General
Target: c29d669344e0afd40f8633d838c4db137afdfb532b0ad13b88ca68f7bcaa6f46
Size: 187KB
Sample: 221124-q3jmesbh4t
MD5: 51d2d06c7f11d0bd41aa3293d0e2cb8f
SHA1: 68cedfd617feaaaf5e4b25c0ea0669aa9ed245f2
SHA256: c29d669344e0afd40f8633d838c4db137afdfb532b0ad13b88ca68f7bcaa6f46
SHA512: 93a6e31477cb21f8dbad0161f3969b2aaa3d6608e786e6e65d69b2f5a858cd47c620485e27987e73c389ce960676ec18f7d524b0c2e2ff29b04122bd99445994
SSDEEP: 3072:msKDuIEwcRAV4CbpLDH7acTGP5IeDa0Z2MwJdHhWskm2ifG2+QJVAdHWF5tGWFfB:kDIwoGpLDH+cEPw7h/NBfyQUHWF5wDG

Static task: static1
Behavioral task: behavioral1
Sample: c29d669344e0afd40f8633d838c4db137afdfb532b0ad13b88ca68f7bcaa6f46.exe
Resource: win10-20220901-en

Malware Config
Extracted: amadey 3.50
- 193.56.146.174/g84kvj4jck/index.php
- 193.56.146.194/h49vlBP/index.php
- 1h3art.me/i4kvjd3xc/index.php

Extracted: redline (KRIPT)
- 212.8.246.157:32348
- auth_value: 80ebe4bab7a98a7ce9c75989ff9f40b4
Targets
- Detects Smokeloader packer
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext