Overview

overview

10

Static

static

10

0eac1dd90f...0d.exe

windows7-x64

10

0eac1dd90f...0d.exe

windows10-2004-x64

10

119f9287f4...9c.exe

windows7-x64

10

119f9287f4...9c.exe

windows10-2004-x64

10

202588cc1d...10.exe

windows7-x64

10

202588cc1d...10.exe

windows10-2004-x64

10

28b51218b1...09.exe

windows7-x64

10

28b51218b1...09.exe

windows10-2004-x64

10

583c56547b...6a.exe

windows7-x64

3

583c56547b...6a.exe

windows10-2004-x64

3

73782bd2a7...e8.exe

windows7-x64

10

73782bd2a7...e8.exe

windows10-2004-x64

10

d279fb4121...d7.exe

windows7-x64

10

d279fb4121...d7.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    515d4efa87e4dc9103d0d3f42c2b241177e6a5436be06b7f2cff9211be6ea1a6

  • Size

    43.7MB

  • Sample

    241106-3ypzvszlgw

  • MD5

    67451b3af2f010864ee5538219e5a7de

  • SHA1

    009d307b162414fef31d81dbf97ddf0a4355c883

  • SHA256

    515d4efa87e4dc9103d0d3f42c2b241177e6a5436be06b7f2cff9211be6ea1a6

  • SHA512

    c3a327aae559ee7eae1fc261a5d0482041762367833b5d6401f1146f7cd272637ac1c9e4256af1ddb184ac8d66a28f2407333a007a7490022e306e6e22ea6beb

  • SSDEEP

    786432:CbYJ5ZZ4dyaA4UQDo40vt+UR5T8dEc6NixfMlg8mNWKNEjwc/MhNAyS7/OK3HFHN:Cu5YQp4HqfX8x6uIgLNWQi/MhWd/33HD

Score
10/10
floxifneshtaredlinesectopratbuild4backdoordiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

build4

C2

45.139.236.36:33611

Targets

    • Target

      0eac1dd90fbafb505a3b627d166d9ef62db4e2df68da9bbc2e39db0573ecd00d

    • Size

      358KB

    • MD5

      350b0557936a6ed2d688f895cbbd50ad

    • SHA1

      1f6469a384f9af3489a189a8331d82cda0ec6613

    • SHA256

      0eac1dd90fbafb505a3b627d166d9ef62db4e2df68da9bbc2e39db0573ecd00d

    • SHA512

      6bacfa711c5dba242a4da1307153f0d423151fd6e5281f85f05ad64fc14b065275075992049d3e678591dcb51bd9b12d478bd7d04318d36c79c5b5a76fd11efb

    • SSDEEP

      6144:k9AZdOmF2ry5xxRG5YJyZyz8JsK1et+IFWBzMdNDlXK4tDk:9vB7sEeHZ2+3IjUAI

    Score
    10/10
    neshtadiscoverypersistencespywarestealer

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Neshta family

      neshta

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

    • Target

      119f9287f46d3ed3888403c3c21054974a0e8926ef247fc065164a8d58303c9c

    • Size

      2.4MB

    • MD5

      d4bfc09f4e75c9eef1ead04768aaabc9

    • SHA1

      7b9fe73a44da7b5b7b1c8743b8227e07723c8175

    • SHA256

      119f9287f46d3ed3888403c3c21054974a0e8926ef247fc065164a8d58303c9c

    • SHA512

      345a4248cedf541acb667925893db6d3660102ee9e5df9086d69cd03719e038f3f7fae01f1b7a21235a7b57ad2aa49c0d044db793eb2ac9a509e9f355d2a81a6

    • SSDEEP

      24576:WNisxv4HA62oNMBzF0MkcFRGP4/G/iE/K3LI7DE3Q1V+Z02cyxxGj:CisqNAz2sGPYspK393bZ02cyx6

    Score
    10/10
    redlinesectopratbuild4discoveryinfostealerrattrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10

    • Size

      4.6MB

    • MD5

      c7620b77d05f9dac8105469b7d0c854f

    • SHA1

      5368819b5aa8db1ee7f5cc5b4b50ecb6aa6faf55

    • SHA256

      202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10

    • SHA512

      0fb1e57e2fd053bacbba7a0aabc00c162432c33a9332bac2c45036173fccbe5bebc2906568d2facea4fcf0963dcfcb557bff932dbb2dc2ec5b8cd736213101d3

    • SSDEEP

      98304:I1qaURDb8PNfMVNnlqKL0T/46KhPLQYVVW4G1jOUc/hItwGn:I1zsf8PNfkl/m4zdLQYPZGNI/hmVn

    Score
    10/10
    evasionexecutionpersistencetrojan

    • Modifies Windows Defender notification settings

      evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209

    • Size

      4.6MB

    • MD5

      6c8e7b9edb130c9dab130f66f9bad1c3

    • SHA1

      332e1d7efdf2dc5ecaf6349db417f143b48d60e3

    • SHA256

      28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209

    • SHA512

      74998f93ff487d554c7734e5e7be148a0811d71164447c2a6816469338cc1b00b201e28b2ae01aa3162f63f8908782626206d84a8d62bb64960d0aa8ef38f6c3

    • SSDEEP

      98304:N1Mie3EZD4qxp6QQ7Xs/Vd28BfkFsIjfxVFms:N17ZDxpFQ7XYZfkFsEf8s

    Score
    10/10
    evasionexecutionpersistencetrojan

    • Modifies Windows Defender notification settings

      evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence
    behavioral7behavioral8

    • Target

      583c56547b1a00fcb4c0f4920998e0c0ee812691c2bfae7a643dab639e7faa6a

    • Size

      957KB

    • MD5

      d4c108f52d1ab06f96ce081199bcfb31

    • SHA1

      3cf70a986e72b14bdd11e51625a4e81e6b8bf789

    • SHA256

      583c56547b1a00fcb4c0f4920998e0c0ee812691c2bfae7a643dab639e7faa6a

    • SHA512

      2dd84482f2c38120d4b4e29565b1bdaf27844f5797bc469e20196cba65a822ec9e26b4e07b5a505b310b034f0539f21e24f5b525d2fe116e95e9566a7503fa44

    • SSDEEP

      24576:EQSyyuBxEdF4cbi1mKp4JCZQ5vabA8JEFn:1VEdFnU4CZJI

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      73782bd2a7e22ad9b0cf75db952caac03b1db76549dfa8d79d68af50056359e8

    • Size

      753KB

    • MD5

      c2cdc14235b70d09dbad55af6202d7eb

    • SHA1

      72145ec4baac4c0839c409a028aa473a7403673b

    • SHA256

      73782bd2a7e22ad9b0cf75db952caac03b1db76549dfa8d79d68af50056359e8

    • SHA512

      b1bd8d30c399ef18b2cc473778ab26b9489dec6cbe1b921b043fdaa3bd99a4e6796be1db5f02490da606cf48096c9b538e47fd6422c93084d1774688095086e7

    • SSDEEP

      12288:w3rHcIck2bHbGVItlponOR0dHc3mlasg1wvIVtfBl858QFGBqM8f:w3BwO1nDH2BXrk58QFmEf

    Score
    10/10
    discoveryevasionpersistencetrojanupx

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral11behavioral12

    • Target

      d279fb4121b6a7e552133823a497b4d2502b1494bc0864e2c8689fe92eef7fd7

    • Size

      32.2MB

    • MD5

      cb3eb826c1c6e385209f0be254c03dfc

    • SHA1

      abbf755333db672605802aa1ebaf3b1f2f0fdb6b

    • SHA256

      d279fb4121b6a7e552133823a497b4d2502b1494bc0864e2c8689fe92eef7fd7

    • SHA512

      b448c6fbd518cc3e146974b3f823412caa5229a3971c15a7d445b30a6ef8a92eb5e1db43e53ad0fa8c03705fc3ac0eea66b458108b11aff3d082e864a1f580b8

    • SSDEEP

      786432:BzH0kJTHa3EEITUJRAikwZbvQBnOtNsf2jd8AwvDkQ7rt3A+6x:BNFarIIGirZDAZf2j+LDl7rtY

    Score
    10/10
    floxifbackdoordiscoverypersistenceprivilege_escalationtrojanupx

    • Floxif family

      floxif

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

      backdoortrojanfloxif

    • Detects Floxif payload

      backdoor

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral13behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

7
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

upxneshta
Score
10/10

behavioral1

neshtadiscoverypersistencespywarestealer
Score
10/10

behavioral2

neshtadiscoverypersistencespywarestealer
Score
10/10

behavioral3

redlinesectopratbuild4discoveryinfostealerrattrojan
Score
10/10

behavioral4

redlinesectopratbuild4discoveryinfostealerrattrojan
Score
10/10

behavioral5

evasionexecutionpersistencetrojan
Score
10/10

behavioral6

evasionexecutionpersistencetrojan
Score
10/10

behavioral7

evasionexecutionpersistencetrojan
Score
10/10

behavioral8

evasionexecutionpersistencetrojan
Score
10/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discoveryevasionpersistencetrojanupx
Score
10/10

behavioral12

discoveryevasionpersistencetrojanupx
Score
10/10

behavioral13

floxifbackdoordiscoverypersistenceprivilege_escalationtrojanupx
Score
10/10

behavioral14

floxifbackdoordiscoverytrojanupx
Score
10/10