General
- Target: FINAL.exe
- Size: 13.2MB
- Sample: 221217-ca46rsga43
- MD5: 8c9180cfa2862e68b9beaf9b9e14a1c2
- SHA1: 09011f6b0b5d48e9bb61e65f10872fe4b344f66a
- SHA256: b8e6b01b8e7598bd8b01bedfe1232eb936a12f852a90a3a545bc2af7e4667c43
- SHA512: 4657b171e3594370a8c9086bd2436b5ec7deaba73975856baafce4391582c6ce45d0820922706e0de3346bb85ffe8854fe419baa88a6cca83b94d67214bdf6c3
- SSDEEP: 196608:7+ww4z5xjkyIte8YHX0QoLPT7M18ZKhib/sV83V+Uj3iI9NeTA4cxXD4JF:7+x4FSyI88Ekprw1/f8R3roTAY
Static task
- static1
Behavioral task
- behavioral1: Sample FINAL.exe, Resource win7-20220812-en
Behavioral task
- behavioral2: Sample FINAL.exe, Resource win10v2004-20221111-en
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0.0
- windowsfirewall
- C2: xmarvel.ddns.net:4782
- C2: 2.58.56.188:4782
- hMAbT9pppBWPnLDPSK
- encryption_key: iZ94RsK8uKM1BvRnYlBk
- install_name: wfmsc.exe
- log_directory: Logs
- reconnect_delay: 1
- startup_key: windowsdefender
- subdirectory: windowsfirewall
Targets
- Target: FINAL.exe
- Size: 13.2MB
- MD5: 8c9180cfa2862e68b9beaf9b9e14a1c2
- SHA1: 09011f6b0b5d48e9bb61e65f10872fe4b344f66a
- SHA256: b8e6b01b8e7598bd8b01bedfe1232eb936a12f852a90a3a545bc2af7e4667c43
- SHA512: 4657b171e3594370a8c9086bd2436b5ec7deaba73975856baafce4391582c6ce45d0820922706e0de3346bb85ffe8854fe419baa88a6cca83b94d67214bdf6c3
- SSDEEP: 196608:7+ww4z5xjkyIte8YHX0QoLPT7M18ZKhib/sV83V+Uj3iI9NeTA4cxXD4JF:7+x4FSyI88Ekprw1/f8R3roTAY
- Quasar payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext