General
-
Target
installer.exe
-
Size
1.9MB
-
Sample
210410-1dncgtl7ce
-
MD5
46b155bb059841efcb9e0f0f10e18238
-
SHA1
1b31fb36f236670ad34fec242e66f4bef82468e9
-
SHA256
304abb9d5a128957d5e9cbfc2e2b74904cebe604bc4e1fc85eef3d9db5e4b118
-
SHA512
0bce4a3639c32fcf101a5b0b91bad8f5a812ce5bfccde2b3888137e8a0635c65138ad9c2eeb7163903a83c8fca10cf40ca790d6d30d9861e1452f10c6a889aaa
Static task
static1
Behavioral task
behavioral1
Sample
installer.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
installer.exe
Resource
win10v20201028
Malware Config
Extracted
http://labsclub.com/welcome
Extracted
icedid
1925120085
Targets
-
-
Target
installer.exe
-
Size
1.9MB
-
MD5
46b155bb059841efcb9e0f0f10e18238
-
SHA1
1b31fb36f236670ad34fec242e66f4bef82468e9
-
SHA256
304abb9d5a128957d5e9cbfc2e2b74904cebe604bc4e1fc85eef3d9db5e4b118
-
SHA512
0bce4a3639c32fcf101a5b0b91bad8f5a812ce5bfccde2b3888137e8a0635c65138ad9c2eeb7163903a83c8fca10cf40ca790d6d30d9861e1452f10c6a889aaa
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Sets service image path in registry
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-