General
- Target: 99e0aa316be4068244b32eacf062d244b9830118cf3d51d1e4b3f27426860c31
- Size: 207KB
- Sample: 221114-yf5v5shf3v
- MD5: 4d4ff8734463c0fb9d0002edb790ef00
- SHA1: b3636ca5fb876ddc1e08c82f5ae775334d4deccb
- SHA256: 3ef9ffb018acace3549fca087be24bf0357a1449c00ca6204ccf8bff49430e04
- SHA512: adec5158041b31ae9f32add90c025772bbacd8542e002a1a1fc96d8f7ca4e8a3bcd5d71c7adc0f5d8e6572d79108ccb3b493d0362dd806cec0f80706a2a84d38
- SSDEEP: 6144:9EMrkc1KyHsWOyiYit++90Z+UY+4pOD6+Kwshog:9xHsdxYH+M+m44D6+Kwshog
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 99e0aa316be4068244b32eacf062d244b9830118cf3d51d1e4b3f27426860c31.exe
  - Resource: win7-20220812-en
- Behavioral task: behavioral2
  - Sample: 99e0aa316be4068244b32eacf062d244b9830118cf3d51d1e4b3f27426860c31.exe
  - Resource: win10v2004-20220812-en
Malware Config
- Extracted: redline
  - Botnet: rozena1114
  - C2: jalocliche.xyz:81
  - C2: chardhesha.xyz:81
  - auth_value: 9fefd743a3b62bcd7c3e17a70fbdb3a8
- Extracted: redline
  - C2: 45.15.156.37:110
  - auth_value: 19cd76dae6d01d9649fd29624fa61e51
Targets
- Target: 99e0aa316be4068244b32eacf062d244b9830118cf3d51d1e4b3f27426860c31
- Size: 308KB
- MD5: c4393c6d88954cd6324200e23dea8bd2
- SHA1: 20db80d76140cf09171e8f129f057a3a98e86c55
- SHA256: 99e0aa316be4068244b32eacf062d244b9830118cf3d51d1e4b3f27426860c31
- SHA512: d7cc17ad0c8bfa8b48a8ecc57d8093ecf92f74c840e33032b5f7d2ffe450da5abcf9bb4b5ff158f41a44d218ebca72c9fa42f2c9a226b98aa018fcd3a22fdf24
- SSDEEP: 6144:vTYqLfjOll8VR8GOED7Od54/0yuTPe2KT/Ns3v0En2E1a:vTbLjOlwLL/O74yeJNs3v0Uv

Signatures
- Detects Smokeloader packer
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext