Behavioral task
behavioral1
Sample
1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
Resource
win10v2004-20220414-en
General
-
Target
1684-55-0x0000000001ED0000-0x0000000001F02000-memory.dmp
-
Size
200KB
-
MD5
038ca458ecc3d2731f09dc219644f047
-
SHA1
2ce33af6fb9d00344c524af3192deb5371c41594
-
SHA256
4ae2c9fe2e06741ddcb1fc6112fc834011e9ac054d851a5a3a8301c5c1c4bf58
-
SHA512
5f6e890a296fdef00088270f2c2ff26461ac37e5ffa2c354db52d5a955fccb40c04295d594607166c38d20cb73b283dfa4ca849ede759899d410f8790c5c1da8
-
SSDEEP
3072:WGg7UavAjCDTRDZvBLs6wsD4WkkR2IYvRhRq4mLoFPz:doUUhfXVkbRhU4Co
Malware Config
Extracted
redline
$
91.242.229.130:26402
-
auth_value
81039c9bd8ac8c604b05080ab4a86168
Signatures
-
.NET Reactor protector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource: sample, yara_rule: net_reactor
-
RedLine Payload 1 IoCs
Processes:
resource: sample, yara_rule: family_redline
-
Redline family
Files
-
1684-55-0x0000000001ED0000-0x0000000001F02000-memory.dmp.exe windows x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 173KB - Virtual size: 173KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ