General
Target: 42596f7e2d1ab5a726d7e1536ad9670ee164ee25f4228480505cbdb745bfe5f6
Size: 527KB
Sample: 230205-3z9qnaeg5z
MD5: a668f43511ce53a706ff49889845e0a7
SHA1: c82d47d512eb019f95a4d7981dbf595de3978c66
SHA256: 42596f7e2d1ab5a726d7e1536ad9670ee164ee25f4228480505cbdb745bfe5f6
SHA512: 5f582fb8776becb808f58d135e21a1ed9421c305e002ea19bd4604d8b541ee3a2f204ac360c127c7f83e229615aca7838d994ebc4aabb0ae06aa5a1ef8afda4a
SSDEEP: 6144:Kty+bnr+8p0yN90QEsa2csE15PmkGc0l/ZYjiZ+KmEJUas6bDNlb+8RtcZ2/71Id:nMroy90EcsSN0l/qWZt7JoQDw2F78
Static task: static1
Behavioral task: behavioral1
Sample: 42596f7e2d1ab5a726d7e1536ad9670ee164ee25f4228480505cbdb745bfe5f6.exe
Resource: win10-20220812-en
Malware Config
Extracted: amadey
3.66
62.204.41.4/Gol478Ns/index.php
Extracted: redline
ringo
176.113.115.16:4122
auth_value: b8f864b25d84b5ed5591e4bfa647cdbe
Extracted: redline
temposs6678
82.115.223.9:15486
auth_value: af399e6a2fe66f67025541cf71c64313
Extracted: redline
ringo1
176.113.115.16:4122
auth_value: 373b070fb57b7689445f097000cbd6c2
Targets
Target: 42596f7e2d1ab5a726d7e1536ad9670ee164ee25f4228480505cbdb745bfe5f6
- Detect rhadamanthys stealer shellcode
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Rhadamanthys: Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext