Started with this RedLine malware sample:
https://www.joesandbox.com/analysis/808971/0/html
The sandbox report shows it spawning a bunch of child processes and eventually dropping these 2 payloads:
AV killer
https://www.virustotal.com/gui/file/850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
Healer.exe
MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA-1 421a7167da01c8da4dc4d5234ca3dd84e319e762
Infostealer
https://www.virustotal.com/gui/file/dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
The Infostealer looks a lot like the one analysed in this blog ( https://securityscorecard.com/research/detailed-analysis-redline-stealer/ ).
Franchise.exe
MD5 dd0c9e110c68ce1fa5308979ef718f7b
SHA-1 473deb8069f0841d47b74b7f414dacc6f96eca78
C2: 193.233.20.13:4136
It is stored in a self-extracting .CAB file (Microsoft Cabinet).
It actually unpacks itself 4 times before we finally see the payload.
Each time, the child .CAB file is stored in a resource named "CABINET".
Each time there are 2 .exes inside the .CAB.
In each of the repeated drops, the "RUNPROGRAM" resource launches another child .CAB extractor.
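To inventory a chain like this without executing any layer, it helps to parse the cabinet headers directly. The script below is an added example (my own, not the author's tooling or RedLine's code): it walks the Microsoft Cabinet CFHEADER/CFFOLDER/CFFILE structures, lists the files each cabinet carries with their compression type, and scans a blob for every embedded MSCF header so a stub-plus-cabinet SFX, or a dumped "CABINET" resource, can be triaged in one pass. The sample bytes it runs on are constructed in memory (a two-layer stub-plus-cabinet chain with two .exe entries per layer) and are not taken from the sample above; the names first.exe, second.exe, stage2.exe and runner.exe are placeholders.

```python
"""Static triage of nested self-extracting .CAB payloads.

Added example for this post, not the author's tooling. Parses Microsoft
Cabinet (MSCF) structures to list the files each layer carries, so the
"2 .exes per layer" pattern is visible without running anything.
Sample bytes are constructed here, not taken from the RedLine sample.
"""
import struct
from dataclasses import dataclass

CAB_MAGIC = b"MSCF"
CFHEADER_FMT = "<4sIIIIIBBHHHHH"        # 36-byte CFHEADER
CFHDR_PREV_CABINET = 0x0001
CFHDR_NEXT_CABINET = 0x0002
CFHDR_RESERVE_PRESENT = 0x0004
COMPRESSION_NAMES = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


@dataclass
class CabFile:
    name: str
    size: int
    compression: str


@dataclass
class CabLayer:
    offset: int       # where the MSCF header sits inside the scanned blob
    files: list


def _cstring(blob, pos):
    """Read a NUL-terminated latin-1 string; return (text, position after NUL)."""
    end = blob.index(b"\x00", pos)
    return blob[pos:end].decode("latin-1"), end + 1


def parse_cab(blob, base=0):
    """Parse CFHEADER/CFFOLDER/CFFILE at blob[base:] and return the file list."""
    (sig, _, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     c_folders, c_files, flags, _, _) = struct.unpack_from(CFHEADER_FMT, blob, base)
    if sig != CAB_MAGIC or (ver_major, ver_minor) != (1, 3):
        raise ValueError("not a v1.3 cabinet header at offset %d" % base)
    if base + cb_cabinet > len(blob) or coff_files > cb_cabinet:
        raise ValueError("cabinet truncated or header inconsistent")
    pos = base + struct.calcsize(CFHEADER_FMT)
    cb_cffolder = 0
    if flags & CFHDR_RESERVE_PRESENT:                 # optional per-structure reserve areas
        cb_cfheader, cb_cffolder, _ = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_cfheader
    for flag in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):
        if flags & flag:                              # multi-part sets: skip cabinet + disk names
            _, pos = _cstring(blob, pos)
            _, pos = _cstring(blob, pos)
    compression = []
    for _ in range(c_folders):                        # CFFOLDER: coffCabStart, cCFData, typeCompress
        _, _, type_compress = struct.unpack_from("<IHH", blob, pos)
        compression.append(COMPRESSION_NAMES.get(type_compress & 0xF, "unknown"))
        pos += 8 + cb_cffolder
    files, pos = [], base + coff_files
    for _ in range(c_files):                          # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, szName
        cb_file, _, i_folder, _, _, _ = struct.unpack_from("<IIHHHH", blob, pos)
        name, pos = _cstring(blob, pos + 16)
        comp = compression[i_folder] if i_folder < len(compression) else "continued"
        files.append(CabFile(name, cb_file, comp))
    return files


def triage(blob):
    """Scan a blob (SFX stub + cabinet, or a dumped resource) for every parseable cabinet."""
    layers, pos = [], blob.find(CAB_MAGIC)
    while pos != -1:
        try:
            layers.append(CabLayer(pos, parse_cab(blob, pos)))
        except (ValueError, struct.error):
            pass                                      # stray "MSCF" bytes that are not a header
        pos = blob.find(CAB_MAGIC, pos + 1)
    return layers


def executables(files):
    return [f.name for f in files if f.name.lower().endswith(".exe")]


def build_sample_cab(entries):
    """Constructed test data: a minimal uncompressed single-folder cabinet."""
    file_entries, payload, off = b"", b"", 0
    for name, data in entries:
        file_entries += struct.pack("<IIHHHH", len(data), off, 0, 0x5A4B, 0, 0x20) + name.encode() + b"\x00"
        payload, off = payload + data, off + len(data)
    coff_files = struct.calcsize(CFHEADER_FMT) + 8
    cfdata_off = coff_files + len(file_entries)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload   # one CFDATA block
    total = cfdata_off + len(cfdata)
    header = struct.pack(CFHEADER_FMT, CAB_MAGIC, 0, total, 0, coff_files, 0, 3, 1, 1, len(entries), 0, 0x1234, 0)
    folder = struct.pack("<IHH", cfdata_off, 1, 0)    # typeCompress 0 = stored
    return header + folder + file_entries + cfdata


# Constructed two-layer chain: a stub carrying a cabinet whose first .exe is itself stub + cabinet.
INNER_CAB = build_sample_cab([("first.exe", b"MZ-inner-one"), ("second.exe", b"MZ-inner-two")])
STAGE2_SFX = b"MZ" + b"\x00" * 30 + INNER_CAB
SAMPLE_SFX = b"MZ" + b"\x00" * 30 + build_sample_cab([("stage2.exe", STAGE2_SFX), ("runner.exe", b"MZ-runner")])

if __name__ == "__main__":
    for layer in triage(SAMPLE_SFX):
        print("cabinet @%d: %s" % (layer.offset, [(f.name, f.size, f.compression) for f in layer.files]))
```

The signature scan only sees a nested cabinet when the enclosing layer stores it uncompressed or appends it to the stub; in a real chain like this one the child .CAB lives in a "CABINET" resource of an extracted .exe and is usually MSZIP- or LZX-compressed, so in practice you dump each layer's files (expand or cabextract), run triage on the extracted .exes, and repeat until a layer stops carrying a cabinet. The version and cbCabinet checks are what keep random "MSCF" bytes in a large dump from being reported as a layer.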