General
Target: 0x00070000000139ff-155.dat
Size: 1.0MB
Sample: 220806-q3s6vsfcem
MD5: e44b6cb9e7111de178fbabf3ac1cba76
SHA1: b15d8d52864a548c42a331a574828824a65763ff
SHA256: c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22
SHA512: 24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf
Behavioral task: behavioral1
Sample: 0x00070000000139ff-155.exe
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: 0x00070000000139ff-155.exe
Resource: win10v2004-20220721-en
Malware Config

Extracted: redline
Botnet: install
C2: 31.41.244.109:3590
auth_value: eb23a0ca5a38a3bf1eb16b2f08524f35

Extracted: nymaim
C2: 208.67.104.9
C2: 212.192.241.16

Extracted: redline
C2: 194.36.177.7:39556
auth_value: 37f7baab2f9c2105ad605cd792dbb4ca

Extracted: redline
Botnet: ruzki
C2: 193.106.191.165:39482
auth_value: 71a0558c0eea274a5bd617ea85786884

Extracted: redline
Botnet: ruzki 10
C2: 185.106.92.235:12654
auth_value: bd55c8a28ef77f4992002099164ebe01
Targets

Target: 0x00070000000139ff-155.dat
PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or a macro.
RedLine
  RedLine Stealer is a malware family written in C#, first seen in early 2020.
RedLine payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
Loads dropped DLL
Unexpected DNS network traffic destination
  Traffic on the DNS port to a server other than the configured DNS servers was detected.
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
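The C2 endpoints in the extracted configs and the "Unexpected DNS network traffic destination" signature translate directly into host-network detection logic. The following Python is an added example, not part of the sandbox report or of any tool it names: it parses Sysmon Event ID 3 style key=value lines (constructed here, not captured from the sample) and matches them against the RedLine and Nymaim C2 addresses listed above, flags DNS-port traffic to any resolver outside an assumed configured set (CONFIGURED_DNS, 10.0.0.53 and 10.0.0.54, an assumption to replace with the real list), and distinguishes an exact IP:port C2 hit from traffic to a known C2 address on some other port.

```python
"""Match network events against the C2 indicators from the extracted configs.

Added example, not part of the sandbox report.  Log lines are constructed in
the Sysmon Event ID 3 key=value style; CONFIGURED_DNS is an assumed resolver
list that must be replaced with the real one before use.
"""
import re
from dataclasses import dataclass

# RedLine C2 endpoints exactly as listed in the extracted configs (ip, port).
REDLINE_C2 = {
    ("31.41.244.109", 3590): "redline (install)",
    ("194.36.177.7", 39556): "redline",
    ("193.106.191.165", 39482): "redline (ruzki)",
    ("185.106.92.235", 12654): "redline (ruzki 10)",
}
REDLINE_ADDRS = {ip for ip, _ in REDLINE_C2}
# The Nymaim config carries no port, so these are matched on address alone.
NYMAIM_C2 = {"208.67.104.9", "212.192.241.16"}
# Assumption: the only resolvers hosts on this network should talk to.
CONFIGURED_DNS = {"10.0.0.53", "10.0.0.54"}

# Key=Value pairs; a value runs until the next " Key=" or end of line, so
# paths containing spaces (e.g. Program Files) survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\s*$)")


@dataclass(frozen=True)
class NetEvent:
    image: str
    proto: str
    dst_ip: str
    dst_port: int


def parse_event(line: str) -> NetEvent:
    """Parse one 'Key=Value Key=Value' line into a NetEvent."""
    fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}
    return NetEvent(
        image=fields["Image"],
        proto=fields["Protocol"].lower(),
        dst_ip=fields["DestinationIp"],
        dst_port=int(fields["DestinationPort"]),
    )


def classify(ev: NetEvent) -> list[str]:
    """Return the rule names an event triggers (empty list when nothing fires)."""
    hits = []
    label = REDLINE_C2.get((ev.dst_ip, ev.dst_port))
    if label:
        hits.append(f"known_c2:{label}")
    elif ev.dst_ip in REDLINE_ADDRS:
        # Same infrastructure, different port: lower confidence, still worth a look.
        hits.append("c2_address_other_port")
    if ev.dst_ip in NYMAIM_C2:
        hits.append("known_c2:nymaim")
    # Mirrors the sandbox signature: DNS-port traffic to a non-configured server.
    if ev.dst_port == 53 and ev.dst_ip not in CONFIGURED_DNS:
        hits.append("unexpected_dns_destination")
    return hits


def scan(log: str) -> list[tuple[NetEvent, list[str]]]:
    """Run every rule over every non-empty line, keeping only the hits."""
    findings = []
    for line in log.splitlines():
        if line.strip():
            ev = parse_event(line)
            hits = classify(ev)
            if hits:
                findings.append((ev, hits))
    return findings


# Constructed sample: four lines mimic the dropped sample's traffic, two are
# ordinary traffic from svchost.exe and a browser.
SAMPLE_LOG = """\
Image=C:\\Users\\victim\\AppData\\Local\\Temp\\0x00070000000139ff-155.exe Protocol=tcp DestinationIp=31.41.244.109 DestinationPort=3590
Image=C:\\Windows\\System32\\svchost.exe Protocol=udp DestinationIp=10.0.0.53 DestinationPort=53
Image=C:\\Users\\victim\\AppData\\Local\\Temp\\0x00070000000139ff-155.exe Protocol=udp DestinationIp=8.8.8.8 DestinationPort=53
Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe Protocol=tcp DestinationIp=93.184.216.34 DestinationPort=443
Image=C:\\Users\\victim\\AppData\\Local\\Temp\\0x00070000000139ff-155.exe Protocol=tcp DestinationIp=212.192.241.16 DestinationPort=80
Image=C:\\Users\\victim\\AppData\\Local\\Temp\\0x00070000000139ff-155.exe Protocol=tcp DestinationIp=185.106.92.235 DestinationPort=8080
"""

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_LOG):
        print(f"{', '.join(hits):32} {ev.image} -> {ev.dst_ip}:{ev.dst_port}/{ev.proto}")
```

Matching RedLine on the full ip:port pair keeps the high-confidence rule tight, while the separate other-port rule catches the operator reusing the same host for a second build; the DNS rule needs the real resolver list or it will fire on every legitimate query.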