General
Target: o35IyQKf1OWr.exe
Size: 1.2MB
Sample: 221129-s7p14sff3v
MD5: 0157de5a2bc0a4a3ee44ce3a604b5a08
SHA1: 8728fd4dca74a8ae0a28d0e2fb99b2727bd1b278
SHA256: 235c44be3c65568e1550596182f0fe3b1b3540c95b62e63a00e2a4853c561b2c
SHA512: 4dacc34bf5215de1add50d7b7332b1eaa15c0074ceb8d9fc02bfca530910333090573b39b9f7635d312aaaf6e732436d779cef39b292b51ee4082f1e68b3786a
SSDEEP: 24576:MqoHvJlD2PGnBVrXTnuePJmt909gfuUNeye4Mrs:M1H2iBZXxPcTCgfHpeJs
Static task: static1
Behavioral task: behavioral1
Sample: o35IyQKf1OWr.exe
Resource: win10-20220812-en
Malware Config

Extracted: redline
RAMSES
77.73.134.54:19123
auth_value: 3ba0ecb99f540fa197be387c2d886b1f

Extracted: redline
Main
109.206.243.58:81
auth_value: 8d4fa15b87cebd556cbb5208a3db0fdc

Extracted: remcos
Main
109.206.243.58:4541
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 15
connect_interval: 3
copy_file: jdk.exe
copy_folder: Java
delete_file: true
hide_file: true
hide_keylog_file: false
install_flag: false
install_path: %UserProfile%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Main-IJCWI4
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Java Updater
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: o35IyQKf1OWr.exe
Size: 1.2MB
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of SetThreadContext