General
-
Target
a9d45156d501f8ea58ee9aea58ea98fc6fa47beb32aaea199cf1e5f3b85a530e
-
Size
169KB
-
Sample
220923-n4c5xsgfa9
-
MD5
035ffb57d85d7e9a263da599278306d9
-
SHA1
034d12575b35809dedbe02f7a7b0096375824013
-
SHA256
a9d45156d501f8ea58ee9aea58ea98fc6fa47beb32aaea199cf1e5f3b85a530e
-
SHA512
edd009b59def2c35f7c144b18a9bc511057dd66e237d16363aa3e40b2233b4c21aa44e12c16af6ce4e795b048840fca32886e10986667abf5cb7cbf220410644
-
SSDEEP
3072:UETLJBa5OjJzN0cvwYn01uf4JfnZQIqgO2BuTd/PkW4n:HLrFFNxvwYl4JfiIvO
Static task
static1
Behavioral task
behavioral1
Sample
a9d45156d501f8ea58ee9aea58ea98fc6fa47beb32aaea199cf1e5f3b85a530e.exe
Resource
win10-20220812-en
Malware Config
Extracted
redline
LogsDiller Cloud (Sup: @mr_golds)
77.73.134.27:8163
-
auth_value
56c6f7b9024c076f0a96931453da7e56
Extracted
redline
5.252.118.34:37991
-
auth_value
b5af0cad45273cbce8023bfa93cf0768
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
a9d45156d501f8ea58ee9aea58ea98fc6fa47beb32aaea199cf1e5f3b85a530e
-
Size
169KB
-
MD5
035ffb57d85d7e9a263da599278306d9
-
SHA1
034d12575b35809dedbe02f7a7b0096375824013
-
SHA256
a9d45156d501f8ea58ee9aea58ea98fc6fa47beb32aaea199cf1e5f3b85a530e
-
SHA512
edd009b59def2c35f7c144b18a9bc511057dd66e237d16363aa3e40b2233b4c21aa44e12c16af6ce4e795b048840fca32886e10986667abf5cb7cbf220410644
-
SSDEEP
3072:UETLJBa5OjJzN0cvwYn01uf4JfnZQIqgO2BuTd/PkW4n:HLrFFNxvwYl4JfiIvO
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
XMRig Miner payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Deletes itself
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-