Resubmissions
25/01/2025, 23:19
250125-3a9dlavrfq 1025/01/2025, 00:39
250125-azr7dswras 1025/01/2025, 00:32
250125-avsblawpdx 1025/01/2025, 00:29
250125-as5h5swnfv 1004/12/2024, 19:44
241204-yftswatlcj 1028/11/2024, 19:40
241128-ydqnfaxqgy 1020/11/2024, 16:31
241120-t1tw6azjfy 1020/11/2024, 06:05
241120-gtdv5ssnes 1020/11/2024, 06:00
241120-gqchxascje 1020/11/2024, 05:52
241120-gk2kvaxkgn 10General
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
Sample
241204-yftswatlcj
-
MD5
16d34133af438a73419a49de605576d9
-
SHA1
c3dbcd70359fdad8835091c714a7a275c59bd732
-
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
-
SHA512
59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
-
SSDEEP
96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20240903-en
Malware Config
Extracted
amadey
4.19
8fc809
http://nudump.com
http://otyt.ru
http://selltix.org
-
install_dir
b739b37d80
-
install_file
Dctooux.exe
-
strings_key
65bac8d4c26069c29f1fd276f7af33f3
-
url_paths
/forum/index.php
/forum2/index.php
/forum3/index.php
Extracted
redline
Diamotrix
176.111.174.140:1912
Extracted
redline
unique24
185.215.113.67:21405
Extracted
xworm
super-nearest.gl.at.ply.gg:17835
-
install_file
USB.exe
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
Amadey family
-
Detect Xworm Payload
-
Phorphiex family
-
Phorphiex payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xmrig family
-
Xworm family
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2