General

Target: 316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc
Size: 186KB
Sample: 221123-mhxrrshd5x
MD5: b4b3c331cbf6fa5ad8cc37e1718a05e3
SHA1: 812ccd9ebd7fa07689992b6bf062d10acd77222e
SHA256: 316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc
SHA512: 11bb4fb30dec201cb0353e095dde306fb151e9fab8e6f3ca60f94ca7d8ebff2d96d0cc7bb017c95cf7d640ae9fbd71d67a4f9eb01895eebefd9911421aee97ab
SSDEEP: 3072:rSBJnYovRlQ1LxSwxWW8lD65qUSS7Kwb7W/9sUI2ASscAsAm:MnJsLxSwx98R/QKwb79U1AqA

Static task: static1
Behavioral task: behavioral1
Sample: 316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc.exe
Resource: win10-20220812-en
Malware Config

Extracted: redline
KRIPT
212.8.246.157:32348
auth_value: 80ebe4bab7a98a7ce9c75989ff9f40b4

Extracted: redline
185.215.113.83:60722
auth_value: 674feb1d15af397f9322eb62587035b3

Extracted: amadey
3.50
193.56.146.174/g84kvj4jck/index.php
Targets

Target: 316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc
Size: 186KB
- Detects Smokeloader packer
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext