General
-
Target
RQF #00811-AL WASL.exe
-
Size
1.5MB
-
Sample
220401-nxaffsbbg2
-
MD5
d870373e2ffd2b1788beaec4582f3f3d
-
SHA1
5553327f2dd0792f4d2f2171a8fb7122ecfb18fb
-
SHA256
64e046a94ea6f31a4a2cf9c77dc6e4f0d9e7455705668e8b354057c1d04f9b55
-
SHA512
b2726b8c92946e84749682dd5cb3f32e12a449f539bdfe3ae31c1c6a71974d0bcef61468e8564fa1447714fc2b62401578acf7db0ac54e312f6e88977b426bdf
Static task
static1
Behavioral task
behavioral1
Sample
RQF #00811-AL WASL.exe
Resource
win7-20220310-en
Malware Config
Extracted
redline
jd
96.47.234.207:15286
Targets
-
-
Target
RQF #00811-AL WASL.exe
-
Size
1.5MB
-
MD5
d870373e2ffd2b1788beaec4582f3f3d
-
SHA1
5553327f2dd0792f4d2f2171a8fb7122ecfb18fb
-
SHA256
64e046a94ea6f31a4a2cf9c77dc6e4f0d9e7455705668e8b354057c1d04f9b55
-
SHA512
b2726b8c92946e84749682dd5cb3f32e12a449f539bdfe3ae31c1c6a71974d0bcef61468e8564fa1447714fc2b62401578acf7db0ac54e312f6e88977b426bdf
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-