General
- Target: 574843CE13304217F897E35CCFA66118.exe
- Size: 1.6MB
- Sample: 210814-8h7w257wm2
- MD5: 574843ce13304217f897e35ccfa66118
- SHA1: 19671765f1d4db74a1a9bca2911ff8f3d9633a81
- SHA256: 041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81
- SHA512: 3d344e2208a0b00775b64cc897cd47d29b507f7da2416270cd3b2594a3379b12786ad29c14682259843ce0a1f176d15fa7406639ba11f71e1d01a1899be04427
Static task: static1
Behavioral task: behavioral1
- Sample: 574843CE13304217F897E35CCFA66118.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 574843CE13304217F897E35CCFA66118.exe
- Resource: win10v20210410
Malware Config
- Extracted: https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt
- Extracted: redline, usacash888, 185.53.46.25:38743
- Extracted: redline, Ruz, sandedean.xyz:80
- Extracted: redline, birja traff, alasshrilm.xyz:80
Targets
- Target: 574843CE13304217F897E35CCFA66118.exe
- Size: 1.6MB
- MD5: 574843ce13304217f897e35ccfa66118
- SHA1: 19671765f1d4db74a1a9bca2911ff8f3d9633a81
- SHA256: 041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81
- SHA512: 3d344e2208a0b00775b64cc897cd47d29b507f7da2416270cd3b2594a3379b12786ad29c14682259843ce0a1f176d15fa7406639ba11f71e1d01a1899be04427
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
- suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
- Core1 .NET packer: Detects packer/loader used by .NET malware.
- CustAttr .NET packer: Detects CustAttr .NET packer in memory.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext