General
- Target: aad0024d7c30bf6fee7c90d90371ca14.exe
- Size: 37.0MB
- Sample: 220609-yyt7csbgbp
- MD5: aad0024d7c30bf6fee7c90d90371ca14
- SHA1: a503d2586a3eab062b1696fc1602bae9faaeb221
- SHA256: 69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07
- SHA512: b8aa5a82c7b3366bc93dee6bfffbb6d5e6fefeff12d8073f8a86993e0a4c985fd88dd33ef87b89384cd094dc34444fc505bfcb3b90cc647bd01088692c3f970a
Static task: static1
Behavioral task: behavioral1
- Sample: aad0024d7c30bf6fee7c90d90371ca14.exe
- Resource: win7-20220414-en
Malware Config
Extracted: http://thddghdd3.com/hfile.bin
Extracted: redline
- Main: 185.250.148.104:23290
- auth_value: 128a196090d81c16477a2ef82c42859f
Targets
- Target: aad0024d7c30bf6fee7c90d90371ca14.exe
- Modifies security service
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext