Resubmissions

23-06-2024 06:12    240623-gyd2psscqf    10

16-07-2023 19:09    230716-xt4pkahc8t    10

General

  • Target

    2023-06-18.zip

  • Size

    285.3MB

  • Sample

    240623-gyd2psscqf

  • MD5

    8c0f5e86d1f5493a0880a5b4904681af

  • SHA1

    8cbed3b39884500b8d277bbf92f4597b271cf98f

  • SHA256

    d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

  • SHA512

    7f4bfefe043eb5ba8ccfe563b5aa8d6f0f8c26b4f1a67c642e157d77445e786c5a0ba97f1c0a00a1f7343fe34f63d5973511f1dc64209c966b5d30a5f9503cad

  • SSDEEP

    6291456:d8ArxcDqoEQal3nJ9Xs2URMmQlZYYUlrF+CpICF0ciqgVvdTS/+cRdtqj:dRrRoEFD9Xs9D3hBF+pP9S/jLy

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

gafgyt

C2

45.81.234.229:606

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

asyncrat

Version

0.5.7B

C2

209.25.141.180:6498

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

nanocore

Version

1.2.2.0

C2

sneakerpop.bounceme.net:6349

madbunny.duckdns.org:6349

Mutex

f23c9a26-21f9-4616-b2a4-7a31333df843

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    madbunny.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-03-12T14:07:36.727208736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6349

  • default_group

    BOLD

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    f23c9a26-21f9-4616-b2a4-7a31333df843

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sneakerpop.bounceme.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

C2

www.violtebotnet.cc

Extracted

Family

amadey

Version

3.84

Botnet

2f2805

C2

http://77.91.68.63

Attributes
  • install_dir

    200f691d32

  • install_file

    rugen.exe

  • strings_key

    e6ad3da56139a7f602e521090c482398

  • url_paths

    /doma/net/index.php

rc4.plain

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

5.tcp.eu.ngrok.io:16050

5.tcp.eu.ngrok.io:5304

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

Drowed

C2

source-seconds.at.ply.gg:36244

Mutex

7c27d7599d944dcc420f1985da53674a

Attributes
  • reg_key

    7c27d7599d944dcc420f1985da53674a

  • splitter

    |'|'|

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

amadey

Version

3.83

Botnet

68ded0

C2

http://77.91.68.30

Attributes
  • install_dir

    a9e2a16078

  • install_file

    lamod.exe

  • strings_key

    160cbe54f0b273951f758f9cee76bb0f

  • url_paths

    /music/rock/index.php

rc4.plain

Extracted

Family

mirai

Botnet

MIRAI

C2

190.btc-f2pool.top

Extracted

Family

redline

Botnet

duza

C2

83.97.73.129:19071

Attributes
  • auth_value

    787a4e3bbc78fd525526de1098cb0621

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5817723059:AAHLBu2CaRbhv8Vp2UNvh8S3DM3a6i7mZsk/

Extracted

Family

redline

Botnet

jason

C2

83.97.73.129:19071

Attributes
  • auth_value

    87d1dc01751f148e9bec02edc71c5d94

Extracted

Family

lokibot

C2

http://161.35.102.56/~nikol/?p=27226656008

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5252645306:AAGCEUxgRGtto8oZfNWHw7sqdTCF0zNGxX8/sendMessage?chat_id=5590273095

Extracted

Family

redline

Botnet

grom

C2

83.97.73.129:19071

Attributes
  • auth_value

    2193aac8692a5e1ec66d9db9fa25ee00

Targets

    • Target

      012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exe

    • Size

      572KB

    • MD5

      420622306beffd3306e285ea654ad117

    • SHA1

      49a77a1af0d9a93454b0dedb0429024c504f786d

    • SHA256

      012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85

    • SHA512

      7097900867b7c6c471cb24f880163ffb1b553c8ef31c36241272805508291d4a35604b1e94c396c87fa7ca1da534503638253ab8bc9f828fc31ccea9439f8e2c

    • SSDEEP

      12288:OMrvy90sthwYfZRMudCLVgXbOWVowB0d5uJk:Ny/nZKNqZTMuJk

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      02a23f59da1c37d7ed4e0f14e61fa5b264083dc4bdf35a1b09f0a3d29293981f.exe

    • Size

      726KB

    • MD5

      603947b90bbf3dc52aa799d6d74ecc3f

    • SHA1

      3af5d58a9da2971fdbe0097712d19051cf0eae81

    • SHA256

      02a23f59da1c37d7ed4e0f14e61fa5b264083dc4bdf35a1b09f0a3d29293981f

    • SHA512

      ead2ec945c1853cacde72d20182cdb5d282e74b6a236d4cbd191faffb68e30f3a5afab117ae3fc73a1ef8ebb8d392eee07a18143f0b52240c4ea9433f6f3df31

    • SSDEEP

      12288:nMrty908YkYKWr3HLkkKPYPGjBbrY6t34+ZOLtQ48ErdVhR0X+5:6yakYHHfKwqY694+Zct3lXD4M

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      053ddd70199526b974c71bb268539790e27247760bbf2680be1e0e82d01fb799.exe

    • Size

      787KB

    • MD5

      36b9237f9ecf4c5c108cd7f67404b0e6

    • SHA1

      4ccd5b450d77b42a4485bb2ddddce85c4dd89758

    • SHA256

      053ddd70199526b974c71bb268539790e27247760bbf2680be1e0e82d01fb799

    • SHA512

      1208a186e7ea814a817b9d59ff4a09a56ad94d5ea6e56bc5cfa9ae0a0f170c81b592b47de3d940b5cc2daf64ca582272fce2b77a0858a0909c926baa65e6b04a

    • SSDEEP

      12288:lMroy9052D1VtAZGIKEkY0BaLiTBFbtcqMQ8e76H+4MEARgmWP:tyw2DSsrEkZDz8lHO2P

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      072f59f857e5b792013df1c7916d31ad467fa3dab84c623a44e62ce35f13a3a5.exe

    • Size

      39KB

    • MD5

      fdbc4c73cbe3ebac5180923c1e85a0a9

    • SHA1

      f7554b64a19910c49bcb9e37763ab9aa1284689e

    • SHA256

      072f59f857e5b792013df1c7916d31ad467fa3dab84c623a44e62ce35f13a3a5

    • SHA512

      de60eb468682cb8bd63dbb134ad328eaf5bb98e492c889929c5912489701d77f7098c807fa455ca43aa42a3ce0f6dca215f28497a32b4f421e90e7d2a08c0992

    • SSDEEP

      768:n/IVNefxlLUvTNW0yGXFzdFpi1KfWky+hd38nl4EdgSC6:QVsfrL3G9dLiceky+hRrEdgSC6

    Score
    1/10
    • Target

      07b9d54ca0b731b8a0a8aaa99c2204278d655de9f349d485cd084b2709f0062c.exe

    • Size

      787KB

    • MD5

      b9c9f8149471777598683a218736c2df

    • SHA1

      37742f6bd47a5a6697615f083dae05d4d2f24b38

    • SHA256

      07b9d54ca0b731b8a0a8aaa99c2204278d655de9f349d485cd084b2709f0062c

    • SHA512

      18b161a37c5ac4ec9734f2481190e50b8d00c5a3d5c406ecb2e77092a3af0874b5f01da5694eb34481d947960b098026ce8575d5b88c676926564d22320a3fa6

    • SSDEEP

      12288:yMray90VrufvvB9pzkydTWjtKXbAN95yilwCzaowl9/vp++B20:kydpFTWjtKMONc+d

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      085092942b0623e53eceee98070267fb4f8d6b1f6c866d75389be1868784dd7b.elf

    • Size

      70KB

    • MD5

      d9ae56199d5d36db7cd6988ec5045ac9

    • SHA1

      88ffe931433154ad3a3cc8d349ddee612fe44e25

    • SHA256

      085092942b0623e53eceee98070267fb4f8d6b1f6c866d75389be1868784dd7b

    • SHA512

      64666de2eb8601cd11b5b669a3b922f415b15cee90694d4f3a692096902e9c99302b53b48ae187523be4a561d92438717f0ef377e261cb699d4a7f212980a882

    • SSDEEP

      1536:ywk609bh5+9JTnUXJ8DC85qecNdIBTn7WdP0MXeTBnbL:ywk60915+91UXvEcNix9MXeTBnbL

    Score
    1/10
    • Target

      08cbd1cc0c473b44845d3960e6af301cb430002f301a55d40dbd03477ad85ed1.elf

    • Size

      156KB

    • MD5

      ebf788e2e49bae300f4b58552def112a

    • SHA1

      bfd2e924530960537da867ffbdd342364195d53b

    • SHA256

      08cbd1cc0c473b44845d3960e6af301cb430002f301a55d40dbd03477ad85ed1

    • SHA512

      fbf81850e04b2f67b1bad5d78378275eb4b98ff7cb77a57304ef791c574fe298725a6217420bf81473d094fdfb6d7c9a3149b86a8de76e5a58a5a6b77c60a6ee

    • SSDEEP

      3072:T1g2/eINNlzx2kkQCMOaQcvB0YnyLRM/9q3tmFwfBxKQodn:hg2hNNlzIkk/MOa/CYnydM/9MmFwfBxE

    Score
    1/10
    • Target

      0a50e4e96fe3948c570214cd5dcdf34b3a2625742eaf15ebdde41d0cd75dea61.exe

    • Size

      1.0MB

    • MD5

      a6f0b3e1315cc524eedec7e5ece1727c

    • SHA1

      6e8aeb9e7c755eb8308df20b229120b1979fa114

    • SHA256

      0a50e4e96fe3948c570214cd5dcdf34b3a2625742eaf15ebdde41d0cd75dea61

    • SHA512

      520397ed8f9112a3a525c990493425e1a1579233954b1f1c23ae3ae4f71e39300cad2166e1247d445ebce21b2efd7ee01a4f183bfeafbd44a4d5affd1d38758f

    • SSDEEP

      24576:Ua1j5LA9gxosrW+22BZWddZp8yNv+CyTVh:j95LAax1rWr2BZevpYCUVh

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      0bdd1bc4a24d817604fadd739b1e80cf47722df37c4b2240f6ddfb3c2d120454.elf

    • Size

      69KB

    • MD5

      eb4b6f6f782fc56259027316378fd2f9

    • SHA1

      682249a98670dc9eef678565bfb51159c96edd17

    • SHA256

      0bdd1bc4a24d817604fadd739b1e80cf47722df37c4b2240f6ddfb3c2d120454

    • SHA512

      66b901f0e007f2fcebde86e3f71f23085d40997deece721df0461ad7009b1001f0f2148193dda4ae8e35d275493dee2b17a867134b6652447f65a12c55905738

    • SSDEEP

      1536:Vnfor84GrVS/h8+0Amihk1hWZuiil6Xvy9wbZnN:Vnj4hOMk1hWZ0sy9wbZnN

    Score
    1/10
    • Target

      0c349ec65fde9efebd2ff123c6b223cce44c6fdbafa19b46c12d43eccde3a3e3.exe

    • Size

      729KB

    • MD5

      6b1a9cac89d36bfac5c5035809a3d484

    • SHA1

      5d1a7d8d3b0eee361215f739a1fb9971efcbea53

    • SHA256

      0c349ec65fde9efebd2ff123c6b223cce44c6fdbafa19b46c12d43eccde3a3e3

    • SHA512

      cedb70fb89194f705a4c08ee514d666fbcdf5b95cc4a869144aebbc296a762d7dc3eb98e6f0d49a4206b8b1362629cc0646e2165201ecece9f5c780a447eabcd

    • SSDEEP

      12288:iMrNy90Tvvx7thoce2cRQlY5ORPAsbZZI7LmL5AZFYqyItiwZsJJr/jigI:3yEZgRQKDEKKuc9IwwkFbBI

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exe

    • Size

      852KB

    • MD5

      fe6f965517d6e9ee9fac7b6a2728b125

    • SHA1

      61fa95d7d24b8667e5eb219f0772dba114ea19cc

    • SHA256

      0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3

    • SHA512

      f5827e2e061d96ea4183cf383dfaf5b2046ef32971a9a7472743e5a131102e6f7f2d7b559f5575e532c3b9083f7b2c3147dbe90293791bea2e187ee833dbcd62

    • SSDEEP

      24576:HySCwgVIZTFq+zGYRkVfJQvqYb0WqU/0El:S/wgV+TFhzGYcgq+0WP/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      0ceb0dadfa894aba36d3629ef69c69540f0cba4fe5d52f7fb0b9663738923bde.elf

    • Size

      83KB

    • MD5

      212aadba15e0debfdd98a4783051685b

    • SHA1

      6e514cb5364266c96ea00638656b9ea1248a7db5

    • SHA256

      0ceb0dadfa894aba36d3629ef69c69540f0cba4fe5d52f7fb0b9663738923bde

    • SHA512

      22fe3dbf1c214086b367036813f87d35750ed0495c304d3663c4470f4da35db757a25a705046c333752df76ff88b0fa8c8866dc50717ae68aae2d566fced8347

    • SSDEEP

      1536:cR/C4e6K67Dr3gujI/uVceyrMMKenkXGwbZnLx:cRq4eB67Dr39I/uVceyrMXXGwbZnLx

    Score
    1/10
    • Target

      0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe

    • Size

      880KB

    • MD5

      d5af7b4e4aa554542307474645208ce1

    • SHA1

      aaf49c2518fb31dccdd6b8ae383b21cc6de0a430

    • SHA256

      0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85

    • SHA512

      785e01b295ac3a12045df777d8cd5fe86a76f06d5bab2ab77c07ca049c27119f43a1928724452339f90660ba379d74c080f810c74cb732274956ff68cc578310

    • SSDEEP

      12288:/mcnG6zEGU6Iq2jCrYQQsbeLmFDgJzEhFP92MpgtK3IoRA7+JQEKVWk:ZnGSrU6IqQCr1KJzEhFPWtxoR12/

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      0dd3f8b25459c4e5e8eabfe91f24381813035cf7c71837ccb6e5f6899e48c27f.exe

    • Size

      624KB

    • MD5

      b680b95a2ca063dd15b0dd77f8f09ebe

    • SHA1

      796f4d63fc05f166c128124a011f165fbe28105f

    • SHA256

      0dd3f8b25459c4e5e8eabfe91f24381813035cf7c71837ccb6e5f6899e48c27f

    • SHA512

      2be2930fb6670d84b4b48abf201ed69453014d68ac4a2d8bb9177e7b92bf9ac6954e472f2bfa26d7ffcd1e1f2055737f9aea5fc2cf105dbe791c4ab04ce31adf

    • SSDEEP

      12288:wMr7y90LHqjnE/4dW/NFws2tbSP29adN5jZk4qh0r4A8bEMmHbk:byIKjnE/4dANxG42o3nrqh0r4So

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exe

    • Size

      579KB

    • MD5

      7346c9336d7498f6c1ca3e50bf86b790

    • SHA1

      5ea0344751f5d870d553a86d45df278a4be086bf

    • SHA256

      1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15

    • SHA512

      d67e21c390ae47baae31ae061cae1a2b5114536d29fe7c31a022001a2a7cffe5478c9af3a900187c8119a90f8201ec8edab66d561f180e9a83dfb34ba62b13c3

    • SSDEEP

      12288:AMrly90iNyVjcWXPhJulUcY3oBYGGZJcqIWy/mnmef8yMHu:1y1Nyc4Ut4oBYGGJeGnd8yMHu

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      124c02ed924e11b06b74e1b8c1290adbb1e50dfa2a7bcf95104c6425a1f82ef5.exe

    • Size

      45KB

    • MD5

      8f18dae3a06e5d01df276b48679d87ae

    • SHA1

      eca04933b3034d40113e990a8914a4f9d46b00a0

    • SHA256

      124c02ed924e11b06b74e1b8c1290adbb1e50dfa2a7bcf95104c6425a1f82ef5

    • SHA512

      20e472a03b695550830dde0c27e5cb3edf24bbc672ab2d70fd4c1e97b78ed3399f604d3ab590e2a9f8164a3a01e14b448ca7d88776effdee5078a39e2f138a42

    • SSDEEP

      768:NuwCfTg46YbWUn9jjmo2qrvcPjrhFmsWhzjbdgM3iAvC2oN/TqDiCrcDZTf+:NuwCfTgpM26cLNFm3h3bKMSEK/TqDiH0

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Target

      1267a2b9b9ff99e4039372e8ee87b8d61ad0a4db0ee052564aee4ddccf2de9dc.exe

    • Size

      712KB

    • MD5

      07f532593a4c71ee76366396563a0f0b

    • SHA1

      a9c2fb723a074bb666a25d2cbb53b549014f27ca

    • SHA256

      1267a2b9b9ff99e4039372e8ee87b8d61ad0a4db0ee052564aee4ddccf2de9dc

    • SHA512

      6ae82777903358b1d4e56873c11c969cc7ec663bdc1660d88de4b30c550b8f7a0f6e12a1f79372b3fb231021f002ef6a6cd4a80852924b732efb201ec33076ad

    • SSDEEP

      12288:gNUya2iNx5LbzIu9+r97hIySewQpnrfccbd+mObCzJ0/m63OCb3biaBWIgiY:Qa1j5LA97hIySsnYcMPCJ0l3OCbriaUI

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      13a5b3d41f084cd25b4142b948e31e80a917c91fff12aa8b156ac9f23c18b0f1.exe

    • Size

      1.2MB

    • MD5

      e03efd2648ccfc03575503650c64d3d2

    • SHA1

      87c50ddadc9bd135512c42719901587cd6195384

    • SHA256

      13a5b3d41f084cd25b4142b948e31e80a917c91fff12aa8b156ac9f23c18b0f1

    • SHA512

      b366910f07b65655cc9b01d982e192e4452b537c28dda48befb7a903689943d94c6ae5187bdac39b5dfea8579851c2feaef397dd256f96643f6753ae716a2cf9

    • SSDEEP

      24576:q7pIOM88+6lcv9VAo4FUq4iG95LFt8Xh:q/M88+6avYo4XT5h

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exe

    • Size

      573KB

    • MD5

      e97cb42ee797cb71a2b355d5cf08bed0

    • SHA1

      0737c2b520c023ecca79c98e48e6a6c5055d77cd

    • SHA256

      13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462

    • SHA512

      2783b96c1d7ae82ef3be08a5b16472c00ed6ddc9b8a411d5e31d988a38c81570dd3f9306f7792d6d48dd52dbcb5ae83be96e6a10e6bdbb597679fc275e7b70e4

    • SSDEEP

      6144:Kdy+bnr+Up0yN90QEx95o/WN5peWsZNKZLbKohtnrDBgxgoxjEFK4D0qm+R8xwJs:HMrsy90ZW/WHekpCxgXsom+gArXip1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exe

    • Size

      573KB

    • MD5

      57c977c9e7ae3d27e53f187c66fff172

    • SHA1

      54e977c69884649abc91dee85dca134c7ff146d6

    • SHA256

      143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c

    • SHA512

      bb2ee725215a410d780e3cd3f6070f90ad96c399c2450c1a8a4ebd516ef8eb680f5288a3729800d7d72b6af7ee2764d073906b615644a9365bfeafcd837d590e

    • SSDEEP

      12288:LMrAy90RVCbfkFW+uv9JtYoqleDx12HZXwheCdI:/yqE8puztYou5Zoq

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a.elf

    • Size

      657KB

    • MD5

      946689ba1b22d457be06d95731fcbcac

    • SHA1

      e998494f91b08b52b28fe3304e9322962e3d1b58

    • SHA256

      14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a

    • SHA512

      5ccbed7425cff1237781d680c3c84a8059624169645cdf7bc82ef6d42c658ae0dbc7f275c9fd187461287e82db10feaba7df2fc7be1abf3680e032658494ce83

    • SSDEEP

      12288:TkvsVw0s3hz3hX7HD6lHd7SyihHV/xJTp0eeXRl6yixrLW:ovsVw0s3hz3h7D4FSyUB907XRMx2

    Score
    1/10
    • Target

      15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exe

    • Size

      608KB

    • MD5

      d167146c83ff7591d7d10d1ede086a97

    • SHA1

      83a9d22d4c0baa547f3bf8d0bf46f39299185cbf

    • SHA256

      15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3

    • SHA512

      0cfb3f6ee3b07c01c2fdc7127b9ac1a12f4ff5ece30fa9da3d0c3e2b87b23dfbf246ff56c1f62eba7de813aa9e40563e320f4eb084b9ed0150c765a09a25a487

    • SSDEEP

      12288:QMr3y90iBqiXyHVwpzUxo4HRsdpQyfBFmNfj:3yl37p4xo4H6QIFmR

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      16478beceea6d01555ceffc1c582531617a76919cc713c3b72319c19a879b6e4.elf

    • Size

      5.2MB

    • MD5

      4f1b6e43b4bae496067a124c61fec7dd

    • SHA1

      374f8f462aafd474fd184c13aa7a681be68168fd

    • SHA256

      16478beceea6d01555ceffc1c582531617a76919cc713c3b72319c19a879b6e4

    • SHA512

      3c84d9c451a71f4ac3ed832f2b8e4918a8360d7a6bbb98d20b7c73f2ab8e4aa80d0ec4294643b6cee046dd7c5011bdef27abc05cf5ab6487ab81173287ad3769

    • SSDEEP

      98304:on/v2UOp/P/BNLsOATqAUpuzFD60Mq5C+:3p3/rsOAmFuzg0M

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Command and Scripting Interpreter (T1059): 1

    • PowerShell (T1059.001): 1

  • Scheduled Task/Job (T1053): 1

    • Scheduled Task (T1053.005): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 11

    • Registry Run Keys / Startup Folder (T1547.001): 11

  • Create or Modify System Process (T1543): 5

    • Windows Service (T1543.003): 5

  • Scheduled Task/Job (T1053): 1

    • Scheduled Task (T1053.005): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 11

    • Registry Run Keys / Startup Folder (T1547.001): 11

  • Create or Modify System Process (T1543): 5

    • Windows Service (T1543.003): 5

  • Scheduled Task/Job (T1053): 1

    • Scheduled Task (T1053.005): 1

Defense Evasion

  • Modify Registry (T1112): 21

  • Impair Defenses (T1562): 10

    • Disable or Modify Tools (T1562.001): 10

Credential Access

  • Unsecured Credentials (T1552): 8

    • Credentials In Files (T1552.001): 7

    • Credentials in Registry (T1552.002): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 8

  • Email Collection (T1114): 3

Tasks

  • static1

    Tags: mirai, rat, 2f2805, default, drowed, 68ded0, pyinstaller, miner, mirai, gafgyt, dcrat, asyncrat, nanocore, privateloader, risepro, amadey, njrat, xmrig

    Score: 10/10

  • behavioral1

    Tags: redline, duza, infostealer, persistence

    Score: 10/10

  • behavioral2

    Tags: healer, redline, duza, dropper, evasion, infostealer, persistence, trojan

    Score: 10/10

  • behavioral3

    Tags: healer, redline, grom, dropper, evasion, infostealer, persistence, trojan

    Score: 10/10

  • behavioral4

    Score: 1/10

  • behavioral5

    Score: 1/10

  • behavioral6

    Tags: healer, redline, grom, dropper, evasion, infostealer, persistence, trojan

    Score: 10/10

  • behavioral7

    Score: 1/10

  • behavioral8

    Score: 1/10

  • behavioral9

    Score: 1/10

  • behavioral10

    Score: 1/10

  • behavioral11

    Score: 1/10

  • behavioral12

    Tags: agenttesla, collection, keylogger, spyware, stealer, trojan

    Score: 10/10

  • behavioral13

    Tags: agenttesla, collection, keylogger, spyware, stealer, trojan

    Score: 10/10

  • behavioral14

    Score: 1/10

  • behavioral15

    Tags: healer, redline, duza, dropper, evasion, infostealer, persistence, trojan

    Score: 10/10

  • behavioral16

    Tags: redline, jason, infostealer, persistence

    Score: 10/10

  • behavioral17

    Score: 1/10

  • behavioral18

    Tags: dcrat, execution, infostealer, rat

    Score: 10/10

  • behavioral19

    Tags: dcrat, execution, infostealer, rat

    Score: 10/10

  • behavioral20

    Tags: healer, redline, jason, dropper, evasion, infostealer, persistence, trojan

    Score: 10/10

  • behavioral21

    Tags: redline, duza, infostealer, persistence

    Score: 10/10

  • behavioral22

    Tags: asyncrat, rat

    Score: 10/10

  • behavioral23

    Tags: asyncrat, rat

    Score: 10/10

  • behavioral24

    Tags: lokibot, collection, spyware, stealer, trojan

    Score: 10/10

  • behavioral25

    Tags: lokibot, collection, spyware, stealer, trojan

    Score: 10/10

  • behavioral26

    Tags: snakekeylogger, collection, keylogger, spyware, stealer

    Score: 10/10

  • behavioral27

    Tags: snakekeylogger, collection, keylogger, spyware, stealer

    Score: 10/10

  • behavioral28

    Tags: redline, duza, infostealer, persistence

    Score: 10/10

  • behavioral29

    Tags: redline, duza, infostealer, persistence

    Score: 10/10

  • behavioral30

    Score: 1/10

  • behavioral31

    Tags: redline, duza, infostealer, persistence

    Score: 10/10

  • behavioral32

    Score: 1/10