General
-
Target
595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a.exe
-
Size
199KB
-
Sample
221114-1mtgssdg88
-
MD5
24aefc511e8782b3560e2ac1b6848992
-
SHA1
86853f21538d72f43a07504662fe9b2b1718bfde
-
SHA256
595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a
-
SHA512
860c016caf49ddd91cc425811b718a196b54afae4418fa91813141b87dd542795cb50d43dccf5007ecad88c2154875dc32b60e71282439de3cfebcc95464d6b3
-
SSDEEP
3072:YF8XLVpJVntILIeKLOqbn/nRgDGOxMjHhQQE3K/AlxwV:YmHJALkOQ/WdyjG37xw
Static task
static1
Behavioral task
behavioral1
Sample
595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
redline
418736246_99
mechanikal.top:3306
mechanikal.top:28786
-
auth_value
de0e3c583832e10f3a5332419d78aac0
Extracted
redline
rozena1114
jalocliche.xyz:81
chardhesha.xyz:81
-
auth_value
9fefd743a3b62bcd7c3e17a70fbdb3a8
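The two extracted configs above are the actionable part of this report: botnet ID, C2 host:port pairs and a per-build auth_value. The following script, an added example that is not part of the sandbox report, turns them into a host/port IOC table, checks that the file hashes were transcribed intact (a truncated or mistyped hash never matches anything), and runs the table over a few constructed DNS and proxy log lines. The log lines and the log format are made up for the example; the configs and hashes are copied from the report.

```python
"""IOC handling for the two RedLine configs extracted above.

Added example, not part of the sandbox report: the configs and hashes are
copied from the report; the log lines are constructed to exercise the matcher.
"""
import re
from collections import defaultdict

# Extracted RedLine configs as listed in the report: botnet ID, C2 list, auth_value.
REDLINE_CONFIGS = [
    {"botnet": "418736246_99",
     "c2": ["mechanikal.top:3306", "mechanikal.top:28786"],
     "auth_value": "de0e3c583832e10f3a5332419d78aac0"},
    {"botnet": "rozena1114",
     "c2": ["jalocliche.xyz:81", "chardhesha.xyz:81"],
     "auth_value": "9fefd743a3b62bcd7c3e17a70fbdb3a8"},
]

# File hashes from the report, used to check they were transcribed intact.
HASHES = {
    "md5": "24aefc511e8782b3560e2ac1b6848992",
    "sha1": "86853f21538d72f43a07504662fe9b2b1718bfde",
    "sha256": "595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a",
    "sha512": "860c016caf49ddd91cc425811b718a196b54afae4418fa91813141b87dd542795cb50d43dccf5007ecad88c2154875dc32b60e71282439de3cfebcc95464d6b3",
}

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_hashes(hashes):
    """Return the names of hashes that are not lowercase hex of the expected length."""
    return [name for name, value in hashes.items()
            if len(value) != HEX_LEN[name] or not re.fullmatch(r"[0-9a-f]+", value)]


def build_iocs(configs):
    """Map each C2 host to {port: botnet_id}; one host may serve several ports."""
    iocs = defaultdict(dict)
    for cfg in configs:
        for c2 in cfg["c2"]:
            host, _, port = c2.rpartition(":")
            iocs[host.lower()][int(port)] = cfg["botnet"]
    return dict(iocs)


# host[:port] tokens; the TLD must be alphabetic so bare IPs and timestamps are skipped.
HOSTPORT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?::(\d{1,5}))?")


def match_line(line, iocs):
    """Return (host, port, botnet, exact_port) for the first C2 hit in a log line.

    A DNS log carries no port, and a changed port on a known host is still a hit,
    so such lines are reported with exact_port=False rather than dropped.
    """
    for host, port in HOSTPORT.findall(line.lower()):
        if host not in iocs:
            continue
        ports = iocs[host]
        if port and int(port) in ports:
            return host, int(port), ports[int(port)], True
        return host, (int(port) if port else None), next(iter(ports.values())), False
    return None


def scan(lines, iocs):
    """Return [(line_index, match)] for every log line that touches a C2."""
    hits = []
    for i, line in enumerate(lines):
        m = match_line(line, iocs)
        if m:
            hits.append((i, m))
    return hits


# Constructed DNS/proxy log lines, not from the sandbox run.
SAMPLE_LOGS = [
    "2022-11-14T10:01:22Z dns client=10.0.0.7 qname=mechanikal.top qtype=A",
    "2022-11-14T10:01:23Z proxy client=10.0.0.7 dst=mechanikal.top:28786 action=allow",
    "2022-11-14T10:02:05Z proxy client=10.0.0.9 dst=jalocliche.xyz:81 action=allow",
    "2022-11-14T10:02:06Z proxy client=10.0.0.9 dst=example.com:443 action=allow",
]

if __name__ == "__main__":
    assert not validate_hashes(HASHES), "hash transcription error"
    for idx, (host, port, botnet, exact) in scan(SAMPLE_LOGS, build_iocs(REDLINE_CONFIGS)):
        print(f"line {idx}: {host}:{port} -> RedLine botnet {botnet} (exact port: {exact})")
```

The matcher keys on the host, not the host:port pair, because RedLine operators rotate ports far more often than domains and a DNS log has no port at all; the port is only used to tell an exact C2 hit from a host-only hit. The auth_value is kept in the table for correlation with other samples but is not a network indicator.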
Targets
-
Target
595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a.exe
-
Size
199KB
-
MD5
24aefc511e8782b3560e2ac1b6848992
-
SHA1
86853f21538d72f43a07504662fe9b2b1718bfde
-
SHA256
595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a
-
SHA512
860c016caf49ddd91cc425811b718a196b54afae4418fa91813141b87dd542795cb50d43dccf5007ecad88c2154875dc32b60e71282439de3cfebcc95464d6b3
-
SSDEEP
3072:YF8XLVpJVntILIeKLOqbn/nRgDGOxMjHhQQE3K/AlxwV:YmHJALkOQ/WdyjG37xw
-
Detects Amadey credential stealer module
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
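Three of the signatures above (location settings, installed software, Outlook profiles) are registry lookups, which makes them easy to re-check against a raw registry trace from any sandbox or from Sysmon. The script below is an added example, not the sandbox's own rule set: the key paths each signature is assumed to look for (Control Panel\International\Geo, the Uninstall key and its WOW6432Node twin, Office\<version>\Outlook\Profiles), the per-rule thresholds and the event line format are all assumptions made for the example, and the event lines are constructed rather than taken from this run.

```python
"""Registry-based behaviour signatures from the report, re-implemented over
sandbox registry events.

Added example, not the sandbox's own rules: the key paths are assumptions
about what each signature looks for, and the event lines are constructed.
"""
import re
from collections import Counter

HIVES = {
    "hkey_current_user": "hkcu",
    "hkey_local_machine": "hklm",
    "hkey_users": "hku",
    "hkey_classes_root": "hkcr",
}

# (signature name as the report words it, regex over the normalized key path, minimum events)
# Thresholds are assumptions: one touch of the Geo key is enough, while a single
# Uninstall open is common and only repeated enumeration is worth flagging.
RULES = [
    ("Checks computer location settings",
     re.compile(r"^hkcu\\control panel\\international\\geo(?:\\|$)"), 1),
    ("Checks installed software on the system",
     re.compile(r"^hklm\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\uninstall(?:\\|$)"), 3),
    ("Accesses Microsoft Outlook profiles",
     re.compile(r"^hkcu\\software\\microsoft\\office\\[0-9.]+\\outlook\\profiles(?:\\|$)"), 1),
]

# Constructed event format: "<RegApi> pid=<n> key=<path>".
EVENT = re.compile(r"^(?P<op>Reg\w+)\s+pid=(?P<pid>\d+)\s+key=(?P<key>.+?)\s*$")


def normalize_key(path):
    """Lower-case, unify slashes and abbreviate the hive so the rules stay short."""
    path = path.strip().lower().replace("/", "\\")
    hive, sep, rest = path.partition("\\")
    return HIVES.get(hive, hive) + sep + rest


def parse_event(line):
    """Parse one event line into (op, pid, normalized key), or None if it is not one."""
    m = EVENT.match(line)
    if not m:
        return None
    return m["op"], int(m["pid"]), normalize_key(m["key"])


def evaluate(lines):
    """Return {signature: event count} for every rule whose threshold is reached."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern, _ in RULES:
            if pattern.search(ev[2]):
                counts[name] += 1
    return {name: counts[name] for name, _, minimum in RULES if counts[name] >= minimum}


SAMPLE_EVENTS = [  # constructed; not the report's own trace
    r"RegQueryValueEx pid=2284 key=HKEY_CURRENT_USER\Control Panel\International\Geo\Nation",
    r"RegOpenKeyEx pid=2284 key=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"RegEnumKeyEx pid=2284 key=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
    r"RegEnumKeyEx pid=2284 key=HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome",
    r"RegOpenKeyEx pid=2284 key=HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
    r"RegQueryValueEx pid=2284 key=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    "not a registry event",
]

if __name__ == "__main__":
    for name, n in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {n} event(s)")
```

The Uninstall rule deliberately needs several events: installers and updaters open that key legitimately, and what distinguishes a stealer is walking the subkeys to inventory the host. The other two keys are rarely read by ordinary software, so a single access is enough to fire.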