General
-
Target
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
Size
345KB
-
Sample
221017-2f2p9sdfgl
-
MD5
f1d121ab68b439ac310fb79119ffb044
-
SHA1
f952140c206d96843baa79f2e0e8454c07fa683a
-
SHA256
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
SHA512
ca0a381a392f9ac1c2954042759955b50e6c1fa735609ac69710658e51c48191f0d99469847b3ebf3f40ce854cb0595387ad986aeacbb5ebd8d05666746e6d6d
-
SSDEEP
6144:GK5lpVV+1MszHze0x/qgMyy4oh5VyrsyaO6enVX9Pv71L8Er8:Hv1YzeDyy4osa6ljQE
Static task
static1
Behavioral task
behavioral1
Sample
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
Resource
win7-20220812-en
Malware Config
Extracted
redline
875784825
79.137.192.6:8362
Targets
-
-
Target
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
Size
345KB
-
MD5
f1d121ab68b439ac310fb79119ffb044
-
SHA1
f952140c206d96843baa79f2e0e8454c07fa683a
-
SHA256
5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
-
SHA512
ca0a381a392f9ac1c2954042759955b50e6c1fa735609ac69710658e51c48191f0d99469847b3ebf3f40ce854cb0595387ad986aeacbb5ebd8d05666746e6d6d
-
SSDEEP
6144:GK5lpVV+1MszHze0x/qgMyy4oh5VyrsyaO6enVX9Pv71L8Er8:Hv1YzeDyy4osa6ljQE
-
Modifies security service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-