General
-
Target
RustExternal_nls..scr
-
Size
658KB
-
Sample
230121-chntraad33
-
MD5
556084cf64aec63e0babdf10a61afaa6
-
SHA1
b7fa21295db0657d1767c05bb440b218cecdf521
-
SHA256
d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab
-
SHA512
6c896594ea47228f71f1dea7d9fd9f9842b5f178748a39c785ded34fb9dfd574c9bd781f1f65176e436453257078255803d729b79d823c01c6629fddfb3ce33e
-
SSDEEP
12288:LC/74rdbHgVBnqvFprkrUolVATWZXYm7ljg9hG80NEKXo1Y1UHC+O:LC/UGTWrkrUovUKfhkQNEwUnO
Static task
static1
Behavioral task
behavioral1
Sample
RustExternal_nls..scr
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
RustExternal_nls..scr
Resource
win10v2004-20221111-en
Malware Config
Extracted
redline
Muckk
3.66.213.216:60782
Extracted
asyncrat
0.5.7B
WHostProjess
95.70.151.185:8805
WHostProjess
-
delay
3
-
install
false
-
install_file
WHostProjess
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
UWUISCOMIC
20.100.196.69:9281
UWUISCOMIC
-
delay
3
-
install
false
-
install_file
DerenderScuriry
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
DefenderSmartScren
217.64.31.3:8437
DefenderSmartScren
-
delay
3
-
install
false
-
install_file
SecurityHealtheurvice.exe
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
System Guard Runtime
85.105.88.221:2531
System Guard Runtime
-
delay
3
-
install
false
-
install_file
System Guard Runtime
-
install_folder
%AppData%
Targets
-
-
Target
RustExternal_nls..scr
-
Size
658KB
-
MD5
556084cf64aec63e0babdf10a61afaa6
-
SHA1
b7fa21295db0657d1767c05bb440b218cecdf521
-
SHA256
d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab
-
SHA512
6c896594ea47228f71f1dea7d9fd9f9842b5f178748a39c785ded34fb9dfd574c9bd781f1f65176e436453257078255803d729b79d823c01c6629fddfb3ce33e
-
SSDEEP
12288:LC/74rdbHgVBnqvFprkrUolVATWZXYm7ljg9hG80NEKXo1Y1UHC+O:LC/UGTWrkrUovUKfhkQNEwUnO
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-