General
-
Target
2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7
-
Size
188KB
-
Sample
221109-xvs98adagq
-
MD5
5c3ac9c46404bb118bb004998d57a0e4
-
SHA1
532c4c1d2059352851d4c99b8b46957c43e132d7
-
SHA256
2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7
-
SHA512
ab412ff8f7cf108ca9c41270a2212d47bbfe3a4fd8725dedd83c6122e40c96abfc5fef47150cdc34301c08c5d2dc9dc784dc01b0b586877657ad38d45b18813a
-
SSDEEP
3072:ryXgqLKU5oRu3NmmL6xbY5ng7RMt8XzhtYbKk5czWVkzbf1TyE/mTH:WgyLLOY5nIkN5eW2DoEOr
Static task
static1
Behavioral task
behavioral1
Sample
2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
raccoon
53508e7dc4e08bd33122d190a04a1200
http://45.15.156.105/
Extracted
redline
Google2
167.235.71.14:20469
-
auth_value
fb274d9691235ba015830da570a13578
Targets
-
-
Target
2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7
-
Size
188KB
-
MD5
5c3ac9c46404bb118bb004998d57a0e4
-
SHA1
532c4c1d2059352851d4c99b8b46957c43e132d7
-
SHA256
2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7
-
SHA512
ab412ff8f7cf108ca9c41270a2212d47bbfe3a4fd8725dedd83c6122e40c96abfc5fef47150cdc34301c08c5d2dc9dc784dc01b0b586877657ad38d45b18813a
-
SSDEEP
3072:ryXgqLKU5oRu3NmmL6xbY5ng7RMt8XzhtYbKk5czWVkzbf1TyE/mTH:WgyLLOY5nIkN5eW2DoEOr
-
Detect Amadey credential stealer module
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-