General
Target: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
Size: 184KB
Sample: 221123-y6h43aca54
MD5: 745ab96229559ac6ac795abd9c187dc8
SHA1: 09063335c742542a09942eb7a571a89c9589464d
SHA256: 3b80fa2b154e80fb2ff7bb1e9f901005f7e7dff5bd98c84562ec2857366ad825
SHA512: 772702acba457daec9adfa243b3682996fad288e8455ad5d1318e706f1beff39f3d462132a9ce73cf4278179786a255341e16bfe5ed7155261f5dffa6a601e9d
SSDEEP: 3072:MQaYecJc+mkE2nNWEcmqzGJXxggE/426iYnzLW4OcG5dRfHnjt57gEIXR/Fs:MQaYNmkJnNWEc9zoXxm4XzLNOcWPfHnp
Static task: static1
Behavioral task: behavioral1
  Sample: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted
  Family: amadey
  Version: 3.50
  C2: 193.56.146.174/g84kvj4jck/index.php
  C2: 185.246.221.126/i4kvjd3xc/index.php
Extracted
  Family: redline
  Botnet: novr
  C2: 31.41.244.14:4694
  Attributes:
    auth_value: 34ddf4eb9326256f20a48cd5f1e9b496
Extracted
  Family: redline
  Botnet: @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
  C2: 151.80.89.233:13553
  Attributes:
    auth_value: fbee175162920530e6bf470c8003fa1a
Extracted
  Family: redline
  Botnet: Variant01
  C2: 51.89.199.106:41383
  Attributes:
    auth_value: f9edc1d0874114c97679c32d442c2c61
Extracted
  Family: netwire
  C2: alice2019.myftp.biz:3360
  Attributes:
    activex_autorun: false
    copy_executable: false
    delete_original: false
    host_id: Fs_Spread_0001
    keylogger_dir: %AppData%\Logs\
    lock_executable: false
    offline_keylogger: true
    password: Password
    registry_autorun: false
    use_mutex: false
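The extracted configs above are the actionable part of this report: two Amadey HTTP C2 URLs, three RedLine TCP C2 endpoints and one NetWire endpoint on a dynamic-DNS name. The script below is an added example, not part of the sandbox report or any of these malware families' code. It normalises those six strings into indicators and checks them against constructed proxy, firewall and DNS records in a simple key=value format (the log lines, the field names `dst`, `dport`, `host`, `path`, `qname` and `type`, and the private source address are all assumptions made for the example). Amadey is matched on host plus path, since `/index.php` alone would be noisy; RedLine on host plus port, because the C2 is a raw TCP service; NetWire on the DNS name wherever it appears, because the address behind `alice2019.myftp.biz` can change after the sandbox run.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the extracted configs in the report above:
# host/path for the Amadey HTTP C2s, host:port for the RedLine and NetWire TCP C2s.
EXTRACTED_C2 = {
    "amadey": ["193.56.146.174/g84kvj4jck/index.php",
               "185.246.221.126/i4kvjd3xc/index.php"],
    "redline": ["31.41.244.14:4694", "151.80.89.233:13553",
                "51.89.199.106:41383"],
    "netwire": ["alice2019.myftp.biz:3360"],
}


@dataclass(frozen=True)
class Indicator:
    family: str
    host: str                   # IP literal or DNS name, lower-cased
    port: Optional[int] = None  # None: any port (Amadey config carries no port)
    path: Optional[str] = None  # None: any path (non-HTTP C2)


def parse_c2(family: str, value: str) -> Indicator:
    """Normalise one extracted C2 string ("host[:port][/path]") into an Indicator."""
    host, _, rest = value.partition("/")
    path = "/" + rest if rest else None
    port = None
    if ":" in host:
        host, port_str = host.rsplit(":", 1)
        port = int(port_str)
    return Indicator(family, host.lower(), port, path)


INDICATORS = [parse_c2(fam, v) for fam, vals in EXTRACTED_C2.items() for v in vals]

# Constructed log records for the example (not from the sandbox run): a proxy
# log with Host/path, a firewall log with dst/dport, and a DNS query log.
SAMPLE_LOGS = [
    "ts=2022-11-23T10:01:02Z type=proxy src=10.0.0.5 dst=193.56.146.174 dport=80 "
    "host=193.56.146.174 path=/g84kvj4jck/index.php",
    "ts=2022-11-23T10:01:05Z type=proxy src=10.0.0.5 dst=93.184.216.34 dport=80 "
    "host=example.com path=/index.php",
    "ts=2022-11-23T10:01:09Z type=fw src=10.0.0.5 dst=151.80.89.233 dport=13553 proto=tcp",
    "ts=2022-11-23T10:01:11Z type=fw src=10.0.0.5 dst=151.80.89.233 dport=443 proto=tcp",
    "ts=2022-11-23T10:01:15Z type=dns src=10.0.0.5 qname=ALICE2019.myftp.biz qtype=A",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Split a key=value log line into a dict (assumed record format)."""
    return dict(KV_RE.findall(line))


def match_record(rec: dict, indicators=INDICATORS) -> list:
    """Return every Indicator the record matches, with family-appropriate strictness."""
    hits = []
    # Fields that can name the peer: destination IP, HTTP Host header, DNS query name.
    names = {rec.get(k, "").lower() for k in ("dst", "host", "qname")} - {""}
    port = int(rec["dport"]) if "dport" in rec else None
    for ind in indicators:
        if ind.host not in names:
            continue
        # A DNS lookup of a C2 name is a hit on its own: no port or path to compare.
        if rec.get("type") == "dns":
            hits.append(ind)
            continue
        if ind.port is not None and port != ind.port:
            continue                       # same server, different service
        if ind.path is not None and rec.get("path") != ind.path:
            continue                       # generic /index.php elsewhere is not Amadey
        hits.append(ind)
    return hits


def scan(lines) -> list:
    """Return (line_number, family, host) for every record that matches an indicator."""
    out = []
    for n, line in enumerate(lines, 1):
        for ind in match_record(parse_record(line)):
            out.append((n, ind.family, ind.host))
    return out


if __name__ == "__main__":
    for n, family, host in scan(SAMPLE_LOGS):
        print(f"line {n}: {family} C2 contact -> {host}")
```

Running it flags lines 1, 3 and 5 only: the `example.com` request shares the `/index.php` path but not the host, and the second connection to 151.80.89.233 goes to 443 rather than the configured RedLine port, so neither is reported. When reusing the indicators outside this example, treat the `auth_value` fields as bot-side credentials rather than network indicators, and expect the IP-based ones to age faster than the dynamic-DNS name.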
Targets
Target: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
Size: 244KB
MD5: 529dd7d863272e41eb4e8319861ac846
SHA1: 3efb8f465ebcbfe0ea2b36aa4e0021f1c26a9a38
SHA256: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
SHA512: 89892f6afabbd558fc84787e2f2aee93ddf048997b343150ed9e0fe8c033236d8f0ac2c167685a48fa5dd686ba2f8a1394b02a875b6e3e3b7cc31e611c16d740
SSDEEP: 6144:wuTL+CSPjWEbvxm4XHLNOcWPfJnj7zIo3B2:wuT7SP/bvYE51WPfVjwIB2
- Detect Amadey credential stealer module
- NetWire RAT payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger