General

  • Target

    rovwer.exe

  • Size

    38.4MB

  • Sample

    220919-zjg4xsghc9

  • MD5

    7f6bde7964c323190a8e5a54ddfe1646

  • SHA1

    358f7bb03e0d743bf7a900276017c1aa7debcea5

  • SHA256

    e1376d29bc25574d0779428815cb7c4dd52d04d7e55005d2b031f66eaaa12c84

  • SHA512

    2e91e71cdef9e78d1c43cff06fa0120b1dfb61ec0a9e17fb9202fb1072738757aabcf05b5169425d06888f04b3a78dcca84d8fd0400a844e3bc47234261a00fb

  • SSDEEP

    12288:UkxChSElpRh/Alk2ReyATGdBoSNgFKTkjmhFPry83I3LBemU41REa:UkxChSEfQk6eOozFKXFPL3I3LBvUWRL

Malware Config

Extracted

Family

redline

Botnet

Crypt_Cryptex

C2

194.36.177.60:81

Attributes

  • auth_value

    695fd213fb1982a368936f037db38e54

Targets

    • Target

      rovwer.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Detected potential entity reuse from brand microsoft.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
