General

Target: b6886ffe6ca1c02c8dc599ed1bb7f0c4.exe
Size: 2.3MB
Sample: 220623-ef7vysbegr
MD5: b6886ffe6ca1c02c8dc599ed1bb7f0c4
SHA1: 1b82158d56530c4a8ae83fee7ecdc1d91cbafb0c
SHA256: 3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0
SHA512: 1b81d29cc15091196ab94afabaf1520807459141bd5edb5cf40fafa469e422dec0e77014cb1dd6cae7e077a2ea993f7b03b729846898f6729a2efe6d1a681974

Static task: static1

Behavioral task: behavioral1
Sample: b6886ffe6ca1c02c8dc599ed1bb7f0c4.exe
Resource: win7-20220414-en
Malware Config

Extracted: redline
Botnet: Bartho
C2: 45.67.35.151:20686
auth_value: a33b211fae3d9b87a1d711957edd752e

Extracted: gozi_ifsb
Botnet: 20000
C2: apghn.msn.com
C2: 188.126.76.221
base_path: /budweiser/
build: 250235
exe_type: loader
extension: .bbu
server_id: 50

Extracted: gozi_ifsb
Botnet: 20000
C2: apggn.msn.com
C2: 188.126.76.221
C2: aphgn.msn.com
C2: 176.97.65.105
base_path: /budweiser/
build: 250235
exe_type: worker
extension: .bbu
server_id: 50
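The extracted configs above are the most directly actionable part of this report: the RedLine C2 is a bare TCP ip:port (so it shows up in flow logs, not in an HTTP proxy), while the Gozi ISFB configs (Ursnif in the Suricata rule names is the same family) carry hostnames, bare IPs, a base_path and a URI extension. Two caveats for anyone turning these into detections: blocking only the hostnames misses the IP-only C2 entries, and the msn.com hostnames are just strings in a malware config, not evidence that Microsoft infrastructure is involved. The script below is an added example, not part of the sandbox report or of any vendor tooling; the indicator values are copied from the configs above, the log line formats and the log lines themselves are constructed for the example.

```python
"""Turn the report's extracted configs into a small IOC matcher.

Added example, not part of the sandbox report. Indicator values are copied
from the report's "Malware Config" section; the log formats and sample lines
below are constructed for this example.
"""
from dataclasses import dataclass

# Values from the report's extracted configs.
REDLINE_C2 = {("45.67.35.151", 20686)}                      # raw TCP, not HTTP
GOZI_HOSTS = {"apghn.msn.com", "apggn.msn.com", "aphgn.msn.com"}
GOZI_IPS = {"188.126.76.221", "176.97.65.105"}
GOZI_BASE_PATH = "/budweiser/"
GOZI_EXTENSION = ".bbu"


@dataclass
class Hit:
    family: str
    reason: str
    line: str


def _parse_proxy(line):
    # Constructed format: "<ts> <src_ip> <dst_ip> <method> http://<host><path>"
    parts = line.split()
    if len(parts) != 5 or not parts[4].startswith("http"):
        return None
    _ts, src, dst, _method, url = parts
    rest = url.split("://", 1)[1]
    host, _, path = rest.partition("/")
    return {"src": src, "dst": dst, "host": host.split(":")[0].lower(), "path": "/" + path}


def _parse_flow(line):
    # Constructed format: "<ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>"
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst_ip, _, dport = parts[3].rpartition(":")
    return {"dst": dst_ip, "dport": int(dport), "proto": parts[4].lower()}


def match_line(line):
    """Return the Hit objects for one proxy or flow log line (empty list if clean)."""
    hits = []
    req = _parse_proxy(line)
    if req:
        if req["host"] in GOZI_HOSTS:
            hits.append(Hit("gozi_ifsb", "C2 hostname", line))
        if req["dst"] in GOZI_IPS:          # catches traffic the hostname list alone would miss
            hits.append(Hit("gozi_ifsb", "C2 IP", line))
        # URI shape from the config (base_path prefix plus .bbu extension), checked
        # independently of host and IP so a rotated C2 with the same build is still flagged.
        path = req["path"].split("?", 1)[0]
        if path.startswith(GOZI_BASE_PATH) and path.endswith(GOZI_EXTENSION):
            hits.append(Hit("gozi_ifsb", "base_path + extension", line))
        return hits
    flow = _parse_flow(line)
    if flow and flow["proto"] == "tcp" and (flow["dst"], flow["dport"]) in REDLINE_C2:
        hits.append(Hit("redline", "C2 ip:port", line))
    return hits


def scan(lines):
    """Run match_line over an iterable of log lines and collect every Hit."""
    out = []
    for line in lines:
        out.extend(match_line(line))
    return out


# Constructed sample log lines (not from the report); 10.0.0.5 is the assumed victim.
SAMPLE_LOGS = [
    "2022-06-23T10:01:02Z 10.0.0.5 188.126.76.221 GET http://apghn.msn.com/budweiser/abc123.bbu",
    "2022-06-23T10:01:03Z 10.0.0.5 203.0.113.9 GET http://example.org/budweiser/menu.html",
    "2022-06-23T10:01:04Z 10.0.0.5 198.51.100.4 POST http://cdn.example.net/budweiser/upload.bbu",
    "2022-06-23T10:01:05Z 10.0.0.5:49211 -> 45.67.35.151:20686 tcp",
    "2022-06-23T10:01:06Z 10.0.0.5:49212 -> 45.67.35.151:443 tcp",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h.family:10} {h.reason:22} {h.line}")
```

The third sample line is the interesting one: neither the host nor the destination IP is in the config, but the request still matches on the URI shape, which is the check that survives infrastructure rotation. Conversely the last line shows why the RedLine indicator must include the port; the same IP on 443 is not the extracted C2.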
Targets

Target: b6886ffe6ca1c02c8dc599ed1bb7f0c4.exe
Size: 2.3MB
MD5: b6886ffe6ca1c02c8dc599ed1bb7f0c4
SHA1: 1b82158d56530c4a8ae83fee7ecdc1d91cbafb0c
SHA256: 3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0
SHA512: 1b81d29cc15091196ab94afabaf1520807459141bd5edb5cf40fafa469e422dec0e77014cb1dd6cae7e077a2ea993f7b03b729846898f6729a2efe6d1a681974

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Data Exfil

Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext