General
-
Target
tmp
-
Size
107KB
-
Sample
220728-fw3fvaggd3
-
MD5
f8a7a4c5d75bfda7dbadf09e3a39e089
-
SHA1
4527a2ff764c084e55c190d98824ef664a6f1892
-
SHA256
6bb0ee5036962c86db2292f5ccd21d63a22cbb17a6937c0d89b53ea97b77e8e6
-
SHA512
54887714264f38063eb6166b3d77ba949ddf2b70d169f5d24fdddadb4cee8572d25031b0bcb0ecaa87deccce7b4449d41e7017debf2db7933598c9f18bd735e1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220715-en
Malware Config
Extracted
redline
cheat
nicehash.at:1338
-
auth_value
8095fccd90c93353aaa1fc77bca0ff3f
Extracted
quasar
1.4.0
Office04
nicehash.at:4000
dc4bad02-e33b-461d-8bb2-c976586d2ac0
-
encryption_key
51DF8E701C6F05B28BEC40BEB21419EF5FEC8A38
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
300
-
startup_key
JavaClient Startup
-
subdirectory
JavaTools
Extracted
bitrat
1.38
nicehash.at:6000
-
communication_password
74963e9852aafd36ba521fa22b39e244
-
install_dir
localappdata
-
install_file
Java.exe
-
tor_process
tor
Targets
-
-
Target
tmp
-
Size
107KB
-
MD5
f8a7a4c5d75bfda7dbadf09e3a39e089
-
SHA1
4527a2ff764c084e55c190d98824ef664a6f1892
-
SHA256
6bb0ee5036962c86db2292f5ccd21d63a22cbb17a6937c0d89b53ea97b77e8e6
-
SHA512
54887714264f38063eb6166b3d77ba949ddf2b70d169f5d24fdddadb4cee8572d25031b0bcb0ecaa87deccce7b4449d41e7017debf2db7933598c9f18bd735e1
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-