General

  • Target

    dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f

  • Size

    42.9MB

  • Sample

    241110-n8gnxawjgs

  • MD5

    9bd323b096b17d8a95acab77d3c2ea60

  • SHA1

    773114b5a64bc79b51b15a38a8040c660126e782

  • SHA256

    dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f

  • SHA512

    fac8a4fb4240924a4c3b39e99cb8af62ada57aeb81acf4de8466de6c16fd11a058972fb7b6d204c850aef1612e2a18835c0d9f871a8f3bf0fac044580052f367

  • SSDEEP

    786432:v59nC1y5oIQtk1IAUOjs62CK4hXdpI4roOiL210PW/+5OSV59nC1y5GK4hXdpNSB:vbC1GzFRsQK4NGInSVbC1GGK4NNox

Malware Config

Extracted

Family

redline

C2

205.185.119.191:18846

Extracted

Family

redline

Botnet

build2

C2

91.142.77.189:61524

Extracted

Family

redline

Botnet

23.08

C2

95.181.172.100:55640

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes
  • embedded_hash

    0E1A7A1479C37094441FA911262B322A

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

ffdroider

C2

http://152.32.151.93

Targets

    • Target

      0hS8ndFapMyi9bpBTCoeqfJf.exe

    • Size

      359KB

    • MD5

      73ca4c10afa6a3f712facb40aa8254ae

    • SHA1

      ad824606d6c465a46296b736e8fa116bb67309a3

    • SHA256

      d8f723849493f85b6bd44cf8b94261f30ff26fa3080d5e53b537a5eacfdd873d

    • SHA512

      9c71e25022b678025a0465c8b5e92f99f2a957c4c3601b6e1617c48e19881e36da94c3ac87d6b05a6116088137be69fc67e61cbd8eac9dc8da26bbde571de907

    • SSDEEP

      6144:W5cg4yf/CHeM7JSjrkIKN3xyGUyOxDIjl+WMIzgjnHwpR3G8WhQg1CM1SzQf+:Tgffa+Mt1zhUBxDi4WQHxJQwZg/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Target

      0rr48RlGuyf8MbsABD4Fd5xg.exe

    • Size

      1.1MB

    • MD5

      3b4348d187f24c82370836531f3fa94e

    • SHA1

      a2ca4e9f4a8d9c8634e42765e90e252803e20b15

    • SHA256

      cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7

    • SHA512

      2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

    • SSDEEP

      24576:eDTLDJqGd+zowht2zmctw1CdvHh82JdjGY6LvxwAgRp54+/jrNtIf:qzdkBTce1CxHh8mlGY6LJBu54MjJaf

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      21oenuW1qnqk7qUsHH7Z2We5.exe

    • Size

      273KB

    • MD5

      ac7f28f999ef6657abc24673642b518a

    • SHA1

      37c701301ba28e8329f7c990a790320d021331a0

    • SHA256

      46d153d7d517ea834af83364c01388f5c4af458c359625244aa7bac158e8bff2

    • SHA512

      d45fe4a99c81d2221ebb4b537a23ac2a64e05defb8c789eb8a716af30685d2ca5963e8caeadcaec74e5ea588311ea59509077f14870193408114b261e7b97370

    • SSDEEP

      6144:38Gjn4iGmFj3lToLMjHxWs0YMaGahpgxSDj4SmsLdnAJ:jnfGmRVTL74mpgSDkudnA

    • Target

      25jZMPTiQqNIVH0Cs2hi6z9r.exe

    • Size

      1.7MB

    • MD5

      6753c0fadc839415e31b170b5df98fc7

    • SHA1

      7adbd92546bc0516013c0f6832ea272cf0606c60

    • SHA256

      01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569

    • SHA512

      92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab

    • SSDEEP

      49152:pAI+r+g7ELp4UtaupKvwS9IBfgUtckcL1YsNP:pAI+CvK88wScgUAL1Ys5

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users, first seen in April 2022.

    • FFDroider payload

    • Fabookie

      Fabookie is a Facebook account information stealer.

    • Fabookie family

    • Ffdroider family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      28NEs4WOAbFCrw46bjrvW6Dx.exe

    • Size

      2.5MB

    • MD5

      f4f313d1f82fa87e710bd947a3667384

    • SHA1

      6ac08dd818b3dac502041508399f8c6392668521

    • SHA256

      492f4d8cae0b2cd6105f089b368d322bf6e388a803890f5196d5ccc4ac85bb04

    • SHA512

      97e4af0f46fa9e9b3d5a916af3a50bb6c9ba4df8fd5d63c63764f2a421f0eb04b4d48df2293152dcbe6184ffeb8adb9552d250aaab0e2f95ffdea443a853b59a

    • SSDEEP

      49152:zKQVnnBfPya5I4GMsUvwYcD9mKDGYNUe5hBlg1RIpxfFF:vtBXPTG74wYtiGY73xj

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2DWwzYoIDsZeXAHrWMUgq7wH.exe

    • Size

      589KB

    • MD5

      34c76bcc1506b513c7a1ac605c045c4e

    • SHA1

      271c6b3853e33e039242da7cf8f4465c48e90d2e

    • SHA256

      1e7f2339065e8a6909eea27f090499a1af6427d1563ceac0cd25c916c637d29d

    • SHA512

      cb2170b5fa492dcb7df54cfd7f4ad94214de98face0f1710cbad749c79bf322ea1106ace723520486bdeabdf0aa2eefbf70dcc060d61fcda1124298225c36865

    • SSDEEP

      12288:fhdKHkwkYGXXRJRC7ijHRAWteLwnHdYnXQ6mr4ZFrUD:fzKYQv

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of SetThreadContext

    • Target

      4sqg3EO3n4bilXTOwELzdyE3.exe

    • Size

      359KB

    • MD5

      73ca4c10afa6a3f712facb40aa8254ae

    • SHA1

      ad824606d6c465a46296b736e8fa116bb67309a3

    • SHA256

      d8f723849493f85b6bd44cf8b94261f30ff26fa3080d5e53b537a5eacfdd873d

    • SHA512

      9c71e25022b678025a0465c8b5e92f99f2a957c4c3601b6e1617c48e19881e36da94c3ac87d6b05a6116088137be69fc67e61cbd8eac9dc8da26bbde571de907

    • SSDEEP

      6144:W5cg4yf/CHeM7JSjrkIKN3xyGUyOxDIjl+WMIzgjnHwpR3G8WhQg1CM1SzQf+:Tgffa+Mt1zhUBxDi4WQHxJQwZg/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Target

      6IvhC9RrHtvRf0BCVttVUFQm.exe

    • Size

      1.1MB

    • MD5

      2b0e445c62830c383077959a8f07289e

    • SHA1

      40c24d7e6dc8fcb68b00b0e8c21a2dc0aed0e34b

    • SHA256

      9a9903020d8134184e850dd7069d26734ca07cb0dd87bbde15919587ced1d3a1

    • SHA512

      6a20481b88c9f124b2fb8f620e2e6adcc53116f8d2829c5cf915fbfcba4ce0b45e053ebd547918b7a7c95615508f1dcf89f274b3430ea3d0b6de995edb9c644c

    • SSDEEP

      24576:OF+drpnEdh3f7/zqT3bdDtm3I00oigJf34hbHnSPmfqXRJ:OkWd1/mbdg32SJ0bo

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot Loader Component

    • Danabot family

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Target

      6K69WRpYoPgt3vIoWRXmpAwA.exe

    • Size

      90KB

    • MD5

      ff2d2b1250ae2706f6550893e12a25f8

    • SHA1

      5819d925377d38d921f6952add575a6ca19f213b

    • SHA256

      ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

    • SHA512

      c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

    • SSDEEP

      1536:lWvNrof2xIZ2ToPCt6VkPRYLUbrjhd3d7t20WYwuIJLO+s8jcdd1vzGHY:lWufhgTeCt0uREWrdhdY0W5uIVO77vKH

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      6RVcR1WSznUXUS8RtLypZMfp.exe

    • Size

      90KB

    • MD5

      ff2d2b1250ae2706f6550893e12a25f8

    • SHA1

      5819d925377d38d921f6952add575a6ca19f213b

    • SHA256

      ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

    • SHA512

      c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

    • SSDEEP

      1536:lWvNrof2xIZ2ToPCt6VkPRYLUbrjhd3d7t20WYwuIJLO+s8jcdd1vzGHY:lWufhgTeCt0uREWrdhdY0W5uIVO77vKH

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      7UwyHmKx00aB7vI0W6MvnkKA.exe

    • Size

      2.4MB

    • MD5

      b15db436045c3f484296acc6cff34a86

    • SHA1

      346ae322b55e14611f10a64f336aaa9ff6fed68c

    • SHA256

      dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193

    • SHA512

      804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9

    • SSDEEP

      49152:/JhGe/xVHII4W2qFRCsh7BQ0vLYtA2uORNJet/ylyPj792:/Jcevr2mLS0cT/Mj792

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      88wncypnTKvKj7Uwab0iiutt.exe

    • Size

      900KB

    • MD5

      7714deedb24c3dcfa81dc660dd383492

    • SHA1

      56fae3ab1186009430e175c73b914c77ed714cc0

    • SHA256

      435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

    • SHA512

      2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

    • SSDEEP

      12288:jx1vJUpzeLkTqhqeEmC7QOZGafeei7fqiHf:H2zIkTgqeEVQO5fess

    Score
    1/10
    • Target

      8Jw_RggGj5lBX2auQAnIQe71.exe

    • Size

      381KB

    • MD5

      58f5dca577a49a38ea439b3dc7b5f8d6

    • SHA1

      175dc7a597935b1afeb8705bd3d7a556649b06cf

    • SHA256

      857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

    • SHA512

      3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

    • SSDEEP

      6144:x/QiQXCfoL8+Ee0CYDTAsdRa1OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7f:pQi3foL8+iDNdRa1lL//plmW9bTXeVh8

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      A04WVFPeCHaejSnQmBHCogH9.exe

    • Size

      264KB

    • MD5

      c7ccbd62c259a382501ff67408594011

    • SHA1

      c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

    • SHA256

      8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

    • SHA512

      5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

    • SSDEEP

      3072:A/vFzYP505Wn7l8V2Rcoh17j89ta9AdHA8HB756aTRg2BNQkRr7fIKT0yB3X:izi7+0RXZ0I987wuRgKj7n

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Target

      A5ulgq_bFXMyWAYNZZbTBZ0Z.exe

    • Size

      1.1MB

    • MD5

      2b0e445c62830c383077959a8f07289e

    • SHA1

      40c24d7e6dc8fcb68b00b0e8c21a2dc0aed0e34b

    • SHA256

      9a9903020d8134184e850dd7069d26734ca07cb0dd87bbde15919587ced1d3a1

    • SHA512

      6a20481b88c9f124b2fb8f620e2e6adcc53116f8d2829c5cf915fbfcba4ce0b45e053ebd547918b7a7c95615508f1dcf89f274b3430ea3d0b6de995edb9c644c

    • SSDEEP

      24576:OF+drpnEdh3f7/zqT3bdDtm3I00oigJf34hbHnSPmfqXRJ:OkWd1/mbdg32SJ0bo

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot Loader Component

    • Danabot family

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Target

      AU3ie6Mv1vmus72LuhNF2jzZ.exe

    • Size

      272KB

    • MD5

      2384683b867fb23fe19827051656ff92

    • SHA1

      9233c546a58426267f40c7e0071bb67a148404a2

    • SHA256

      7c7698b0b225ba593441808a52e4d8607f2d1b1c650d5cfc6e6a06094bd218ec

    • SHA512

      a51bdd08fd9aa814fe8c5f06f5183c6a08822532f54ecd1aa25d0a1465baaedf143feaa76aab837f9ee0cf26ddcfd5ac7d4b83513fca30abc75300de867eeb0d

    • SSDEEP

      6144:NulL4+qmRj3GfgD8DxeQY4KiKGzWYlRDq5VKbapYuRpbLKClVyipPf:GLbqmNWfz4YlysRD2pYuPbL9GEP

MITRE ATT&CK Enterprise v15

Tasks

static1

themida
Score
7/10

behavioral1

redline, sectoprat, build2, discovery, infostealer, rat, trojan
Score
10/10

behavioral2

redline, sectoprat, build2, discovery, infostealer, rat, trojan
Score
10/10

behavioral3

discovery
Score
8/10

behavioral4

discovery
Score
8/10

behavioral5

smokeloader, pub1, backdoor, discovery, trojan
Score
10/10

behavioral6

smokeloader, pub1, backdoor, discovery, trojan
Score
10/10

behavioral7

fabookie, ffdroider, discovery, spyware, stealer, upx
Score
10/10

behavioral8

fabookie, ffdroider, discovery, evasion, spyware, stealer, trojan, upx
Score
10/10

behavioral9

discovery, evasion, themida, trojan
Score
9/10

behavioral10

discovery, evasion, themida, trojan
Score
9/10

behavioral11

redline, sectoprat, 23.08, discovery, infostealer, rat, trojan
Score
10/10

behavioral12

redline, sectoprat, 23.08, discovery, infostealer, rat, trojan
Score
10/10

behavioral13

redline, sectoprat, build2, discovery, infostealer, rat, trojan
Score
10/10

behavioral14

redline, sectoprat, build2, discovery, infostealer, rat, trojan
Score
10/10

behavioral15

danabot, 4, banker, discovery, trojan
Score
10/10

behavioral16

danabot, 4, banker, discovery, trojan
Score
10/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
7/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
7/10

behavioral21

discovery, evasion, themida, trojan
Score
9/10

behavioral22

discovery, evasion, themida, trojan
Score
9/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

discovery
Score
7/10

behavioral26

discovery
Score
7/10

behavioral27

redline, sectoprat, discovery, infostealer, rat, trojan
Score
10/10

behavioral28

redline, sectoprat, discovery, infostealer, rat, trojan
Score
10/10

behavioral29

danabot4bankerdiscoverytrojan
Score
10/10

behavioral30

danabot4bankerdiscoverytrojan
Score
10/10

behavioral31

smokeloader, backdoor, discovery, trojan
Score
10/10

behavioral32

smokeloader, backdoor, discovery, trojan
Score
10/10