General
Target: aef619f1c892e20591b6f57ae94919de0f64321bb3199992a6be157396451828
Size: 842KB
Sample: 220803-tsqjrseagp
MD5: 8c29805d45b0c6d6f040154f47cb7962
SHA1: 2caed38ca2e6cd7435b7b3acace465b11e15e659
SHA256: ef978c10e527d8156e7fa53b036584b0fe6354eed606161cfd839a3315d67eec
SHA512: fa5536b265c51adeb33fe1ab7fea865525474b1c48ac122891ebc7b9b8ddf9bbdaae1c52bb8316efd44a3490007fc9b395a6f5adb74678af0f16eb642ec0816d
Static task: static1

Behavioral task: behavioral1
Sample: aef619f1c892e20591b6f57ae94919de0f64321bb3199992a6be157396451828.exe
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: aef619f1c892e20591b6f57ae94919de0f64321bb3199992a6be157396451828.exe
Resource: win10v2004-20220721-en
Malware Config

Extracted: redline
nam3
103.89.90.61:18728
auth_value: 64b900120bbceaa6a9c60e9079492895

Extracted: redline
4
31.41.244.134:11643
auth_value: a516b2d034ecd34338f12b50347fbd92

Extracted: redline
5076357887
195.54.170.157:16525
auth_value: 0dfaff60271d374d0c206d19883e06f3

Extracted: raccoon
afb5c633c4650f69312baef49db9dfa4
http://77.73.132.84

Extracted: raccoon
f0c8034c83808635df0d9d8726d1bfd6
http://45.95.11.158/
Targets
Target: aef619f1c892e20591b6f57ae94919de0f64321bb3199992a6be157396451828
Size: 926KB
MD5: 8403aafb699102c31454cd352a849553
SHA1: 9dc9d5b7898e0ed77e1613adeb9f94eacafbe257
SHA256: aef619f1c892e20591b6f57ae94919de0f64321bb3199992a6be157396451828
SHA512: f77e0f1af74bb1f8efd4feadb3b94c87ac7f05bec360b23da8a2ca586b18d74cac4a134016a8a899615086386afc9de3ff51e8bfe598385e699bf2556ef2f208
- Raccoon Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2