General

  • Target: d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2
  • Size: 24.1MB
  • Sample: 241109-ty4zcaxgrc
  • MD5: c2fe184c336168526031e4e2e89c0f7e
  • SHA1: 15f50deb50b394945f471132b9ecc8d6c0799ed9
  • SHA256: d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2
  • SHA512: 58ece1ef706a26913bd7577f504c3681f20e07dd4dbe8aec2dafd924bbfaf8defd591b282bb124d38f6bae0270eb7a7eadf357ae34a4c7af3801974d482657d6
  • SSDEEP: 393216:BlzEKd9Eji3xnlwJIEMkSS3eqUNW/R0iTO0sagWe6CnPI7t0ePvSxG4zwuqOLBy+:zsEnGJIUOqyWPh1uJAvPvEGqwhSyFTs

Malware Config

Extracted
  • Family: mercurialgrabber
  • C2: https://discord.com/api/webhooks/874444160558563388/1Z__Ltngb8adeGgWdMA39QkqE4wgMqoVQlGLFgGOjNTN4MGcToQd9sV4w8rlBaE7sqmx

Extracted
  • Family: redline
  • Botnet: asap
  • C2: 45.14.49.109:54819

Extracted
  • Family: redline
  • Botnet: rich
  • C2: 95.217.248.44:11695

Extracted
  • Family: redline
  • Botnet: Ninja0812
  • C2: 185.92.73.140:80

Extracted
  • Family: redline
  • Botnet: boss9
  • C2: 109.248.201.150:63757

Extracted
  • Family: redline
  • Botnet: @bestiefFcs
  • C2: 37.1.213.214:63028

Extracted
  • Family: redline
  • Botnet: @krxstkrxst
  • C2: jonaianell.xyz:80

Extracted
  • Family: redline
  • Botnet: @killyxu
  • C2: 3.68.106.170:59223

Extracted
  • Family: redline
  • Botnet: @Navi_Gator
  • C2: 136.244.80.139:40533

Targets

    • Target: Bird.exe
    • Size: 1.9MB
    • MD5: 2ef0cc6f0f8aa2534e103b829e270e1d
    • SHA1: c146681a98d585012791c2e9504caacba25becc9
    • SHA256: 822c95f975773e71f49d3ed2c9afa87d6d27d245c7f5a4a9439278e27ee0ae64
    • SHA512: 56efa1b2e849ad5d836034a3f7992edec6e24914a80a8a1a03b29953082a0e898bace35705a76ce6660188c3954370c0c63d105c3c51f03441aadb94d590ee4a
    • SSDEEP: 49152:UehSFpgl8ZovDXNVBECKYLNDMBp6/FMe/MoNgd:Ue4FpglOo5KMDMBp6/FB/+
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Themida packer
      Detects Themida, an advanced Windows software protection system.
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: CSGO FREE HACK.exe
    • Size: 587KB
    • MD5: 19ccde66d64539ba78e681bbd037b88f
    • SHA1: e67a1f8f13caad85c34894124ad588ab6a5452a8
    • SHA256: 26380f65701264b2ad7c6e7731d1cac383319cb9ba64b921c9ecb27970089fb1
    • SHA512: e96247652abf3974eb3ad9b1b68078c4b1ca1d715ca31a62939deca1019f2115d9c86f85c1e19bd909b09335c53621052a10e206d25585974dfd5195df017fff
    • SSDEEP: 12288:TkoWRkGj5eA1Go7lVNkfq08KTZPqSA5HsVVbO/F9uDDm/:LYku13lw
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Redline family
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family
    • Suspicious use of SetThreadContext

    • Target: CSGO FREEHACK.exe
    • Size: 1.6MB
    • MD5: 378b5331c2d94bb7907bc70b8f97cbec
    • SHA1: 1944ae8a089f20be5ae512e40a5deb4c3a6ad5b1
    • SHA256: ff0d60cdc768a7f3262304b27f22a9baebc8348b21cac75b85e9d59a845e5b93
    • SHA512: 3a3d6fdc6d6c4a856661eff4740bb00ea209d8a62edb6e77fc3e3e64639fbdc2184be58169d9f526a8b8563882585cef614a87b49f772b283e07f4e59b5a1966
    • SSDEEP: 12288:cF2hrazesEAFkphsR1GdSzE2Jlr6k0BKY4sxJ6Bwo3jRL:gEAFJ1CR6zRL
    • Score: 3/10

    • Target: CSGhost-v4.1.exe
    • Size: 158KB
    • MD5: 2dd7cacaab277d37dace276fc3c98f32
    • SHA1: 7227f97f9539a7620ef4ff6687394bce9220d972
    • SHA256: 2340f7976585cd113520b33eb51c6b57e37c6bad2fba29a48b8c7e8e784a2491
    • SHA512: df73194f1adeff94942ff01e4161a836b642d02a5da564a0b8388936b1a1c7e0018779e49cfef38e8523c032d31bf34dc0fce7fad3185a57d5a20a616eb46520
    • SSDEEP: 3072:mSKJbzx0eTzNRvcF9mOQEUzJw4xE+vn84Tt4dVmfyu5ytLNoH:pWztTz709mVEUzvydVk5ytLN
    • Xmrig family
    • xmrig
      XMRig is a high performance, open source, cross platform CPU/GPU miner.
    • XMRig Miner payload
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

    • Target: Install.exe
    • Size: 317KB
    • MD5: cf31bb1b26f00448ed2f1359d403fa59
    • SHA1: 22ab9cc3bdce1e177f5fac0e745229dacde1d07a
    • SHA256: 1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71
    • SHA512: 05541d9938c80c860e18cd29e3b708000fb90a89f217a1cf0faf2ced29c26dfb6dd395d12178e34f72ab386991f21cba71f8659fd99a649c81b4bf65ae86d998
    • SSDEEP: 6144:QJ5m8CQqj8bx5yoZQPg7nju+dEd7DhTd+IJN00nm7knGyHM:QJ5s8VkoZmg7fdEd7VhxZmI
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Redline family
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family

    • Target: Installer.exe
    • Size: 1.1MB
    • MD5: 2d50222f6b702083c73d10e94eaaef9f
    • SHA1: dcce81eecbb46ef3963c8b4ad30f2ec3b14d2056
    • SHA256: 80752bd3e74c165e9c88fee2b806b67641f6cdae222d4ef9f5bc433f8501e767
    • SHA512: 10482897831ef7cf9ffc117e41e876c212f26c2f6cc4a8e089ee3990f64dde296d4d3c5fa5bcdab9c4f01ce71a4f864d43876c6f23f5fd2f64f97e66a50dcdfa
    • SSDEEP: 24576:rRzS4127aD0WEjwizMRjgynPEeyTYQ/MuRJNObPztSC:I412GD0WEkihNYQZBObn
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Redline family
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family
    • Suspicious use of SetThreadContext

    • Target: Installer2.exe
    • Size: 448KB
    • MD5: e913219e5f91222d184ecc758088ef02
    • SHA1: e3e9a88a115f3661d55655a096b013f192b93a05
    • SHA256: 9dc934f7f22e493a1c1d97107edc85ccce4e1be155b2cc038be8d9a57b2e430f
    • SHA512: 879406edaaf7b4956c535c93d067f485e660309ffa7d9a40b1de4eac0fe6e59c0497f93960c5b280df29c91bc6e232c2b0311f6582aabb5b264c43b1dea3505b
    • SSDEEP: 12288:OdQGx+KnXxFfjAQaKXGBmpO7AJ7Lgm9j7:OdvPjfav0pNJLgm9j7
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Redline family
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family
    • Suspicious use of SetThreadContext

    • Target: Kiddions Mod MENU.exe
    • Size: 142KB
    • MD5: 0bc5ae5e0021fccd9bff9f64f686f043
    • SHA1: 06e779dae148031e6294ecf0cc5e135da09811b4
    • SHA256: e0aca3b1e2806672143d256e87812294fe04f1ea95625979e3b9d64b951449db
    • SHA512: ac306d51feaddbc4f733963314b48aeb50a1a707bea90d3347dcf832d59ae96da6775e73760d6899066cdbcb11370ad26e5b901447fd8be2133fbbe6143b6414
    • SSDEEP: 3072:FvcjAFss11pSyRNKB2c3XEECZOX0ByrzwZ+Tlttu6OcTy+Dp1jWT39Y7umZZWDpT:Fvt11pxIuZOX0ByrzwZ+Zv9WqumZZ1Pb
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.

    • Target: Minecraft_v4.5.exe
    • Size: 1.3MB
    • MD5: 95692ea1f96acdc98fe565323e8a85e3
    • SHA1: f51b89233440a81d86295074fbfb3d2958d49325
    • SHA256: df3731e797b1f9dc07e772747e9fb1a2ca62ca7c8823f3df96eb8c20f6ee0912
    • SHA512: 1699d38a87b219b8c33c8ad6a77f2122e71b97d587d8f76b1657e8db76c606fae5d8a38bacd7d61fee3c5a889c6059a82f6cbe6a08c2d1db3773b7d843b4026a
    • SSDEEP: 12288:e8PUAoMZQaktUC04YqZrkPrkxChx4S95dmWT:eW/x6o4fZgPrkxChx4I5dvT
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Redline family
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family
    • Suspicious use of SetThreadContext

    • Target: Vape Crack.exe
    • Size: 356KB
    • MD5: 179dbbdb6e22f978115168d87a70ab33
    • SHA1: 324a73e17fdcada034d3ad841286f9d6b5873fcb
    • SHA256: 258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463
    • SHA512: 237a58b819f086f9ed2215e99d7b13ed027d252e47a3ba17deb5b28e3db27f853f2d2d75bdbfb3b875dec8dc0fa4fb059e3be6e41dc3b47b2020c2298a6b0358
    • SSDEEP: 6144:zo9QlVmhcIS/rwO+l7qYspB2NnYXmJ8tuy2a9W17fyF45pDBKoydJ:zdxrwHRqxQNYXO8tt2aw1DyWPDO
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Redline family
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family
    • System Binary Proxy Execution: Regsvcs/Regasm
      Abuses Regasm to proxy execution of malicious code.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext

    • Target: Vape Patch.exe
    • Size: 1.3MB
    • MD5: 8454f382107d764cc0ba8c1df3b7d7b5
    • SHA1: 797833088a010068fdc0a9b8becdd14f3166f7b8
    • SHA256: 7a5e1184dafbeff212207211036f9014ae1d16b34b8118be275144e40de13bb7
    • SHA512: b382346d2a0b9c77808d0763d0ceff2e1c94b2ea937c3025c721fe528bc64450b1f37c486ed25dd666fe98671784de16535bbeecf8418f58fcfa630c25c000f6
    • SSDEEP: 12288:NhsR1GdSzE2JlHb+Z8+EPu+p+/YrQwo54:O1CZ
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Redline family
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family
    • Suspicious use of SetThreadContext

    • Target: Vape_V4.exe
    • Size: 42KB
    • MD5: 66d4d4a5ffc881a66788b56b7f91377e
    • SHA1: 549564df32fbca9768b0fd23719f186182c628fe
    • SHA256: 4a1ca570b3bd7efe98b5cd8a5532dd68f99364907346f90170bcfdffe00a1703
    • SHA512: 623d0279f39e8ea648beec57bbb5ea86466b0430db90248c477293addbd0d06e07e879c1f2b1276702e853da4e984046f848c28a4c56a38dab26e1b6ecb22766
    • SSDEEP: 384:hLcfjaRCmI42zbh4zthWN/XTNTW8s/XZxIh/PoJEFq5nmHmTAs8KQsLd/SfgUfAk:KRhQGN/jNxuZhLqmTj8KZKfgm3Eha7
    • Mercurial Grabber Stealer
      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients, as well as generic system information.
    • Mercurialgrabber family
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Maps connected drives based on registry
      Disk information is often read in order to detect sandboxing environments.

    • Target: launcher.exe
    • Size: 378KB
    • MD5: 36aeb708e396c2627e52d8c50d8ea287
    • SHA1: e1bd5ab1cb291915db4e3d03b0e88b4dc737f53a
    • SHA256: b35f6e33f997d11867056950aae71610d3bbef64eb443db3aed8a49cc850e226
    • SHA512: 1ad276b880dd136f4364ccf0361d8ef3c790a6f178c39f1fd0c365b93f789595c7060f90020b7b4f0592a3c0f64444b194c83fc7652ffbad3afa5f14b8574a6d
    • SSDEEP: 6144:OthUfR1Gfk0EAspZJVN9htIBVnUxFMO8F/vZmMYGhwPgL9x4mN:OthsR1Gfk0EAsZVN9htIBVnUxFMO8F/f
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Redline family
    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Sectoprat family
    • Suspicious use of SetThreadContext

    • Target: nixware crack.exe
    • Size: 19.6MB
    • MD5: bddd6ad4c8b66a3f551fdc47d6e12c53
    • SHA1: e8b4a0e7918eb4641ce971df0020bf318b5f6788
    • SHA256: 105897c4dd3369b8c8ae8956ef2e8d945c33e7172022d81e0791546d9c17b21f
    • SHA512: 79f791d0b510a1627669072060a2c99f25402a40ce5eef404a0e8c31aa06f9656f2104c83003618272a9eddab800987e6d0dfadaba34010f066181bdcb9a264a
    • SSDEEP: 393216:Vyyv/JNbIZNv1bLTMZN5GTRWTjzMPpDcFBxxkhwgA1LivT2ts+oKs6yCZZh:VLTcB1QZiTATjwZNuLivT2ts+oRCjh
    • Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks

static1
  themida, mercurialgrabber
  Score: 10/10

behavioral1
  sectoprat, discovery, evasion, rat, themida, trojan
  Score: 10/10

behavioral2
  sectoprat, discovery, evasion, rat, themida, trojan
  Score: 10/10

behavioral3
  redline, sectoprat, @navi_gator, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral4
  redline, sectoprat, @navi_gator, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral5
  discovery
  Score: 3/10

behavioral6
  discovery
  Score: 3/10

behavioral7
  discovery, execution
  Score: 8/10

behavioral8
  xmrig, discovery, execution, miner
  Score: 10/10

behavioral9
  redline, sectoprat, asap, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral10
  redline, sectoprat, asap, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral11
  redline, sectoprat, rich, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral12
  redline, sectoprat, rich, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral13
  redline, sectoprat, ninja0812, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral14
  redline, sectoprat, ninja0812, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral15
  spyware, stealer
  Score: 7/10

behavioral16
  discovery, spyware, stealer
  Score: 7/10

behavioral17
  redline, sectoprat, boss9, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral18
  redline, sectoprat, boss9, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral19
  redline, sectoprat, @bestieffcs, defense_evasion, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral20
  redline, sectoprat, @bestieffcs, defense_evasion, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral21
  redline, sectoprat, @krxstkrxst, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral22
  redline, sectoprat, @krxstkrxst, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral23
  mercurialgrabber, evasion, spyware, stealer
  Score: 10/10

behavioral24
  mercurialgrabber, evasion, spyware, stealer
  Score: 10/10

behavioral25
  redline, sectoprat, @killyxu, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral26
  redline, sectoprat, @killyxu, discovery, infostealer, rat, trojan
  Score: 10/10

behavioral27
  discovery
  Score: 3/10

behavioral28
  discovery
  Score: 3/10