General
-
Target
c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4
-
Size
280KB
-
Sample
220922-1ae4msccf8
-
MD5
4ae34c82169c259eca08f15555283fcb
-
SHA1
bfe0fcb0cfc75be6906de84ed0733dac0fa2bc0d
-
SHA256
c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4
-
SHA512
0a77108f4931cf26dad2f0364146b115f82a713588a62d00e24e9b70c59a3eb5cd142d72d34904d30dd68e38ef116f5c316e29d56ea86912024976c58d555c24
-
SSDEEP
6144:m1/j0u2A8SLeQr+KK8UrXXqBZzdpuWgH0jQbGaigavwVfwzC:m1Lk6Zr+KKBqT1sYt+
Static task
static1
Behavioral task
behavioral1
Sample
c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
redline
LogsDiller Cloud (Sup: @mr_golds)
77.73.134.27:8163
-
auth_value
56c6f7b9024c076f0a96931453da7e56
Extracted
erbium
http://77.73.133.53/cloud/index.php
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4
-
Size
280KB
-
MD5
4ae34c82169c259eca08f15555283fcb
-
SHA1
bfe0fcb0cfc75be6906de84ed0733dac0fa2bc0d
-
SHA256
c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4
-
SHA512
0a77108f4931cf26dad2f0364146b115f82a713588a62d00e24e9b70c59a3eb5cd142d72d34904d30dd68e38ef116f5c316e29d56ea86912024976c58d555c24
-
SSDEEP
6144:m1/j0u2A8SLeQr+KK8UrXXqBZzdpuWgH0jQbGaigavwVfwzC:m1Lk6Zr+KKBqT1sYt+
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-