General
Target: fd09b71d35b55a7beb80386eeec03f0495d26613e4204b7ba4940a01431c6665
Size: 3.5MB
Sample: 241109-bk75qstgjb
MD5: 93a96e22a2824784bb61563bb73e7288
SHA1: b48c2c20ae46d8d76c65be8ad9b00e972e7d319c
SHA256: fd09b71d35b55a7beb80386eeec03f0495d26613e4204b7ba4940a01431c6665
SHA512: f92aeded0aa6f870fa5a122f0e0eeb91214da66d521f0979d96ecc991bcc680a3188708a37122cda1e58db91de6ccee9f7fc5c909f0b16745fa35403ff71ceb4
SSDEEP: 98304:eRwXbHRpImRtgzKx49Qt9aH8gnKTawD3vg92cNV:eRATljg+4GbaH7nKTljk2cNV
Static task: static1
Behavioral task: behavioral1
Sample: abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted: nullmixer
http://hsiens.xyz/
Extracted: privateloader
http://37.0.10.214/proxies.txt
http://37.0.10.171/server.txt
http://wfsdragon.ru/api/setStats.php
37.0.10.185
Extracted: redline (pub1)
viacetequn.site:80
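The extracted configs above mix three indicator shapes (full URLs, a bare IP, and a host:port pair). The following is an added example, not tooling from the sandbox or from any of the families named here, that normalizes that list into structured, defanged IOCs so it can be fed to a blocklist or a hunt query; the indicator values are copied from the report, while the field names, the `EXTRACTED` mapping and the default-port rule are my own assumptions.

```python
"""Normalize extracted C2 indicators into structured, defanged IOCs.

Added example; the raw values are the ones listed in the report above,
everything else (field names, default ports) is an assumption of this block.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Family -> raw indicators, exactly as printed in the "Malware Config" section.
EXTRACTED: dict[str, list[str]] = {
    "nullmixer": ["http://hsiens.xyz/"],
    "privateloader": [
        "http://37.0.10.214/proxies.txt",
        "http://37.0.10.171/server.txt",
        "http://wfsdragon.ru/api/setStats.php",
        "37.0.10.185",
    ],
    "redline": ["viacetequn.site:80"],
}


def parse_indicator(raw: str) -> dict:
    """Classify one raw config value and split it into host / port / path.

    URLs get the scheme's default port when none is given (assumption);
    'host:port' and bare hosts/IPs are treated as plain endpoints.
    """
    if "://" in raw:
        u = urlsplit(raw)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
        kind, path = "url", (u.path or "/")
    else:
        host, _, port_s = raw.partition(":")
        port = int(port_s) if port_s else None
        kind, path = "endpoint", None
    try:
        ipaddress.ip_address(host)
        host_type = "ip"
    except ValueError:
        host_type = "domain"
    return {"raw": raw, "kind": kind, "host": host, "host_type": host_type,
            "port": port, "path": path}


def defang(raw: str, host: str) -> str:
    """Defang only the scheme and the host part; paths are left readable."""
    return raw.replace("http://", "hxxp://").replace(host, host.replace(".", "[.]"))


def build_iocs(extracted: dict[str, list[str]]) -> list[dict]:
    """Flatten the per-family config into one list of tagged IOC records."""
    iocs = []
    for family, values in extracted.items():
        for raw in values:
            ioc = parse_indicator(raw)
            ioc["family"] = family
            ioc["defanged"] = defang(raw, ioc["host"])
            iocs.append(ioc)
    return iocs


def hosts_by_type(iocs: list[dict], host_type: str) -> list[str]:
    """Unique, sorted hosts of one type ('ip' or 'domain'), e.g. for a blocklist."""
    return sorted({i["host"] for i in iocs if i["host_type"] == host_type})


if __name__ == "__main__":
    for i in build_iocs(EXTRACTED):
        print(f'{i["family"]:<14}{i["host_type"]:<8}{i["host"]:<24}'
              f'{str(i["port"]):<6}{i["defanged"]}')
```

Keeping the family tag on each record matters here: the three loaders/stealers in this chain are sold separately, so a hit on the RedLine endpoint and a hit on a PrivateLoader URL point at different stages of the infection and different operators.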
Targets
Target: abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2
Size: 3.5MB
MD5: a622201f2fd6274513877d20636864ff
SHA1: c3c53c1bc993125858fda65ed91b9d11eaa441e9
SHA256: abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2
SHA512: 8888e4f504acd3599d3aa387e74fc4decc044e1b4a250bc1c20b445277622125442416eeb75ddaffe9438fe67e65302cc4a90fb4823074a8cdf953855f18dcbd
SSDEEP: 98304:x2H2hIi7atfC7AE7W+2E/3PLAUZymoyugkwQB7WKiR7:xO2httTa+plZkngkwQkB7
Note: this target is the .exe run in both behavioral tasks; its hashes differ from those of the submitted sample listed under General, so both sets are needed when matching against other reports.
- CryptBot payload
- CryptBot family
- NullMixer family
- PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- PrivateLoader family
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- RedLine family
- SectopRAT payload
- SectopRAT family
- Vidar family
- Vidar Stealer
- Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so later payloads are not scanned.
- Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
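Several of the behaviours above (the PowerShell Defender exclusions, the Run key persistence, the Uninstall key enumeration and the country-code lookup) are each visible in ordinary endpoint telemetry as a single command line or registry access. The block below is an added example, not the sandbox's own signature logic, that encodes those four checks as rules over constructed, loosely Sysmon-shaped events; the event schema (`type`, `image`, `cmdline`, `target`), the rule names and the sample events are my own, and the `Control Panel\International\Geo\Nation` value used for the geofence rule is an assumption about where the country code is read from.

```python
"""Toy rule set for the sandbox behaviours listed above.

Added example, not the sandbox's signatures. Events are constructed dicts:
  type    'process' | 'reg_set' | 'reg_read'
  image   full path of the acting process
  cmdline (process events) the command line
  target  (registry events) the key\\value touched
"""
from __future__ import annotations

import re
from typing import Callable

# Constructed sample telemetry; paths and SIDs are illustrative, not from the run.
EVENTS: list[dict] = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\u\AppData\Local\Temp" '
                r'-ExclusionExtension exe -ExclusionProcess svchost.exe'},
    {"type": "reg_set", "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\u\AppData\Roaming\updater.exe"},
    {"type": "reg_read", "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example App"},
    {"type": "reg_read", "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "target": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"},  # assumed location
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Add-MpPreference with any of the three exclusion switches the report mentions.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b", re.I)
# Per-user or machine Run / RunOnce keys (persistence).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Installed-software enumeration via the Uninstall hive.
UNINSTALL_RE = re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)
# Country code lookup used for geofencing (assumed registry location).
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def exclusion_kinds(cmdline: str) -> list[str]:
    """Which exclusion types a PowerShell command line adds (path/extension/process)."""
    found = re.findall(r"-Exclusion(Path|Extension|Process)\b", cmdline, re.I)
    return sorted({m.lower() for m in found})


RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("defender_exclusion_via_powershell",
     lambda e: e["type"] == "process" and "powershell" in e["image"].lower()
     and bool(EXCLUSION_RE.search(e.get("cmdline", "")))),
    ("run_key_persistence",
     lambda e: e["type"] == "reg_set" and bool(RUN_KEY_RE.search(e.get("target", "")))),
    ("installed_software_enumeration",
     lambda e: e["type"] == "reg_read" and bool(UNINSTALL_RE.search(e.get("target", "")))),
    ("geofence_country_lookup",
     lambda e: e["type"] == "reg_read" and bool(GEO_RE.search(e.get("target", "")))),
]


def detect(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (rule_name, event) for every event that trips a rule."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]


def summarize(events: list[dict]) -> dict[str, int]:
    """Hit count per rule, the shape a sandbox signature summary usually takes."""
    counts: dict[str, int] = {}
    for name, _ in detect(events):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, e in detect(EVENTS):
        extra = exclusion_kinds(e["cmdline"]) if "cmdline" in e else e.get("target")
        print(f"{name:<36} {e['image']}  {extra}")
```

The Defender rule is the one worth tuning in production: administrators do run `Add-MpPreference` legitimately, so pair it with the parent process and the excluded path (a user-writable `%TEMP%` or `%APPDATA%` exclusion added by a freshly dropped binary is the combination that matters here, not the cmdlet by itself).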
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (T1547) x1
  - Registry Run Keys / Startup Folder (T1547.001) x1
Defense Evasion
- Modify Registry (T1112) x2
- Subvert Trust Controls (T1553) x1
  - Install Root Certificate (T1553.004) x1
Credential Access
- Credentials from Password Stores (T1555) x1
  - Credentials from Web Browsers (T1555.003) x1
- Unsecured Credentials (T1552) x2
  - Credentials In Files (T1552.001) x2