General
Target: e891b42605aed838a3c8e5be6e5bf491.com.exe
Size: 1.3MB
Sample: 221014-pp216sddg4
MD5: 2385e8dfbfb88478214c112b5752da42
SHA1: bcfd36722ac110657b8629359d0a85d91dfc4158
SHA256: 5323dc8bea28e435e02e60851888f0bec221a2e89128443f985a3adc1ff12353
SHA512: 63bb666ff1bb875ed0988fc15963d8ee72b8dd41feb6726d526af0b6cb8bfe89a5cf1a1a20e997dc4e0d05718e9c756e843a2f2bfd78642fa59173e25bf4a007
SSDEEP: 24576:0AOcZ2i7SEOWDLUpG8hCyJV0TB4PQdTr+Mo5pemHI0YuyqC8guTl:iiH8hCoit4Cxo5EmHWqC8n
Static task: static1
Behavioral task: behavioral1
  Sample: e891b42605aed838a3c8e5be6e5bf491.com.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e891b42605aed838a3c8e5be6e5bf491.com.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: remcos
  EXPLORER WDs
  198.23.207.34:2404
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-563ZPZ
  screenshot_crypt: false
  screenshot_flag: true
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: PingPongWD
  take_screenshot_option: false
  take_screenshot_time: 5
Extracted: vjw0rm
  http://129.204.138.203:7974
Extracted: redline
  Grace
  149.56.226.65:5985
Targets
Target: e891b42605aed838a3c8e5be6e5bf491.com.exe
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext