General
Target: E3135F01A3B76A91BB1082FD5B53259FE2D59EB6AB550.exe
Size: 2.7MB
Sample: 220821-rk413saefn
MD5: 5dd2b1966b6379a9abcbfe75b750e6e7
SHA1: 29c1b1e24a22513e91af7bb3302991a4ec3c36f8
SHA256: e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
SHA512: 363cc4b21e9c39110e8e7cfe8da183633bab5ced61a58394c6f41c4827ddb58c8998b9385e86da1a9adaeb1da8649c43e6c46efdb98af92e4a4edf09c9227860
SSDEEP: 49152:xcBiPkZVi7iKiF8cUvFyP0/hX4Pl4C+AVMo88hll5PtrKcJ0U8EwJ84vLRaBtIlD:xsri7ixZUvFyP0ZCl+AVMoxDjPtr7+e4
Static task: static1
Behavioral task: behavioral1
Sample: E3135F01A3B76A91BB1082FD5B53259FE2D59EB6AB550.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: E3135F01A3B76A91BB1082FD5B53259FE2D59EB6AB550.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted: redline
Cana01
176.111.174.254:56328
Extracted: vidar
39.5
933
https://olegf9844.tumblr.com/
profile_id: 933
Extracted: redline
Ani
akedauiver.xyz:80
Extracted: redline
LogsDiller Cloud (TG: @mr_golds)
193.233.193.14:8163
auth_value: 4b2de03af6b6ac513ac597c2e6c1ad51
Extracted: redline
FireFire
185.200.242.47:44993
auth_value: b04bc465d7318d111ca211c58d1c8d69
Extracted: redline
nam6.1
103.89.90.61:34589
auth_value: b5784d2217d2fd4ce7dab9bdb9fcaa62
Extracted: tofsee
svartalfheim.top
jotunheim.name
Extracted: redline
ruzki6
176.113.115.146:9582
auth_value: 38e72b9900920c8c7ebdafc46578969c
Targets
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar Stealer
- XMRig Miner payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext