General
Target: 04ddb9f876b3fa3956748135b50d7a9d.exe
Size: 196KB
Sample: 220924-zm5pdsdcer
MD5: 04ddb9f876b3fa3956748135b50d7a9d
SHA1: 8b0fb4d161700a0a03d9d114d494a389848ee07b
SHA256: 2a97eefb81b0234328c6d859fdc1c1177d4850691d31162c8c5708e94a452138
SHA512: 26dae3f269045d55d75ffb0a2d9fd6697e1d32d1483f61eff714dfa19ed1257b960d0e840612456526a2f45eba87f747a4362ce4b39dbdcbde823a47a7578af5
SSDEEP: 3072:5Q0p5LweOX0VFA5YTp3jaZISZocXlzED2zgN81qH0KzBkS/PkkXx:dLw+Vx3GJWD2AVH0
Static task: static1
Behavioral task: behavioral1
  Sample: 04ddb9f876b3fa3956748135b50d7a9d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 04ddb9f876b3fa3956748135b50d7a9d.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: tofsee
  svartalfheim.top
  jotunheim.name
Extracted: redline
  LogsDiller Cloud (TG: @me_golds)
  77.73.134.27:7161
  auth_value: e136da06c7c0400f4091dab1787720ea
Targets
Target: 04ddb9f876b3fa3956748135b50d7a9d.exe
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- XMRig Miner payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext