General
- Target: 812b8d76e0cf1e825bbfcf787ebdd902.exe
- Size: 236KB
- Sample: 230201-sgsdjsac43
- MD5: 812b8d76e0cf1e825bbfcf787ebdd902
- SHA1: 9f981c60bb4195657340519e13f1422e5cc8967b
- SHA256: 6513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
- SHA512: 9a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
- SSDEEP: 6144:r0oFwGz+5JJw20a1bfjVEmAuVy1OVYvk8gF:rpLxa5VsuVy8VJ
Behavioral tasks
- behavioral1: sample 812b8d76e0cf1e825bbfcf787ebdd902.exe, resource win7-20221111-en
- behavioral2: sample 812b8d76e0cf1e825bbfcf787ebdd902.exe, resource win10v2004-20220812-en
Malware Config (extracted configurations)
- amadey 3.66, C2: 193.233.20.4/t6r48nSa/index.php, 62.204.41.88/9vdVVVjsw/index.php
- redline "druid", C2: 62.204.41.170:4132, auth_value: fddcb4126f1d0ea4ac975511b3530e72
- redline (no name), C2: 85.31.44.66:17742, auth_value: e9a89e5b72a729171b1655add99ee280
- redline "fredy", C2: 62.204.41.170:4132, auth_value: 880249eef9593d49a1a3cddf57c5cb35
- redline "new1", C2: 176.113.115.16:4122, auth_value: ac44cbde6633acc9d67419c7278d5c70
- redline "temposs6678", C2: 82.115.223.9:15486, auth_value: af399e6a2fe66f67025541cf71c64313
- redline "new", C2: 176.113.115.16:4122, auth_value: 0ae189161615f61e951d226417eab9d5
- redline "@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)", C2: 151.80.89.233:13553, auth_value: fbee175162920530e6bf470c8003fa1a
- amadey 3.65, C2: 77.73.134.27/8bmdh3Slb2/index.php
- redline "bigdick", C2: 185.254.37.212:80, auth_value: 88290259fe8dc49da48b125d03e6788c
Targets
- 812b8d76e0cf1e825bbfcf787ebdd902.exe (236KB; hashes as listed under General)
Signatures triggered:
- Detects Rhadamanthys stealer shellcode
- Detects Smokeloader packer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Stops running service(s)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix (ATT&CK v6), technique followed by the number of matching signatures:
Persistence
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (1)
- Bootkit (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (4)
- Disabling Security Tools (2)
- Virtualization/Sandbox Evasion (1)
- Impair Defenses (1)
- Scripting (1)