General
-
Target
bf04933d506d9325ceecaa263a5ae72bf90a53030cf52f71b30aee05a9462124
-
Size
4.6MB
-
Sample
241104-vvytlawpaq
-
MD5
db3dc4e85ef7ea6cba96b6f307463a12
-
SHA1
9834b917bccc5c7ce7df7f4238e9b6b155b04b60
-
SHA256
bf04933d506d9325ceecaa263a5ae72bf90a53030cf52f71b30aee05a9462124
-
SHA512
94cea77da4c6c5343d3775c50b55afb02b65cf3824b9997cd340b72919a46690a2dbc78183f8489bd0427ae27a6c8ac40cfadb94b85bf56dddb9d7a9d9b8323a
-
SSDEEP
98304:2YMTO1sE82c5GJXG698NHlrP8FbMeFlj8WBdOn31K2H7Tg3+:2YwEptKh2IeIWBqXHB
Static task
static1
Behavioral task
behavioral1
Sample
5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
privateloader
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
Extracted
socelars
http://www.hhgenice.top/
Extracted
redline
media0421
91.121.67.60:23325
-
auth_value
e37d5065561884bb54c8ed1baa6de446
Extracted
redline
newjust
135.181.129.119:4805
-
auth_value
b69102cdbd4afe2d3159f88fb6dac731
Extracted
gcleaner
gcl-gb.biz
Extracted
vidar
47.8
916
https://mas.to/@romashkin
-
profile_id
916
Targets
-
-
Target
5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684
-
Size
4.7MB
-
MD5
93f7cfd3c022ed464cdcc4a13d8f48b3
-
SHA1
05e9c0722bae43249cfe1b9597325a47c00da1f1
-
SHA256
5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684
-
SHA512
c3b44c420ec8d28bd6df4451cdd6203cfe71cc515a8e56e4df8062ab451fbb6dfc5ed7681fad91d3f20309e0832468ac7eda0ac15d9cda9774320dc7c09b8727
-
SSDEEP
98304:xICvLUBsgYqbmtzs03GefVRgLECXbvgbLujlnCY:xVLUCgYqEBfrx8LALuZl
-
Gcleaner family
-
Nullmixer family
-
Onlylogger family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Socelars family
-
Socelars payload
-
Vidar family
-
OnlyLogger payload
-
Vidar Stealer
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1