General
- Target: 853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb
- Size: 4.2MB
- Sample: 221125-17m6hsah57
- MD5: 80bee79571b9d0d023f231814814ed5c
- SHA1: 74f91dfcde28ede04a31ac7387119d6d1ae72dcc
- SHA256: 853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb
- SHA512: 8f66f5fc26a07e93b48324b93df73d35fcedd685ccbb2409a5cb1136eb555afc448aa922be18472ff952443d0b0a095d315ac1d4f2ae2c526154bb2698716ec0
- SSDEEP: 98304:pHX0g2E6BJH8lFEP6H7bvLupQsbJc+BNrTD5E7vqsD:pHEg2E6fH88MSpQsNc+TrxYvqs
Static task: static1
Behavioral task: behavioral1
- Sample: 853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb.exe
- Resource: win10-20220812-en
Malware Config
Extracted: redline
- @rigafox
- 193.56.146.20:15490
- auth_value: 26aae7097c398fbc9b5d4a08a99ab985
Targets
- Target: 853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Modifies security service
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of SetThreadContext