General
-
Target
Hwid Spoofer Eac Rust Cleanernls..scr
-
Size
658KB
-
Sample
230128-ndt1ragb3x
-
MD5
556084cf64aec63e0babdf10a61afaa6
-
SHA1
b7fa21295db0657d1767c05bb440b218cecdf521
-
SHA256
d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab
-
SHA512
6c896594ea47228f71f1dea7d9fd9f9842b5f178748a39c785ded34fb9dfd574c9bd781f1f65176e436453257078255803d729b79d823c01c6629fddfb3ce33e
-
SSDEEP
12288:LC/74rdbHgVBnqvFprkrUolVATWZXYm7ljg9hG80NEKXo1Y1UHC+O:LC/UGTWrkrUovUKfhkQNEwUnO
Static task
static1
Behavioral task
behavioral1
Sample
Hwid Spoofer Eac Rust Cleanernls..scr
Resource
win10-20220812-en
Malware Config
Extracted
redline
ff
51.103.208.104:53200
Extracted
asyncrat
0.5.7B
WHostProjess
95.70.151.185:8805
WHostProjess
-
delay
3
-
install
false
-
install_file
WHostProjess
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
SecurityHealthService
20.4.6.16:43521
SecurityHealthService
-
delay
3
-
install
false
-
install_file
SecurityHealthService
-
install_folder
%AppData%
Targets
-
-
Target
Hwid Spoofer Eac Rust Cleanernls..scr
-
Size
658KB
-
MD5
556084cf64aec63e0babdf10a61afaa6
-
SHA1
b7fa21295db0657d1767c05bb440b218cecdf521
-
SHA256
d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab
-
SHA512
6c896594ea47228f71f1dea7d9fd9f9842b5f178748a39c785ded34fb9dfd574c9bd781f1f65176e436453257078255803d729b79d823c01c6629fddfb3ce33e
-
SSDEEP
12288:LC/74rdbHgVBnqvFprkrUolVATWZXYm7ljg9hG80NEKXo1Y1UHC+O:LC/UGTWrkrUovUKfhkQNEwUnO
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-