General
-
Target
119cff9d23a95a710c99b9cf5d5365bf3921028d3a8ff7a2aca3b919072af4a2
-
Size
147KB
-
Sample
221126-pnejgsfg3y
-
MD5
59dc37ca194d7ccbfb7466815949cab3
-
SHA1
b8ce1b5fca030a5c1cdb166cb3efb5f10db7fab0
-
SHA256
119cff9d23a95a710c99b9cf5d5365bf3921028d3a8ff7a2aca3b919072af4a2
-
SHA512
2634c01ba06af291b505cde40e88f9b998095e98ff136a6a995d2c27b90d99cdb97a83d9c86013d4b775e27257aacf89710364de00bf64e7cb544331968aeaee
-
SSDEEP
3072:bANWy/mK+Vv5JII7n4wHI8DL3FekEyPeSJHE2mQ:WH/3++idDL3FhPDXmQ
Static task
static1
Behavioral task
behavioral1
Sample
119cff9d23a95a710c99b9cf5d5365bf3921028d3a8ff7a2aca3b919072af4a2.exe
Resource
win10-20220812-en
Malware Config
Extracted
redline
KRIPT
212.8.246.157:32348
-
auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4
Extracted
redline
79.137.192.9:19788
-
auth_value
893f96bcbb13a0a44692475d92c48cfc
Extracted
redline
newlogs
77.73.133.70:38819
-
auth_value
05a73a1692c3aebb2a26f1a593237a77
Targets
-
-
Target
119cff9d23a95a710c99b9cf5d5365bf3921028d3a8ff7a2aca3b919072af4a2
-
Size
147KB
-
MD5
59dc37ca194d7ccbfb7466815949cab3
-
SHA1
b8ce1b5fca030a5c1cdb166cb3efb5f10db7fab0
-
SHA256
119cff9d23a95a710c99b9cf5d5365bf3921028d3a8ff7a2aca3b919072af4a2
-
SHA512
2634c01ba06af291b505cde40e88f9b998095e98ff136a6a995d2c27b90d99cdb97a83d9c86013d4b775e27257aacf89710364de00bf64e7cb544331968aeaee
-
SSDEEP
3072:bANWy/mK+Vv5JII7n4wHI8DL3FekEyPeSJHE2mQ:WH/3++idDL3FhPDXmQ
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-