General
-
Target
ADA6977ABF5CAA24A75F0DB17220267F6B05F11ED9497.exe
-
Size
4.8MB
-
Sample
220126-sx2xxseedn
-
MD5
406e2d7be4f35055b745b454f4394c59
-
SHA1
2a54af5951c86ff57fd75adb7ee2f1dca7056e8e
-
SHA256
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
-
SHA512
548809a9a1355214ffce169f5838d32bc06aabd2208d3462e26e170e8ec200873cd2d0df40c927bf63964ca06f86554a1d7d247f666e6c4901c40527e59b52a3
Malware Config
Extracted
redline
pub1
viacetequn.site:80
Targets
-
-
Target
ADA6977ABF5CAA24A75F0DB17220267F6B05F11ED9497.exe
-
Size
4.8MB
-
MD5
406e2d7be4f35055b745b454f4394c59
-
SHA1
2a54af5951c86ff57fd75adb7ee2f1dca7056e8e
-
SHA256
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
-
SHA512
548809a9a1355214ffce169f5838d32bc06aabd2208d3462e26e170e8ec200873cd2d0df40c927bf63964ca06f86554a1d7d247f666e6c4901c40527e59b52a3
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-