General
-
Target
1dd26b1cd62aea1dd09f03541dc05448cc215e18
-
Size
8.9MB
-
Sample
241110-1sy98syqgk
-
MD5
6f36bb5a55e529c45eaff76ec91f1949
-
SHA1
1dd26b1cd62aea1dd09f03541dc05448cc215e18
-
SHA256
13bb0e481be407e8244a6c1f5b0be8a436d433040e2be69f5d27f5922aa2882c
-
SHA512
e503f5809bb988a863ccb4e4674fe3dc191a49c03909f36d0d2dc4a7feeda6b17c69c2cda41a86bf839e59645248e7f1176bd4489b7d4af21bb18fa91a7670a0
-
SSDEEP
196608:JHdWOynKXKz9zqngdwRI8jCqNlZcv3GscUTZXT0+pkU0X5J:J9WOynUKz9zqgd/ulKvcUTZXMUE5J
Static task
static1
Behavioral task
behavioral1
Sample
1dd26b1cd62aea1dd09f03541dc05448cc215e18.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1dd26b1cd62aea1dd09f03541dc05448cc215e18.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
nullmixer
http://626163618efe7.com/
Extracted
socelars
https://sa-us-bucket.s3.us-east-2.amazonaws.com/ysagdy415/
Extracted
smokeloader
pub3
Extracted
redline
supertest2012
91.213.50.241:25821
-
auth_value
3c9098bc220ccf9739f733015b9ad2db
Extracted
gcleaner
31.210.20.149
212.192.241.16
212.192.246.217
203.159.80.49
-
url_path
/software.php
/software.php
Extracted
redline
same1
116.202.106.111:9582
-
auth_value
f52427632ad56ee3727cf0cbe0f25b9f
Targets
-
-
Target
1dd26b1cd62aea1dd09f03541dc05448cc215e18
-
Size
8.9MB
-
MD5
6f36bb5a55e529c45eaff76ec91f1949
-
SHA1
1dd26b1cd62aea1dd09f03541dc05448cc215e18
-
SHA256
13bb0e481be407e8244a6c1f5b0be8a436d433040e2be69f5d27f5922aa2882c
-
SHA512
e503f5809bb988a863ccb4e4674fe3dc191a49c03909f36d0d2dc4a7feeda6b17c69c2cda41a86bf839e59645248e7f1176bd4489b7d4af21bb18fa91a7670a0
-
SSDEEP
196608:JHdWOynKXKz9zqngdwRI8jCqNlZcv3GscUTZXT0+pkU0X5J:J9WOynUKz9zqgd/ulKvcUTZXMUE5J
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Smokeloader family
-
Socelars family
-
Socelars payload
-
Looks for VirtualBox Guest Additions in registry
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer.exe
-
Size
8.9MB
-
MD5
3b9cfea9ed7c16c3f27df255da4baf9d
-
SHA1
b7f3f6f1c6e0e2a596b31e242fffced8e3d0c516
-
SHA256
388485cce05113764a70a4d24cbccc85ee63bbe8159dd638f3f307c8c3d2dcf5
-
SHA512
5341e023db4209af75473ba730159e5ad8f226733208977455ff86acae8f64b5ed1a46b43c6cceda1b81e78958a5acc77fe874f32a0634fbab20d26616b8022a
-
SSDEEP
196608:x5kWHY2+T/CohKJTWpCagmfiMIzMRFzQZeA3VOoeMOD:xyWHY2CCiniMLzGFHdOD
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Smokeloader family
-
Socelars family
-
Socelars payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1