General
Target: ExpressVPN.exe
Size: 186KB
Sample: 220629-skcr9scbc5
MD5: 2620c49e134e1d07fbefe1d3700d72a5
SHA1: 592f0a98c0143750393635bcf419736c1498f1c1
SHA256: 7e9e6feb29bbd8c51fb07675a8083b2613ae20b5f121e49d1489432cf00d7a67
SHA512: dce4326cde61a37a1e65316cc1419089caa456d0b2f959585c1c982abd62f29031c37e6f86bcdca19a0c50fe4ab69ad2b6f73901c5c8fa38ef5703ab4169a265

Static task: static1
Behavioral task: behavioral1
Sample: ExpressVPN.exe
Resource: win7-20220414-en

Malware Config
Extracted: redline
2
23.88.39.22:43679
auth_value: 06ade036180b58333a41a7537c92df05

Targets
Target: ExpressVPN.exe
Size: 186KB
MD5: 2620c49e134e1d07fbefe1d3700d72a5
SHA1: 592f0a98c0143750393635bcf419736c1498f1c1
SHA256: 7e9e6feb29bbd8c51fb07675a8083b2613ae20b5f121e49d1489432cf00d7a67
SHA512: dce4326cde61a37a1e65316cc1419089caa456d0b2f959585c1c982abd62f29031c37e6f86bcdca19a0c50fe4ab69ad2b6f73901c5c8fa38ef5703ab4169a265

Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext