Extracted

Extracted

Extracted

Extracted

• • Target

    f618840fdc6d40a683f35a268444ad53

  • Size

    1.0MB

  • MD5

    f618840fdc6d40a683f35a268444ad53

  • SHA1

    259eaba7e8902e26f516f47f25aa35e78496b0d3

  • SHA256

    f60f32ec899bcb92fd50491a8c32f0548afbd4dc02462dfa373d484b4b161a86

  • SHA512

    eaef79404a16724db4eaa4e898d4ae3c575a8bcde0227aad94d0099b49b407676678113375252c085ce447188047a0e5233696d236208f81bf1519b9e4b920e7

  Score

  10^/10

  redlineservhelper0808212backdoordiscoveryexploitinfostealerpersistencespywaresuricatatrojanupx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • suricata: ET MALWARE ServHelper CnC Inital Checkin

    suricata: ET MALWARE ServHelper CnC Inital Checkin

    suricata

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2