General
Target: x86_x64_setup.exe
Size: 4.3MB
Sample: 250513-v6d9bsyxdx
MD5: 415eb2a265e348e630a1f460a462240a
SHA1: 189494a1c18c0a144ea49ec1f72480c32e777e4e
SHA256: 6d29006485decfbf2f980135e87de1c5392f2207e382211dca5c7d1bdaa32947
SHA512: 4bd5635ce1477de65582f134a8b18cf10bc1b26dc834cb3c1faaf024f00657d592ef822ae95f7e9eaf2b331e70b9a54cfd35cc2bbd852b60c243dc47a184fcab
SSDEEP: 98304:Jr8fbFReiQn4t5KXMmWJtMlEbihwVDgC3+5248stv9NUu4Swl6zlt5oSK:Jr8pRFQM5rlXihwZl3U2RiUu1lt5u
Static task: static1

Malware Config
Extracted: nullmixer
  http://razino.xyz/
Extracted: redline (Cana)
  176.111.174.254:56328
Extracted: redline (Ani)
  detuyaluro.xyz:80
Targets
Target: x86_x64_setup.exe
Size: 4.3MB
- Detect Fabookie payload
- Detect ZGRat V2
- Fabookie family
- Nullmixer family
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- Zgrat family
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext