General
-
Target
0ca8a68308fac722e8aa2e8c0a0016ea
-
Size
3.4MB
-
Sample
220129-qgpljsbgb2
-
MD5
0ca8a68308fac722e8aa2e8c0a0016ea
-
SHA1
79963426b94a5e1badacb63522bf6df6a7909fef
-
SHA256
b2596bd49beb188627fb0ad46f87c2359d27e49b3d021e45e779cfa66eb25b75
-
SHA512
b413f31e14a34a5545ae3a30159e0f57cbfd186c498c16200da7c6d9d6ae0b2dacc38f5467bfb246f60a518a800301305354b2401aa70ba7bbfa45c760773e6d
Static task
static1
Behavioral task
behavioral1
Sample
0ca8a68308fac722e8aa2e8c0a0016ea.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0ca8a68308fac722e8aa2e8c0a0016ea.exe
Resource
win10-en-20211208
Malware Config
Extracted
redline
5.206.227.11:63730
Targets
-
-
Target
0ca8a68308fac722e8aa2e8c0a0016ea
-
Size
3.4MB
-
MD5
0ca8a68308fac722e8aa2e8c0a0016ea
-
SHA1
79963426b94a5e1badacb63522bf6df6a7909fef
-
SHA256
b2596bd49beb188627fb0ad46f87c2359d27e49b3d021e45e779cfa66eb25b75
-
SHA512
b413f31e14a34a5545ae3a30159e0f57cbfd186c498c16200da7c6d9d6ae0b2dacc38f5467bfb246f60a518a800301305354b2401aa70ba7bbfa45c760773e6d
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-