General
-
Target
68839c313f30b90541be40d8d7cbe2d8cab9ad6f507547178107d1534ff116bf
-
Size
359KB
-
Sample
220709-vrdn9ahhf3
-
MD5
467ea3d36c339565985d07a50342c8cb
-
SHA1
0a04b248297f3334c5ea31a43fa2ef2ff0eb2db8
-
SHA256
68839c313f30b90541be40d8d7cbe2d8cab9ad6f507547178107d1534ff116bf
-
SHA512
8136f125e78180a2f03f07af3bc565228b2e783047a1541ef14c8740b9a1dc858a9e5cf98af0e95432980e8953ff63a2bd6fad48dfc30b20473c4b1b760a851c
Static task
static1
Behavioral task
behavioral1
Sample
68839c313f30b90541be40d8d7cbe2d8cab9ad6f507547178107d1534ff116bf.exe
Resource
win10-20220414-en
Malware Config
Extracted
redline
1
38.17.53.140:30686
-
auth_value
7d4c8895c781964b1dd3b37efbb922d8
Extracted
redline
193.233.193.49:11906
-
auth_value
ad5cd49e075db8527ecb265d0bf18710
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Extracted
redline
1399237859
37.235.54.26:8362
Extracted
redline
@mahouny23
194.36.177.26:16686
-
auth_value
1e6a07738976b205f98e69f03924461d
Targets
-
-
Target
68839c313f30b90541be40d8d7cbe2d8cab9ad6f507547178107d1534ff116bf
-
Size
359KB
-
MD5
467ea3d36c339565985d07a50342c8cb
-
SHA1
0a04b248297f3334c5ea31a43fa2ef2ff0eb2db8
-
SHA256
68839c313f30b90541be40d8d7cbe2d8cab9ad6f507547178107d1534ff116bf
-
SHA512
8136f125e78180a2f03f07af3bc565228b2e783047a1541ef14c8740b9a1dc858a9e5cf98af0e95432980e8953ff63a2bd6fad48dfc30b20473c4b1b760a851c
-
Detects Eternity stealer
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-