General
Target: onestep_817601070.zip
Size: 7.3MB
Sample: 210722-vrwe53ajen
MD5: ef2e062a5b07bb61118cc0b50e0e392b
SHA1: d35819f7d5a6b30465a7f877982ee42f53062d02
SHA256: 046942c430f910e16c224d3109007c9855c0529e84cc9bf911845c62ac018186
SHA512: 051cc370b0cb8bf72cfea60bbea8327ef1168d84eeecb1d2fe7767770be9c5d5fa2ae4b9fd36a180006bcccccfe59ad4a3548fc7de058d4222ac5b9802c8e199
Static task: static1
Behavioral task: behavioral1 (Sample: onestep_817601070.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: onestep_817601070.exe, Resource: win10v20210410)
Malware Config
Extracted (redline): 180721, C2 cookiebrokrash.info:80
Extracted (redline): KO1000000, C2 qusenero.xyz:80
Targets
Target: onestep_817601070.exe
Size: 7.0MB
MD5: 9815414bc96392ce89a88d0c7c46585a
SHA1: 56deb0499d6a67d90b5bf92a597456fd1a05535c
SHA256: 75d4cd9fa27ad0133285d39729bc676b4062f0856e4315bf9232d5123795ce0d
SHA512: 2dff98fa978db9fb30adfec10b13e084784381441a97ef4675c8c9ccaa2302cb72111f3e6c7265076f818a0f929b9495ea314919997748f5b3797d8371e44a13
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
  AutoIT scripts compiled to PE executables.