General

- Target: 127a94e7fb165ff5d8cd5746629307e83786942be88bf7afcc89e370532221e4
- Size: 174KB
- Sample: 221113-pen2kabb52
- MD5: 98b981184838c8bf3f08408841fcaa0d
- SHA1: 87f9e982b0b5e79d5942c40243fccadc4c045363
- SHA256: 127a94e7fb165ff5d8cd5746629307e83786942be88bf7afcc89e370532221e4
- SHA512: 4186fe4ef788b40c80b4667a6d9c56b631d27414940ff9a58635f31acb4b75ae817d5ccc32935da715376ee6595efd43b39cbde538ea4f0f10be635ce66d4212
- SSDEEP: 3072:UM4eHHDhLcpFN2Y/zRpMgEsufJZYHsdG3xRrC:NtlLSFN28YgRBMdGv
- Static task: static1
- Behavioral task: behavioral1
- Sample: 127a94e7fb165ff5d8cd5746629307e83786942be88bf7afcc89e370532221e4.exe
- Resource: win10-20220901-en
Malware Config

Extracted: redline
- 123
- 78.153.144.3:2510
- auth_value: cd6abb0af211bce081d7bf127cc26835

Extracted: redline
- Google2
- 167.235.71.14:20469
- auth_value: fb274d9691235ba015830da570a13578
Targets

- Target: 127a94e7fb165ff5d8cd5746629307e83786942be88bf7afcc89e370532221e4
- Size: 174KB
- MD5: 98b981184838c8bf3f08408841fcaa0d
- SHA1: 87f9e982b0b5e79d5942c40243fccadc4c045363
- SHA256: 127a94e7fb165ff5d8cd5746629307e83786942be88bf7afcc89e370532221e4
- SHA512: 4186fe4ef788b40c80b4667a6d9c56b631d27414940ff9a58635f31acb4b75ae817d5ccc32935da715376ee6595efd43b39cbde538ea4f0f10be635ce66d4212
- SSDEEP: 3072:UM4eHHDhLcpFN2Y/zRpMgEsufJZYHsdG3xRrC:NtlLSFN28YgRBMdGv
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext