General
Target: 595f3bda67bee86af6b606daff3f9930.exe
Size: 6.7MB
Sample: 221027-c6e7hsadam
MD5: 595f3bda67bee86af6b606daff3f9930
SHA1: d94cae37a722981385e0fc09ea8201ed8810a517
SHA256: 7aa17be3b8a5d82c4ffcb0a88cf2a64339c59fceaea5201cf6c7b3c7c906cdc3
SHA512: 5b0e5d42ee2e65ac998d9471287c51d919fdf4888429f7ac5220b2497f60dafd7e1c4078993486d64951893e520d1093e1a72d469c1265a6649be4baed6bf339
SSDEEP: 196608:twFCQ2xNNDtJfHNpasZUqmNcgt2FEz8jZPA:WSNJJftQsZfI0wM2
Static task: static1
Behavioral task: behavioral1
Sample: 595f3bda67bee86af6b606daff3f9930.exe
Resource: win7-20220812-en
Malware Config
Extracted: redline
185.215.113.83:60722
185.215.113.69:15544
auth_value: 6bb5192cbd9d4bb9619ed3f6f8e06498
Extracted: vidar
55.2
1707
https://t.me/slivetalks
https://c.im/@xinibin420
profile_id: 1707
Targets
Target: 595f3bda67bee86af6b606daff3f9930.exe
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner payload
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext