General

Target: user-invoice-8488888.doc
Size: 63KB
Sample: 210511-4y2az5vn4s
MD5: e6fa4e620f40158675e05a337318ee50
SHA1: 5b6dfc5bcdd0d9fd0b6ed397c1d325f41784a0d6
SHA256: 71adba3a8692ba36d24a2280954bc55db0b0c2a067a84a569682414443893ac7
SHA512: 74de666ee675b9683b996bfffaf3e7729cc19ff607124c305e0e317ad74f9aab52844d73d1e08f1503b60d27f627aec98cc9d752241a89570a00ac869b669b9a
Static task: static1
Behavioral task: behavioral1
Sample: user-invoice-8488888.doc
Resource: win7v20210410

Malware Config

Extracted: https://bitbucket.org/tanake5518/fi/downloads/r1oo.exe
Targets

Target: user-invoice-8488888.doc
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Turns off Windows Defender SpyNet reporting
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext