redline

General

Target

a53d50df7fd45816d60dae9008440e5a.exe
Size

12.0MB
Sample

220823-pl6vysheg2
MD5

a53d50df7fd45816d60dae9008440e5a
SHA1

4965f08f4c2013bf1e42c07cc1e10dc4e1d3280a
SHA256

9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b
SHA512

f4bc8bb64e41e99538e499a537ce495883410891604bd7e31e66a06f69761aabb02eaa9a52cf011ed08881f34a6054254440d8b1028ac5546934af05e15a20e2
SSDEEP

196608:cJPNkpvG050OTEK3WaCA/poracPhgviuif28YHr1DGBPrcQcOODq/Os2W2a8l2pa:myP5LTE9cprcPhIa2nrgQQcLDq/OPYpa

Score

10^/10

redline socelars 5 crym nam3 discovery infostealer persistence spyware stealer vmprotect

Malware Config

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/nbsdg818/

Extracted

Family

redline

Botnet

Crym

C2

15.235.171.56:30730

Attributes

auth_value
cbe4e2f707ccba3ef47d8390a845041f

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

5

C2

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Targets

- Target
  
  a53d50df7fd45816d60dae9008440e5a.exe
- Size
  
  12.0MB
- MD5
  
  a53d50df7fd45816d60dae9008440e5a
- SHA1
  
  4965f08f4c2013bf1e42c07cc1e10dc4e1d3280a
- SHA256
  
  9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b
- SHA512
  
  f4bc8bb64e41e99538e499a537ce495883410891604bd7e31e66a06f69761aabb02eaa9a52cf011ed08881f34a6054254440d8b1028ac5546934af05e15a20e2
- SSDEEP
  
  196608:cJPNkpvG050OTEK3WaCA/poracPhgviuif28YHr1DGBPrcQcOODq/Os2W2a8l2pa:myP5LTE9cprcPhIa2nrgQQcLDq/OPYpa
Score

10^/10

redline socelars crym discovery infostealer spyware stealer 5 nam3 persistence vmprotect
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2