General

Target: LibreOffice_7.4.3_Win_x64.iso
Size: 300.4MB
Sample: 230126-eq4ahsdh7v
MD5: 5f8e85eb1beed28c3b9c89e588f97b86
SHA1: f9d5736005eb7b53639e1d9c21eaba84d58ff624
SHA256: 4db1e1b89c6750b4e1b1fad00652b669fe03e8bef93711c46b6752c08466adbd
SHA512: a900a2a7577b4c354fc033e8cd9113bd270e649cee7ece4fd874dbb0ef414f54b248b2e1374712aa1fcce8a6164a94b69014751eb05f1d0f626ce6a26a7aef06
SSDEEP: 12288:gbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBj7ww43vmOC:41ww4fmOa6IglK
Static task: static1

Behavioral task: behavioral1
Sample: LibreOffice_7.4.3_Win_x64.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: LibreOffice_7.4.3_Win_x64.exe
Resource: win10v2004-20220812-en
Malware Config

Extracted
Family: aurora
C2: 79.137.133.225:8081

Extracted
Family: redline
Botnet: redline
C2: 79.137.133.225:25999
auth_value: 38284dbf15da9b4a9eaee0ef0d2b343f

Both extracted configurations point at the same host, 79.137.133.225, on different ports (8081 for Aurora, 25999 for RedLine). When building blocks or alerts from this report, match on the host as well as on the individual host:port pairs, since a second-stage payload on the same infrastructure may use a third port.
Targets

Target: LibreOffice_7.4.3_Win_x64.exe
Size: 300.4MB
MD5: e2b9ea93192c7bfc79093a107e9ae5dc
SHA1: db51ef38abed72a4f426a0af5a2e148f88dc4cfd
SHA256: 303d6ec037275eb07e4e9e37efe0e6e9dc0260ce41e2cb6b3838fcf177dd1cf6
SHA512: dedd3d6d8140282eab2ac8243dce35d652e5753e980a318281443683b2bf1bffa3fec24466368f91d545b701f153933b26d820da15e25f39ed40f322153613d7
SSDEEP: 12288:WbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBj7ww43vmOC:m1ww4fmOa6IglK

The executable carried inside the ISO has the same reported size as the ISO itself, and its SSDEEP differs from the ISO's only in the first character of each chunk, so the two files are near-identical byte for byte. The report does not say why a stealer dropper is 300 MB; as a general observation (not something the report establishes), oversized installers of this kind are commonly padded to exceed the upload limits of sandboxes and scanners, so do not discount a sample because it is too large to submit.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext
(Not stated by the report, but worth knowing when reading it: SetThreadContext on a freshly created process is the usual final step of process hollowing, so check the sandbox's process tree for a suspended child whose image was overwritten.)
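The indicators and behavioural signatures above are useful only once they are turned into something that runs over host telemetry. The following is an added example, not part of the sandbox report or of any tool it names: it takes the SHA256 hashes and C2 endpoints from the report verbatim, expresses the three registry signatures as path patterns, and runs them over a constructed newline-delimited JSON log of Sysmon-style events. The exact registry key paths (Geo\Nation, CurrentVersion\Uninstall, CurrentVersion\Run) are assumptions about where these checks typically land; the report names the behaviour, not the key.

```python
"""Match the report's IOCs and behavioural signatures against JSON events.

Added example; the events below are constructed, not taken from the sandbox run.
"""
import json
import re

# File hashes copied from the report (ISO wrapper and inner EXE).
KNOWN_SHA256 = {
    "4db1e1b89c6750b4e1b1fad00652b669fe03e8bef93711c46b6752c08466adbd": "LibreOffice_7.4.3_Win_x64.iso",
    "303d6ec037275eb07e4e9e37efe0e6e9dc0260ce41e2cb6b3838fcf177dd1cf6": "LibreOffice_7.4.3_Win_x64.exe",
}

# C2 endpoints from the two extracted configs; both live on the same host.
KNOWN_C2 = {
    ("79.137.133.225", 8081): "aurora",
    ("79.137.133.225", 25999): "redline",
}
C2_HOSTS = {ip for ip, _ in KNOWN_C2}

# Registry signatures from the report. The key paths are assumptions about
# where these checks usually occur; the report only names the behaviour.
REGISTRY_RULES = [
    ("Checks computer location settings", "RegistryQuery",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Checks installed software on the system", "RegistryQuery",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
    ("Adds Run key to start application", "RegistrySet",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
]

# Constructed events (one JSON object per line), mimicking Sysmon fields.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "FileCreate", "image": "C:\\Users\\u\\Downloads\\LibreOffice_7.4.3_Win_x64.exe",
     "sha256": "303D6EC037275EB07E4E9E37EFE0E6E9DC0260CE41E2CB6B3838FCF177DD1CF6"},
    {"type": "RegistryQuery", "path": "HKCU\\Control Panel\\International\\Geo\\Nation"},
    {"type": "RegistryQuery", "path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip"},
    {"type": "RegistrySet", "path": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "NetworkConnect", "dst_ip": "79.137.133.225", "dst_port": 25999},
    {"type": "NetworkConnect", "dst_ip": "79.137.133.225", "dst_port": 8081},
    {"type": "NetworkConnect", "dst_ip": "79.137.133.225", "dst_port": 443},
    {"type": "NetworkConnect", "dst_ip": "8.8.8.8", "dst_port": 53},
])


def triage(log_text):
    """Return {signature: [details]} for every event that matches a report indicator."""
    hits = {}

    def add(name, detail):
        hits.setdefault(name, []).append(detail)

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev.get("type")
        if kind == "FileCreate":
            # Hash comparison is case-insensitive; tools disagree on hex case.
            digest = ev.get("sha256", "").lower()
            if digest in KNOWN_SHA256:
                add("Known sample hash", KNOWN_SHA256[digest])
        elif kind == "NetworkConnect":
            ip, port = ev.get("dst_ip"), int(ev.get("dst_port", 0))
            family = KNOWN_C2.get((ip, port))
            if family:
                add(f"{family} C2 contact", f"{ip}:{port}")
            elif ip in C2_HOSTS:
                # Same host, unlisted port: still worth a look, as a weaker signal.
                add("C2 host contact on unlisted port", f"{ip}:{port}")
        elif kind in ("RegistryQuery", "RegistrySet"):
            for name, wanted_kind, pattern in REGISTRY_RULES:
                if kind == wanted_kind and pattern.search(ev.get("path", "")):
                    add(name, ev["path"])
    return hits


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Feed real Sysmon or EDR exports in the same shape by mapping their field names onto `type`, `path`, `sha256`, `dst_ip` and `dst_port`. The registry rules are kept separate from the exact-match IOCs because a hash or host:port match is conclusive on its own, while a query of the Uninstall or Geo keys is common in legitimate software and should only raise confidence when it appears alongside the other indicators.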