General
- Target: 75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831
- Size: 344KB
- Sample: 221022-17cd1sfag6
- MD5: 3690cf078a73caed866daa16b8736379
- SHA1: e3b003bb6b7cd55934db7adeb8fe7637d3551585
- SHA256: 75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831
- SHA512: d7aa02e12541693abce188a34076fb415ec362fecae72b57702be69651645e75cdd5d59d255317c868ccd3f0b8dd387a19493bebefcb6bdb43be50ef5bf35f5b
- SSDEEP: 6144:/q6LFGh9VpSaYmn9EqgJ/kv4yuoohDR8rxws7VtXLcBFlpSLMCo:/nwnu4Eqkyuoo/iruBFlJ
Static task: static1
Behavioral task: behavioral1
- Sample: 75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831.exe
- Resource: win7-20220901-en
Malware Config
Extracted: redline
- 875784825
- 79.137.192.6:8362
Targets
- Modifies security service
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner payload
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext