General
Target: 0x00070000000126b7-154.dat
Size: 773KB
Sample: 220827-vcpg7sddgm
MD5: 51e7f03ae54c977764c32b0dedf0b9ac
SHA1: 03cf8e81b1b8a96097c9e3da11f925e7dc6819b7
SHA256: 0580678f81e9801e3678c5d4cf1cfe674aa52ce95092e67908d6a7d4192a429b
SHA512: 03ea4d2dd652c3fd858c54cf579c410a12c7296acf222ebad57bcfaea33b71fc411122bc35a7b8ff56cb0254e42a6042fbe6efdb47a97ba61fb6ed15c9931661
SSDEEP: 24576:Wu/phBzW6ZEaA9Wip9TPP+szWC7SORTwrGKcq:LhzJG6E3TCGVq
Behavioral task: behavioral1
Sample: 0x00070000000126b7-154.exe
Resource: win7-20220812-en
Malware Config
Extracted: redline
Botnet: ruzki9
C2: 176.113.115.146:9582
auth_value: 0bc3fe6153667b0956cb33e6a376b53d
Extracted: redline
Botnet: nam6.2
C2: 103.89.90.61:34589
auth_value: 2276f4d8810e679413659a9576a6cdf4
Targets
Target: 0x00070000000126b7-154.dat
Detects Smokeloader packer
RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
YTStealer payload
Detects Phoenix Miner payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext