General
Target: fires_258452962.zip
Size: 6.1MB
Sample: 210312-h45jelee7x
MD5: f5a2ebe9fa01c78bdfec3136508a738f
SHA1: a16b1088e365e800884b113f8d35ee2818375bf3
SHA256: ceea3e1b3829e10af9e68a64866ff4acbaa96f759b997fa68a1be90e6f4f36c1
SHA512: 18cb1cbb3f21cf6cd7ca235283bc6dfe443646aca645e272f044e24f0fd43afdc2839c91dc21c85f97a44635935f6c8c7ff706388dbe3cf09259adc568b04c25
Static task: static1
Behavioral task: behavioral1 (sample 1dizrriv.xml.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample 1dizrriv.xml.exe, resource win10v20201028)
Behavioral task: behavioral3 (sample fires_258452962.exe, resource win7v20201028)
Behavioral task: behavioral4 (sample fires_258452962.exe, resource win10v20201028)
Malware Config
Targets
Target: 1dizrriv.xml.exe
Size: 3.4MB
MD5: 659ddd8e403cde0e6403d605829d0f3b
SHA1: c76efe026ba7761563b889d7ff5dc47f37ce8e89
SHA256: bf5d0e8f30d74f2b00fcd1c5ee90c800b81c9b371e162b884278518925daab84
SHA512: 44eb56bd5bd77dc886d3cc8eda1e2c2b503d605766b2e72444141f3c48b691bbd2ee807b54242c9530f9b9cc17f2a413b69256b5f8302b9946efa0c77be72906
Score: 3/10
Target: fires_258452962.exe
Size: 4.5MB
MD5: 90ce8dd992c0393eb7621e1c773b8914
SHA1: 118efa19dc43b23b76b7d558a3f66d40f0d1b4bc
SHA256: 3efbdb687b9cbb20fb1c2b12e567a650584ddadc598a9e580a70fe0feb14a2bb
SHA512: 014239b2cb990c8f26e8b038d58782a562a3a2489bf2c68e2d7cb9c84d29460b1c59b0ecf4045abd40e8ea6e864e3e507f1e33a2f5afd802926b0688e25b6c84
Score: 10/10
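Before working with a copy of the archive or of either extracted target, a practitioner checks that what was downloaded is byte-for-byte the file this report describes. The following script is an added example, not code from the sandbox or from the report; the digests in REPORT_DIGESTS are copied from the report above, while the local file path, the archive member names and the archive password (sandbox sample archives are often password-protected) are assumptions.

```python
"""Check a downloaded copy of the sample against the digests in this report.

Added example for this page, not code from the sandbox or from the report's
author.  REPORT_DIGESTS is copied from the report; the local path, the member
names inside the archive and the password passed to digest_zip_members() are
assumptions.
"""
import hashlib
import zipfile
from typing import Dict, Optional

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Copied from the report: digests of the archive and of the two extracted targets.
REPORT_DIGESTS: Dict[str, Dict[str, str]] = {
    "fires_258452962.zip": {
        "md5": "f5a2ebe9fa01c78bdfec3136508a738f",
        "sha1": "a16b1088e365e800884b113f8d35ee2818375bf3",
        "sha256": "ceea3e1b3829e10af9e68a64866ff4acbaa96f759b997fa68a1be90e6f4f36c1",
        "sha512": "18cb1cbb3f21cf6cd7ca235283bc6dfe443646aca645e272f044e24f0fd43afdc2839c91dc21c85f97a44635935f6c8c7ff706388dbe3cf09259adc568b04c25",
    },
    "fires_258452962.exe": {
        "md5": "90ce8dd992c0393eb7621e1c773b8914",
        "sha1": "118efa19dc43b23b76b7d558a3f66d40f0d1b4bc",
        "sha256": "3efbdb687b9cbb20fb1c2b12e567a650584ddadc598a9e580a70fe0feb14a2bb",
        "sha512": "014239b2cb990c8f26e8b038d58782a562a3a2489bf2c68e2d7cb9c84d29460b1c59b0ecf4045abd40e8ea6e864e3e507f1e33a2f5afd802926b0688e25b6c84",
    },
    "1dizrriv.xml.exe": {
        "md5": "659ddd8e403cde0e6403d605829d0f3b",
        "sha1": "c76efe026ba7761563b889d7ff5dc47f37ce8e89",
        "sha256": "bf5d0e8f30d74f2b00fcd1c5ee90c800b81c9b371e162b884278518925daab84",
        "sha512": "44eb56bd5bd77dc886d3cc8eda1e2c2b503d605766b2e72444141f3c48b691bbd2ee807b54242c9530f9b9cc17f2a413b69256b5f8302b9946efa0c77be72906",
    },
}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory blob for every algorithm in ALGORITHMS."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digest_bytes, but streamed so a large sample is not read at once."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digest_zip_members(path: str, pwd: Optional[bytes] = None) -> Dict[str, Dict[str, str]]:
    """Digest every file inside the archive without extracting it to disk."""
    out: Dict[str, Dict[str, str]] = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=pwd) as member:
                out[info.filename] = digest_bytes(member.read())
    return out


def compare(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match flags (case-insensitive) over the algorithms both sides carry."""
    return {algo: actual[algo].lower() == expected[algo].lower()
            for algo in expected if algo in actual}


def matches_report(actual: Dict[str, str], expected: Dict[str, str]) -> bool:
    """True only if at least one algorithm was compared and every compared one matched."""
    flags = compare(actual, expected)
    return bool(flags) and all(flags.values())


if __name__ == "__main__":
    # Assumed local filename; the archive password, if any, is not stated in the report.
    archive = "fires_258452962.zip"
    print(archive, "matches report:", matches_report(digest_file(archive), REPORT_DIGESTS[archive]))
    for name, digests in digest_zip_members(archive, pwd=None).items():
        expected = REPORT_DIGESTS.get(name.rsplit("/", 1)[-1])
        if expected is None:
            print(name, "not listed in report")
        else:
            print(name, "OK" if matches_report(digests, expected) else "MISMATCH")
```

Comparing all four digests rather than only MD5 matters here because the report publishes all four; a copy that matches MD5 but not SHA-256 is not the analysed file.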
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- ACProtect 1.3x - 1.4x DLL software: detects a file protected with the ACProtect packer.
- Blocklisted process makes network request
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: hides the calling thread from an attached debugger)
- Suspicious use of SetThreadContext (rewriting another thread's register state, commonly seen in process injection)
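Several of the signatures above describe a persistence chain on the victim host: a file dropped into the Drivers or System32 directory, a dropped executable run, and a Run key added to relaunch it. When triaging a host suspected of this infection, the Run keys are the quickest place to look. The script below is an added example, not part of the sandbox report or of any tool it references: it parses the output of `reg query ... /s` for the Run keys and flags entries whose launch target sits in a user-writable or otherwise unusual location, or carries a second extension the way the report's own dropped sample (1dizrriv.xml.exe) does. The registry lines are constructed sample input, not data from the analysed machine, and the location heuristics and the environment-variable expansions are assumptions, not rules taken from the report.

```python
"""Flag suspicious Run-key entries in `reg query` output.

Added example for this page, not code from the sandbox report.  The sample
registry text, the location heuristics and the %var% expansions are all
assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input in the shape `reg query <key>` prints.  Only the
# "Update" and "drvhost" entries are meant to look suspicious.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Update      REG_SZ    C:\Users\user\AppData\Roaming\svc\1dizrriv.xml.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    drvhost           REG_SZ           C:\Windows\System32\drivers\drvhost.exe
"""

# One value line: name, REG_* type, data, separated by runs of spaces.
VALUE_RE = re.compile(r"^\s+(?P<name>\S(?:.*?\S)?)\s{2,}(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# First executable-looking path in the data, quoted or not, drive letter or %var% rooted.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%[A-Za-z_]+%)\\[^"|<>*?]*?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1)\b',
                     re.IGNORECASE)
# Assumed default-install expansions; adjust to the host under triage.
EXPANSIONS = {
    "%windir%": r"C:\Windows",
    "%systemroot%": r"C:\Windows",
    "%programdata%": r"C:\ProgramData",
    "%appdata%": r"C:\Users\user\AppData\Roaming",
    "%localappdata%": r"C:\Users\user\AppData\Local",
    "%temp%": r"C:\Users\user\AppData\Local\Temp",
}
# Directories an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\", "\\downloads\\")
# Applied to the file name with its final extension removed: "1dizrriv.xml" matches.
INNER_EXT_RE = re.compile(r"\.[a-z]{2,4}$")


@dataclass
class Finding:
    key: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def expand(path: str) -> str:
    """Expand a leading %var% using the assumed EXPANSIONS table."""
    lowered = path.lower()
    for var, value in EXPANSIONS.items():
        if lowered.startswith(var):
            return value + path[len(var):]
    return path


def classify(target: str) -> List[str]:
    """Return the reasons a launch target looks suspicious (empty list if none)."""
    reasons: List[str] = []
    low = target.lower()
    base = low.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("user-writable location")
    if "\\system32\\drivers\\" in low and ext != "sys":
        reasons.append("non-driver executable in Drivers directory")
    if INNER_EXT_RE.search(stem):
        reasons.append("double extension")
    return reasons


def find_suspicious_autoruns(reg_output: str) -> List[Finding]:
    """Walk `reg query` output and return one Finding per suspicious Run value."""
    findings: List[Finding] = []
    key = ""
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        value = VALUE_RE.match(line)
        if not value:
            continue
        path = PATH_RE.search(value.group("data"))
        if not path:
            continue
        target = expand(path.group(0))
        reasons = classify(target)
        if reasons:
            findings.append(Finding(key, value.group("name"), target, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_REG_OUTPUT):
        print(f"{f.key}\\{f.name} -> {f.target}: {', '.join(f.reasons)}")
```

On a real host, feed it the saved output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent (plus RunOnce if desired); a hit is a lead to hash and compare against the digests in the Targets section, not proof of infection on its own.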