General
Target: SkyBlade.zip
Size: 3.6MB
Sample: 220429-wlvagsccg3
MD5: bf278501d3b6620b9e407a0dfa46aff8
SHA1: 8cf86b2176b5b614d4bc342ae862a2de870f9a20
SHA256: 2f4436227631fbfc70b98404559985ec59119ef620bc856f127d2cf927659be0
SHA512: 14457f00a10abc2c3027794f846db6ea3c3ea7423f1e0b931e0ff6a51018a4d283f4b729df37732bebdcefbfb80a92039f0add8f9f037147c7c1e46d0e18ff11
Static task: static1

Behavioral task: behavioral1
Sample: SkyBlade/StartGame.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: SkyBlade/StartGame.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted
Family: redline
Botnet: 1
C2: 65.108.5.252:43673
auth_value: 95517c2a2f56575288c35d9dfde4a6aa
Targets
Target: SkyBlade/StartGame.exe
Size: 3.3MB
MD5: 6cc724aeb4a4b65ec4c162f88bcd251c
SHA1: 1eabb1cdb279a90518654f58071674bc8db62511
SHA256: e5963aca74fd4fca8fbd1f4189cb726f4c1acffd39fe28626e8eafdf82e147a9
SHA512: e9703dd68996474eaf17fbc992e766bcac89523cfc8598d180a417bdbbed832d05e01cb5fc8907ff478bc6adc020e819297a5154ad1025c9377918f1683d0186
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext