General
- Target: ROR.exe
- Size: 1.7MB
- Sample: 221111-2tw2yafb91
- MD5: 85ea4565608d2f6c35decb6ed8547749
- SHA1: e15ae6c93c9e998b030609fdf4b3274925694229
- SHA256: f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69
- SHA512: 762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5
- SSDEEP: 24576:WVCrlD3LeNOUaHfxaBXjVId3tgErJsF36RYioPHdo/SQE9AoA5:Wut0jaH5gkxdsF3TPdo/rE9AP
Static task
- static1

Behavioral task
- behavioral1
- Sample: ROR.exe
- Resource: win7-20220812-en

Behavioral task
- behavioral2
- Sample: ROR.exe
- Resource: win10v2004-20220901-en
Malware Config

Extracted: redline
- Botnet: @NoxyCloud
- C2: 85.192.63.57:34210
- auth_value: 20dc074852db65a2b74addf964cf576e

Extracted: vidar
- Version: 55.6
- Botnet: 1754
- C2: https://t.me/seclab_new
- C2: https://github.com/smbfhrgc
- profile_id: 1754
Targets

- Target: ROR.exe
- Size: 1.7MB
- MD5: 85ea4565608d2f6c35decb6ed8547749
- SHA1: e15ae6c93c9e998b030609fdf4b3274925694229
- SHA256: f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69
- SHA512: 762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5
- SSDEEP: 24576:WVCrlD3LeNOUaHfxaBXjVId3tgErJsF36RYioPHdo/SQE9AoA5:Wut0jaH5gkxdsF3TPdo/rE9AP

Signatures
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext