General
Target: d31de02b5f962de2238544c454be3d8a.exe
Size: 139KB
Sample: 220331-nm94bsbbh8
MD5: d31de02b5f962de2238544c454be3d8a
SHA1: ed2c92e0eb1aed02ed6a471b7b51a2e049771c67
SHA256: d012e723b1fe4143b4fc37a45a41718ee2a3e13c333fb51e0e2bdb0653e5da96
SHA512: 869b7d64f24ba04bc49e6df6b2aa61ede65ca4c2c94075f0c39c95230d528c86b969f911beb1956ae8d7dfa1973647c0eb2c61523285ad4f8820016fb26b07a6
Static task: static1
Behavioral task: behavioral1 (Sample: d31de02b5f962de2238544c454be3d8a.exe, Resource: win7-20220310-en)
Behavioral task: behavioral2 (Sample: d31de02b5f962de2238544c454be3d8a.exe, Resource: win10v2004-en-20220113)
Malware Config
Extracted: warzonerat, 108.170.60.184:5200
Extracted: redline (rrr), 46.8.19.115:7225, auth_value ee6604d0530215d1c747f04e49b3c531
Extracted: redline (ruzki28_03), 176.122.23.55:11768, auth_value 22cdac7fdda98bfe74c28402ce2ddc18
Extracted: redline (nam33), 103.133.111.182:44839, auth_value 8b278c0f8c2de9225b1633fa0e83ddce
Extracted: redline, 193.106.191.253:4752, auth_value ec8cbe4ac27e8d5a62e72c4281063258
Extracted: redline (RUZK), 91.243.59.45:34762, auth_value 8c76f33e1a37a1142ff1a265063ec892
Extracted: redline (@ywqmre), 185.215.113.66:26416, auth_value 5aab3b27575b218cc78165f1b5c607a0
Targets
Target: d31de02b5f962de2238544c454be3d8a.exe
Size: 139KB
MD5: d31de02b5f962de2238544c454be3d8a
SHA1: ed2c92e0eb1aed02ed6a471b7b51a2e049771c67
SHA256: d012e723b1fe4143b4fc37a45a41718ee2a3e13c333fb51e0e2bdb0653e5da96
SHA512: 869b7d64f24ba04bc49e6df6b2aa61ede65ca4c2c94075f0c39c95230d528c86b969f911beb1956ae8d7dfa1973647c0eb2c61523285ad4f8820016fb26b07a6
Signatures
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- OnlyLogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.