20240802-en
behavioral6: mi/meshsystem.dll, win7-20240704-en
behavioral7: mi/meshsystem.dll, win10v2004-20240802-en
behavioral8: mi/tmp/PresentationCore.dll, win7-20240704-en
behavioral9: mi/tmp/PresentationCore.dll, win10v2004-20240802-en
behavioral10: mi/tmp/cmiaisupport.dll, win10v2004-20240802-en
behavioral11: mi/tmp/mscordacwks.dll, win7-20240729-en
behavioral12: mi/tmp/mscordacwks.dll, win10v2004-20240802-en
behavioral13: mi/tmp/updateagent.dll, win10v2004-20240802-en
behavioral14: mi/wcp.dll, win10v2004-20240802-en
Malware Config

Extracted: vidar
  10.8
  1f3c236c672ff2ffe017b396f834c66e
  http://147.45.68.138:80
  https://steamcommunity.com/profiles/76561199761128941
  https://t.me/iyigunl
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Extracted: stealc
  default
  http://46.8.231.109
  url_path: /c4754d4f680ead72.php

Extracted: stealc
  leva
  http://185.215.113.100
  url_path: /e2b1563c6670f193.php

Extracted: redline
  LogsDiller Cloud (TG: @logsdillabot)
  147.45.47.251:2149

Extracted: lumma
  https://awwardwiqi.shop/api
  https://locatedblsoqp.shop/api
  https://traineiwnqo.shop/api
Targets

Target: FileApp.exe
Size: 743.0MB
MD5: d0ed6e42966d004ac554d91ac06aaf76
SHA1: b6ad260289983fb23ddee3057b2e8ca1823789c9
SHA256: 292c837b6bd1831a84fce1528cc1666ba42eddae362594de068498dd88ccb164
SHA512: 50946a555e0a59b9fc48b53bcd8e16dfa34e45f4704cfa30726b47b954ace8930c891d659003717900a99d618c1d8c4edf9d888058473eadee22aa352c437fc2
SSDEEP: 49152:CFeCpd9HxrLr9xHMtMFRgUkYxZKXkgW9pUgLMRXlhWZ+52GeqooQ7wtwrn:CwCpbU2XZgWukZ+VDooyswrn

Signatures:
- Detect Vidar Stealer
- RedLine. RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copying of, a web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
- Downloads MZ/PE file
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings. Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys. Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files. Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings. powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Enumerates processes with tasklist
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: mi/CbsCore.dll
Size: 2.1MB
MD5: 6ce2e6469625d238d523aeea1a03c13d
SHA1: f0b9c78eeb6769feb29f703991984802fcab8857
SHA256: 75de17d67a5f40fef8648ab9c452ce5b2834237a19d92ed7427c3c33b46562e8
SHA512: 7bcc637db986a94c833dc39b485b12853be81278af8e927e91e17a9c471a8f89dd0fa0b7a7b1f269c0eed9f5a87cd9265399526412c763ebe1cd485bdbaeba6f
SSDEEP: 49152:EqRcwBxPtk2MB7fNmkBKTHg8WkRdNgLqAFE754o56x:EqRcWPtk287fjBKT7WkRd6qAFE75g
Score: 3/10

Target: mi/libglib-2.0-0.dll
Size: 1.2MB
MD5: 18e88b04da123bf05b07ff60a4e96654
SHA1: f46cd8411e579da9f31749809a5707fecb28b7db
SHA256: c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde
SHA512: 735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4
SSDEEP: 24576:Cizs37Kr7hSWn/4bHGA+fWynbzTexXdQSdRImTBm0VmavJUgucuVEv5z:Ciy70n4jGwynbzTex+SdR9TBpVmhgM2
Score: 3/10

Target: mi/meshsystem.dll
Size: 1.2MB
MD5: 39eed2616c86e03ef23007e7bf4f0613
SHA1: c87d0b9d3aeccd5239aca85d8a4b2256fdf922ed
SHA256: b5b13a820ab317abf5142368b30231de9ff21345e32ef1f9aa03e74c6c511c3a
SHA512: b14f4f5a8f97e200a78810378d5968f0a40a3621efa8fd9f9dde29095273cca6e860bfe9e913e19ade619f33a50bd7890618cc869b48e41644efd04933ac29cc
SSDEEP: 12288:pYpDYxT6Nbe1shgrOyUUgCkxPrxSuUVMSWcA/JC98kcWjXcJdqRJgguA9ansN6Ma:pnxT0bMnsXUWJhhC9aZYrgGJy
Score: 1/10

Target: mi/tmp/PresentationCore.dll
Size: 4.0MB
MD5: 196ef466d99343e89ce3e384eb7ff615
SHA1: e8328dbdd6608bfc2ac37b2d4ca98169daa3d428
SHA256: 14c0eca6c6c09423dc6681c549c56c3da9001ab6ac9f1a0518c7ef8ed3292900
SHA512: 6c11ccdc25336df99d97bde9882947f56a04fc7ff0ff00c837067d2bdd7eafe57c37f9b0ce836391d0e632089136a4c72087fc5b86dda8bcfae3822a79f01d5a
SSDEEP: 49152:QWYdDqsaUbdG8XDMML1Tht9k5tFLW171o/VP45O0o:QWYdDqsaUbdG8XDTL1TFk5tFLW1G
Score: 3/10

Target: mi/tmp/cmiaisupport.dll
Size: 1.6MB
MD5: 68449b2b4f0501e49dda0cef00e950f2
SHA1: fc7e200d12a4518b625c8af20a12d60d6ea2f220
SHA256: 175bde039507f02b84b3e367c35e5eb463b36a942feed24e5293d6171c851e9d
SHA512: 7a96a88e282589b1a829373b78619b8bd0bbaa521760ad0945134192c246c7c9d689817d80a8ce3c518efa2caeb04e28d042ecfadf634ba42ba9b9ae4882a5f2
SSDEEP: 24576:YVxy0MFZqBSdCQDmnpUgaeitdVXenH+s76rjc0CTOIk9E/Ec3ndp18RTsn4ODmcv:YVIqBSdvDypUoEc3d78Ns9DmnuwQOmp
Score: 3/10

Target: mi/tmp/mscordacwks.dll
Size: 1.3MB
MD5: d0ee513805aa4cc9ef6e9c6b27939035
SHA1: 848709ac5c8984c48bdf5b67f7534cb37068a1ea
SHA256: 133ede25f199de80ad751258c44639c95d08e899be25c458ec98e02428536889
SHA512: 89db8457170885eb422c9898c65340a4207ddac84e3b291c61ad95683d2b18eb5331cb453ed27585469e1663434a4507d7fcd4a9e36b5d41b36e21e8bc863923
SSDEEP: 24576:/BbmstF7FYcu1YOP9zWxKVFOZEjrm9eAyYd9aGdNdOvTh5D/vzN4EnC/mCkaZs:pltfYcEn9zWOvTCjI7DHx4KYmCkaZs
Score: 3/10

Target: mi/tmp/updateagent.dll
Size: 2.0MB
MD5: 3629dc4d1eb8ecbbe42f4deee407865f
SHA1: 99737fc8bd13eb56e3e933b92fc9b4ee65ad4989
SHA256: 88a6adc03576cb8e2d5616e47205493195c257f4d12fb832dfd91f8920fc0697
SHA512: 9a6ba384d4a880cfb85c63d5a7535d65163a16e51bde45a544b7ca02925a671a3fc4774a2efdc6d962a6b44a7175176bf5313c61fef8d217249c12dbd7b92c4a
SSDEEP: 49152:yqRRcz9BPGAfBelw99MFJ6d8NfEz1L9tsDU7akEtlYTr8XdSx+jyfZ0A:tRRcjGAfBelw9OFwd8Ncz3+DU7C/grBr
Score: 3/10

Target: mi/wcp.dll
Size: 3.1MB
MD5: de6c5dc9968e59957eade9e2244aebd8
SHA1: ad2fa90f6d215666127c0a27c47d15e5f7ad7123
SHA256: b1bb713f8dabcc297284149af7ca6f74a6c4c28503e9f9f0721303566ce2273d
SHA512: 2501f4cc93a8c041c74283e3b41b764912f62b4559df2dd8ba9f2c729cbc79c1f4721e084c54b0eb5ea3930f7fc878cda1762f9d5d6cde781655f7bc7cc590ae
SSDEEP: 49152:OvChBvd9eTQkTag1BYBYq3Agvjgl4iUD5Q9qh94hRogwKQEJbULui826gPuu7UvS:OBNq3AgvjglPUVQEh94rogxQDad5fC
Score: 3/10
MITRE ATT&CK Enterprise v15 (technique: sub-technique, with the number of matching signatures in parentheses)

Execution
  Scheduled Task/Job (1): Scheduled Task (1)
  System Services (2): Service Execution (2)

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
  Power Settings (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
  Scheduled Task/Job (1): Scheduled Task (1)

Defense Evasion
  Impair Defenses (1)
  Modify Registry (2)
  Subvert Trust Controls (1): Install Root Certificate (1)
  Virtualization/Sandbox Evasion (2)

Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (4): Credentials In Files (4)