General
Target: 7268e57a354c49482b14d239632cfd73.exe
Size: 381KB
Sample: 210522-ep9csynfz6
MD5: 7268e57a354c49482b14d239632cfd73
SHA1: 8d42017b64c9d4060c56f5916bd70c6f42515d13
SHA256: a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
SHA512: e0cab9d4b5b39a5202790dd5ca634e9e15dae583fa7071186f787183e9bcf01c5264265660572d9de226108a308136e8a9d8340569826abc4d9fe1644223c297
Static task: static1
Behavioral task: behavioral1 (Sample: 7268e57a354c49482b14d239632cfd73.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: 7268e57a354c49482b14d239632cfd73.exe, Resource: win10v20210410)
Malware Config
Extracted family: redline
Botnet: BBS1
C2: 87.251.71.193:80
The configuration extractor identified only the RedLine family; the address above is the command-and-control endpoint embedded in the sample and is the primary network indicator from this run.
Targets
Target: 7268e57a354c49482b14d239632cfd73.exe
Size: 381KB
MD5: 7268e57a354c49482b14d239632cfd73
SHA1: 8d42017b64c9d4060c56f5916bd70c6f42515d13
SHA256: a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
SHA512: e0cab9d4b5b39a5202790dd5ca634e9e15dae583fa7071186f787183e9bcf01c5264265660572d9de226108a308136e8a9d8340569826abc4d9fe1644223c297
Matched signatures:
- ElysiumStealer: ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Checks for common network interception software: looks in the registry for tools like Wireshark or Fiddler that are commonly used to analyze network activity (an anti-analysis check).
- Blocklisted process makes network request
- Creates new service(s)
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application (persistence)
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext: commonly seen when a process writes code into another process and redirects a thread to it (e.g. process hollowing).
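To triage a host or a second sandbox run against the behaviours listed above, the registry and network events can be matched back to the report's signature names. The following Python is an added example, not code from the sandbox or from this report: the registry paths and IP-lookup hostnames it checks are my assumptions about what each signature looks for, the "Connects to extracted C2" rule is my own addition built from the config above, and the event list is constructed for illustration.

```python
import re
from collections import defaultdict

# C2 endpoint from the extracted RedLine configuration in the report.
C2 = "87.251.71.193:80"

# Rules: (signature name as it appears in the report, event operations it
# applies to, regex over the registry key path or network target).
# The registry paths and IP-lookup hosts are my assumptions about what each
# signature looks for; they are not the sandbox's own rule definitions.
REG_READ = {"RegOpenKey", "RegQueryValue"}
NET = {"TcpConnect", "HttpRequest"}
RULES = [
    ("Checks for common network interception software", REG_READ,
     re.compile(r"\\(Wireshark|Fiddler)", re.I)),
    ("Checks computer location settings", REG_READ,
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Checks installed software on the system", REG_READ,
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("Adds Run key to start application", {"RegSetValue"},
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    ("Looks up external IP address via web service", NET,
     re.compile(r"^(api\.ipify\.org|ip-api\.com|checkip\.dyndns\.org)(/|$)", re.I)),
    ("Connects to extracted C2", NET,
     re.compile(r"^" + re.escape(C2) + r"$")),
]

# Constructed sample of (operation, target) events, roughly in the shape a
# sandbox's registry/network trace would yield. Not taken from the report.
SAMPLE_EVENTS = [
    ("RegOpenKey", r"HKLM\SOFTWARE\Wireshark"),
    ("RegOpenKey", r"HKCU\Software\Microsoft\Fiddler2"),
    ("RegQueryValue", r"HKCU\Control Panel\International\Geo\Nation"),
    ("RegOpenKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("RegOpenKey", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"),
    ("RegOpenKey", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),     # read only: not persistence
    ("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("HttpRequest", "api.ipify.org/"),
    ("TcpConnect", "87.251.71.193:80"),
    ("TcpConnect", "198.51.100.7:443"),                                         # unrelated traffic
]


def classify(events):
    """Return {signature name: [(op, target), ...]} for every rule that fired."""
    hits = defaultdict(list)
    for op, target in events:
        for name, ops, pattern in RULES:
            if op in ops and pattern.search(target):
                hits[name].append((op, target))
    return dict(hits)


def summarize(events):
    """One line per rule, in rule order, with the number of matching events."""
    hits = classify(events)
    return [f"{name}: {len(hits.get(name, []))} event(s)" for name, _, _ in RULES]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

The Run-key rule deliberately fires only on a write (RegSetValue): reading HKCU\...\Run is routine and would otherwise flood the persistence signature with false positives, which is why the read-only event in the sample is not counted.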