General
Target: Proton_Vpn.zip
Size: 7.0MB
Sample: 220926-w7h5cabff5
MD5: b8d32cc1185306dcab5a0a5324f3006b
SHA1: 022c5734ebdb43a17f016a9d0f94e291f804ad8a
SHA256: cb4344a40ff9a1ced03b49887adce3f589238e3b74f105bb1221b4c82c6faca0
SHA512: e4c01dfe5d4c470438736c760d934489aa1bc6e48f07efb911e7eb7c088035dfdfa59ce7c77cefcbde4e25f0c050a090963199a0ba5e109177c7078fae3cad95
SSDEEP: 196608:EJGaxC9p7t2Rocl6I5dN/7lrdLtmUR0gcJ3:6Gaxw7t2RHl6I5dND7QZL
Behavioral task: behavioral1
Sample: YukiSoft/Setup.exe
Resource: win7-20220812-en
Malware Config
Extracted: vidar
54.7
1325
https://t.me/trampapanam
https://nerdculture.de/@yoxhyp
profile_id: 1325
Extracted: redline
45.138.74.121:80
auth_value: cff2965e571d2f0e8d57a135895bec2a
Targets
Target: YukiSoft/Setup.exe
Size: 373.3MB
MD5: 7e89690c7da43a1896008b50eb2d740a
SHA1: f4c38cf2aa72509ec1a23a589154672963af6d74
SHA256: 9d5d7b6820676ccd40a1bc3e6f76dec6c4e9a2b268798569560d54f3831ef5e6
SHA512: 024a969620aab21362fea57b7dcc60413ab90d1780d8cd587e8ecd8d6694e75b59e95c3767c4afe51cb7d3d3323cdbef0e699fda6d4fce5f29d1d1e45b0cdcbf
SSDEEP: 98304:G9aA7EIvAkaMxle3xCdpRojk/rgvJGUhG2C1p8rOErgDYXtlAj0ZxqnP:Gf7SkdLsvAUhC2OErgUDo+i
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext