General
- Target: 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361
- Size: 186KB
- Sample: 221201-q79z6shd3x
- MD5: 98e9926dc94f2e19a162caa2f69c0923
- SHA1: b5780ca5951d762f73b3df1ec77f6b0b13aeb970
- SHA256: 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361
- SHA512: c966e8f8502d8311e0f6b8c4d5fc14285a05f416889389cd1378e03ccf4118c1e39fdcfd018b7e8bec8204374201e31733d8bbdaff733c511302b1b448be2d1f
- SSDEEP: 3072:1lYYMWAkYsG5y3j6/XwSYcLpsGPqqi3zfSDAbEaqd:OkYsj3j6YSYcLKGPqrjf3Ea0
Static task: static1
Behavioral task: behavioral1
- Sample: 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted: amadey
- Version: 3.50
- C2: 62.204.41.252/nB8cWack3/index.php
Extracted: redline
- Botnet: @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
- C2: 151.80.89.233:13553
- auth_value: fbee175162920530e6bf470c8003fa1a
Extracted: redline
- Botnet: Lege
- C2: 31.41.244.14:4694
- auth_value: 096090aaf3ba0872338140cec5689868
Targets
- Target: 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361
  - Size: 186KB
  - MD5: 98e9926dc94f2e19a162caa2f69c0923
  - SHA1: b5780ca5951d762f73b3df1ec77f6b0b13aeb970
  - SHA256: 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361
  - SHA512: c966e8f8502d8311e0f6b8c4d5fc14285a05f416889389cd1378e03ccf4118c1e39fdcfd018b7e8bec8204374201e31733d8bbdaff733c511302b1b448be2d1f
  - SSDEEP: 3072:1lYYMWAkYsG5y3j6/XwSYcLpsGPqqi3zfSDAbEaqd:OkYsj3j6YSYcLKGPqrjf3Ea0
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
-