Overview
overview
10Static
static
106c5db6dce1...3e.exe
windows7-x64
106c5db6dce1...3e.exe
windows10-2004-x64
10DusBrowserInst.exe
windows7-x64
6DusBrowserInst.exe
windows10-2004-x64
6IDWCH2.exe
windows7-x64
7IDWCH2.exe
windows10-2004-x64
7Litever01.exe
windows7-x64
10Litever01.exe
windows10-2004-x64
10NAN.exe
windows7-x64
10NAN.exe
windows10-2004-x64
10anyname.exe
windows7-x64
3anyname.exe
windows10-2004-x64
3app.exe
windows7-x64
10app.exe
windows10-2004-x64
10askinstall50.exe
windows7-x64
10askinstall50.exe
windows10-2004-x64
10farlab_setup.exe
windows7-x64
7farlab_setup.exe
windows10-2004-x64
7inst002.exe
windows7-x64
10inst002.exe
windows10-2004-x64
10jamesnew.exe
windows7-x64
3jamesnew.exe
windows10-2004-x64
3justdezine.exe
windows7-x64
10justdezine.exe
windows10-2004-x64
10md3_3kvm.exe
windows7-x64
10md3_3kvm.exe
windows10-2004-x64
10mixseven.exe
windows7-x64
10mixseven.exe
windows10-2004-x64
10redcloud.exe
windows7-x64
10redcloud.exe
windows10-2004-x64
10udptest.exe
windows7-x64
10udptest.exe
windows10-2004-x64
10General
-
Target
f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113
-
Size
14.7MB
-
Sample
241108-b33b7svmcm
-
MD5
36e895cac68782276f49144d8904f79e
-
SHA1
411476265cdb80d2119ae49c34c6700a36577657
-
SHA256
f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113
-
SHA512
db7e7997e7017fc083b067aa9a610be84e425a5a562829a02dd3650b0dcf42a4ced706a69d27b7e86ce503558b13f9791b107f4281b0f4845e1d83a874e24550
-
SSDEEP
393216:/OFW3CWhhMLh2BJcqpGZLvH023cP1vlhaR/nW67:/OFW3CWIIchL+2Rvf
Behavioral task
behavioral1
Sample
6c5db6dce13ded4e0e6c7e9a526b063e.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
6c5db6dce13ded4e0e6c7e9a526b063e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
DusBrowserInst.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
DusBrowserInst.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
IDWCH2.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
IDWCH2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Litever01.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Litever01.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
NAN.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
NAN.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
anyname.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
anyname.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
app.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
app.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
askinstall50.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
askinstall50.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
farlab_setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
farlab_setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
inst002.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
inst002.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
jamesnew.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
jamesnew.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
justdezine.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
justdezine.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
md3_3kvm.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
md3_3kvm.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
mixseven.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
mixseven.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
redcloud.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
redcloud.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
udptest.exe
Resource
win7-20240903-en
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
Extracted
redline
1.22
95.211.185.27:42097
Extracted
metasploit
windows/single_exec
Extracted
redline
NANani
87.251.71.14:89
Extracted
smokeloader
pub3
Extracted
ffdroider
http://186.2.171.3
Extracted
gcleaner
194.145.227.161
Extracted
redline
test
193.56.146.78:51487
Extracted
vidar
40.1
933
https://eduarroma.tumblr.com/
-
profile_id
933
Targets
-
-
Target
6c5db6dce13ded4e0e6c7e9a526b063e.exe
-
Size
4.3MB
-
MD5
1485d115c0db789ed882e6da39b845d0
-
SHA1
b25ee4515f5a1a8b420e7eba38f233ee64a24755
-
SHA256
036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7
-
SHA512
c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b
-
SSDEEP
98304:xQ4LwEKgQe6M92LKCOdyzrXabdwkxMwasT9mrWhO:xQdej2GC+McdXxMTkO
-
Glupteba family
-
Glupteba payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies boot configuration data using bcdedit
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
DusBrowserInst.exe
-
Size
172KB
-
MD5
2bf65413a6aabdbb7f18b7efebee633d
-
SHA1
c4eed75b2d69ca51ce87ede0a907db0ecbb4f4b7
-
SHA256
1db05647c15a26167a50bf7cf1d5f2d00ae89e4f18cfba2bcb4024f043c81739
-
SHA512
b59fcc75925273239c90520d616a9e5dddacfc36d6cefb1f464dab3ef066aebfc57adfd9e28484aadfb9ed6a9dde4d509e0eee2bc5245a795025c64fb790fb2f
-
SSDEEP
3072:OqJYORWz8q9slhk6/admfp4dipoaDNzuYnr+YvRRB:Kb9Hdmf9P
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
IDWCH2.exe
-
Size
739KB
-
MD5
0d5cc91890c411599e994ab4d927350b
-
SHA1
b64c4752537fc05bd460918fe252ef64e72d2651
-
SHA256
b64cc3011b334fe3fdc47852da28f1d865a1f71dd819827a035b9b3adab1a163
-
SHA512
56418a6586f0cc7f985e944811744fdce2ddaea5e238d02b21435768a3738ba7cccc738190b677f0eb66916a24cdcd4b63701df8a35c7a44802ba053ccdf059b
-
SSDEEP
6144:d/QiQXC45m+ksmpk3U9j0IeP2soxvjFEOTb9WmZX/8shzdsY4CpHPhnq/FK:VQi34c6m6UR0IeP2p1hf39Wkv8xwJqdK
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Litever01.exe
-
Size
502KB
-
MD5
bca995c0fd475fb09fb7988cb876c795
-
SHA1
0f8776b9a5b3daedcc314fa283172697dee4cf8d
-
SHA256
659895bb642f43854043053d386b987c63db7e615d827dbc41866ac0371ab92d
-
SHA512
94387589151f5dc774aaf981988c8f6b568e8373158ce79b5da370594a6f67f18c5b90547da62db70a808a9756fc318eeb3cd6df9b87495bfde379a46e2699df
-
SSDEEP
12288:+Ircrb5sQow2/ZswWmTV9LSuxlrwvAsP4BmHc:+mQb5gnZswWmTbLnxyvpP6
-
Vidar family
-
Vidar Stealer
-
-
-
Target
NAN.exe
-
Size
608KB
-
MD5
db1e5d0455f39c5cf5ac0c210dd679c4
-
SHA1
836e95bd1285ff790e55a8602febb29d97187bd7
-
SHA256
578eddcbe98744e25e8836b7cdc447f62b7032bcd3d083f2eb0cfe018022243e
-
SHA512
3f349ba618510f3e76e893fb70f0bfd5c3885216d73ed024617b49878eed376789eb7d3e4d347bb84aec8d90dbd0706256cdfdfa3f99c3b2b62982d9bc5c3a25
-
SSDEEP
12288:hjMQXZURC7TnfAWtUu/wQfmY4IG6zsJMWHn4oFl8n/bmThV:hjB34FC
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT payload
-
Sectoprat family
-
Suspicious use of SetThreadContext
-
-
-
Target
anyname.exe
-
Size
100KB
-
MD5
2cd68cb7fd85144362d03a0b260f338f
-
SHA1
6e106cc5246ed9fe053ef748b28022183e520ad9
-
SHA256
f67d7d488b447f8a6356bff9d49add653ef5c49e6dc74982005028d01609c24a
-
SHA512
4ac9508d59f9f32d5b883b78b2b4cc80a7364731d96f01f53d816055fe7e1f8505790796ca4696c6810de89331a346e2b5eedd071c50b56c10489bcc9b72693c
-
SSDEEP
3072:AH5/hX4B1I+Fe7UovWk07XFBbyzqRyZ/4Ji/:m/JK1RkZGXw/
Score3/10 -
-
-
Target
app.exe
-
Size
4.3MB
-
MD5
d3f680a40104a2bf44d1e55ab22cc283
-
SHA1
3e44293bd666ee6842f27001e561442203479698
-
SHA256
a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86
-
SHA512
478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b
-
SSDEEP
98304:MQ4LwEKgQe6M92LKCOdyzrXabdwkxMwasT9mrWh:MQdej2GC+McdXxMTk
-
Glupteba family
-
Glupteba payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies boot configuration data using bcdedit
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
askinstall50.exe
-
Size
1.4MB
-
MD5
68bc0c244bb2d261a9a7d007bb6e06d7
-
SHA1
4226d51ebf9d925de953e0a5a6b3784eabfc47b6
-
SHA256
fd53ca7be25f932d930f68ab7818359762dde5d3608271e7a27e815f5b30e9e4
-
SHA512
f52a04cd2a5d0f9f30be1b6827e95f5afe5f34d0453a78b000dd71d7d8e20467ef6f541a91858833704df6b1560cb5701eab08e5df0a86870b946b052cd6d9da
-
SSDEEP
24576:8IVFA1pqtg/TnMbX0lwyh0FVmEByA1EwFYyOsFTceoCSPZVjQtYfeXPPSTy:NFA1pvTMbOwa0TmUyMYEh1oCSPnQtY2/
-
Socelars family
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
-
-
Target
farlab_setup.exe
-
Size
1.7MB
-
MD5
a7703240793e447ec11f535e808d2096
-
SHA1
913af985f540dab68be0cdf999f6d7cb52d5be96
-
SHA256
6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f
-
SHA512
57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e
-
SSDEEP
49152:C9CKxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmyGpf8:MCm5eMOooqhomhjrcLS8
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
inst002.exe
-
Size
265KB
-
MD5
f38f3aab5af6435226dcca8751f61e6c
-
SHA1
e555e536dca72784f73422a216aa35206441444a
-
SHA256
94590b6681e3f9255a27b41a356d0334460ed596daab947258110a4ab94708db
-
SHA512
0402a9d77388348aa055ab58a3211222ffdbe043e73052e075d861d1d0888437cfdeb2c2d7676b23e539b573bd4a4180d4e5f8af840693823979997f99c76c09
-
SSDEEP
3072:7DO+LxoC9PZUFfYS3azG0CYUZTCldBG//7VxSVzsC1X6R8geXrVpAFdcmuYT:7a0Sf7oQYUdgiizn9XrXeddTT
Score10/10-
Detects LgoogLoader payload
-
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Lgoogloader family
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
-
-
Target
jamesnew.exe
-
Size
846KB
-
MD5
ea180cb17e71d8e32481aa37cb796cc1
-
SHA1
351b1c6cdbdcd21215e6cb9fc7b76887ddfe7a2a
-
SHA256
8a75fd219504039ceb7841811d75416ca52eb26a9667bbdf621055dad62e8b1a
-
SHA512
7bfe33816e5d6373cdbae1b8fffb620e76defabd1302b8c98650980ac0292b3135cee52d7316b8fe895812e56b2a7cfa2aa983d7e746f4673c37f1b585636cbc
-
SSDEEP
24576:1AHnh+eWsN3skA4RV1Hom2KXMmHaR1K5:kh+ZkldoPK8YaRi
Score3/10 -
-
-
Target
justdezine.exe
-
Size
136KB
-
MD5
7bd33952ce41285449099ae0bcd48d81
-
SHA1
1d6224283dd85c51a22445a69b1f2771724a7733
-
SHA256
6d5ac5464acd393224513115ebee2eeca5efca62b2a0e92f50c5186a8f740581
-
SHA512
bbe8a7d76db63b498b0ff8736ab010c12506b8f27b17eaeb13a77d0972e6512a54dccbf5c050642ffe7665647439c5fd1424312677b351d7fe893a7956728c05
-
SSDEEP
1536:w8Voh/WygQ/HlLg7ppfmFuOJFrh3dPiifz6JCzUKuhOZa0atsjk5/Npj6T61mD:wNqzo1lNqirxuhOZ7+sI5/DuT61m
Score10/10-
Smokeloader family
-
-
-
Target
md3_3kvm.exe
-
Size
924KB
-
MD5
53b01ccd65893036e6e73376605da1e2
-
SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115
-
SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7
-
SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067
-
SSDEEP
24576:pP7A681d48vGlldFtqFbDNaYaPCQFXVDXE4IfmDWQ:pzF8I8vGbdFtabDNUPCQFXVDXvdDWQ
-
FFDroider payload
-
Ffdroider family
-
-
-
Target
mixseven.exe
-
Size
213KB
-
MD5
984f9ec5ff106e4c08bb076ef63f3ec2
-
SHA1
119152d00b0b883cefae6519bbe4be43c6e1aafd
-
SHA256
438676e5d2d9fd41a35b18eee5db8917e7f960f0d50917513f4fb92b95d29995
-
SHA512
641cdf64b6ba39fb01c0bbe86aa878026e9f61280a83d449d67656dfa89100957f9e5b2b575b7ec460a0eeb4d2a8ef8da0781de58d3c518be2a2ae97ce1acd6a
-
SSDEEP
3072:qYq47wlx3K0mbLClhjJPHH93Bf8Pwv+/FvFeWB3SaPkN1hL8csI5/DuT61m:qf4uxaKl5JPHH96vFeWVk5LsI5/
Score10/10-
Gcleaner family
-
Onlylogger family
-
OnlyLogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
redcloud.exe
-
Size
173KB
-
MD5
16bf4653dfc06b85e7d34cb5cfe62717
-
SHA1
35ca16cdb661f6978815efc8c8a2ae0fbddcb733
-
SHA256
6038860aefedc84fdafe7d693ea6fa63147be5e3a43dd96e20adf377811c5d30
-
SHA512
0717f23056515b18f627496c309c22bfc76da5b61f2730a320fa8584ad0fb5ed47a8695ad255bc8635cdd379d2313cb141466e86ae0b639c33772fe2177fa35f
-
SSDEEP
1536:8t9pmEJnCKOAD3dOlbi2JKnJbpNjbuqGd0AMuyq+d0+7dDjElG6qTaoigQwY8ls:CTnCK1DtCbi2AHhG0Ajyjd0iY428ls
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT payload
-
Sectoprat family
-
-
-
Target
udptest.exe
-
Size
240KB
-
MD5
265717bdcb626127fdb7e62b018e963c
-
SHA1
d9d70e33380e33caa8c48b6a4ba7a4fe08ecafe5
-
SHA256
e102abb40eb0795f838749e262c4e94af6df4213832b1d055b727cbc50f3a8ee
-
SHA512
f9c3656bb1e9848620990ca2ee8c163f32c2259774cf21ff78979ba1318daabb672ba1a67924b90d55cce8b579830bf31db32e2da83a09b51916c60ca157f362
-
SSDEEP
3072:z+9IWjNSUNngwphQyI+wyym+l2Dnn3e+3kC5p67Bp+QcsC/ddhrPOv/SsI5/DuTR:zBUNngwp8Kn3e+0C5pyBp+xsQNbsI5/
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT payload
-
Sectoprat family
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1