General
Target: c743068884e5656a7656592ce5b7cb71ab95eddb364fa460b31c7e60f6fe3f79.zip
Size: 324KB
Sample: 220104-emccmaaden
MD5: 99c906cebfa979011fee05770c6b8bc1
SHA1: 1d9705443a29fe402e736ea5eb852c89430a7877
SHA256: 7c57bc24a838278b7530516273a452e0e4723ed1a280244dcc12a50b2fb28118
SHA512: 606929d9e7e3828421ccebba8db3e4f7244f0012affe94c413d4d35e04f25a2adc04bdb4dae15fcb0ebbb2021b56d18c657a616029e7e64118abc6f98692bedd
Static task: static1
Behavioral task: behavioral1
  Sample: c743068884e5656a7656592ce5b7cb71ab95eddb364fa460b31c7e60f6fe3f79.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: c743068884e5656a7656592ce5b7cb71ab95eddb364fa460b31c7e60f6fe3f79.exe
  Resource: win10-en-20211208
Malware Config
Extracted
  Family: redline
  Botnet: cheat
  C2: 45.147.196.146:6213
Extracted
  Family: raccoon
  Botnet: e9f10fade0328e7cef5c9f5bf00076086ba5a8a1
  url4cnc:
    http://91.219.236.18/baldandbankrupt1
    http://194.180.174.41/baldandbankrupt1
    http://91.219.236.148/baldandbankrupt1
    https://t.me/baldandbankrupt1
Targets
Target: c743068884e5656a7656592ce5b7cb71ab95eddb364fa460b31c7e60f6fe3f79
Size: 843KB
MD5: f95dbac9816e7e57b5cdd6a2c8df2191
SHA1: 925ed9a2e86cdee9090f17875766d513bd9bb971
SHA256: c743068884e5656a7656592ce5b7cb71ab95eddb364fa460b31c7e60f6fe3f79
SHA512: b3b74dd7c349afe8ea48a1a770099d7d5c366c8cfeb7405b9712e18ecdce5d7c1fda5169bb402553810e44adaea66ed09e40cd20574329f7389ee7f49023726d
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext