General
-
Target
file.exe
-
Size
704KB
-
Sample
230217-3h9z4aaa37
-
MD5
a9e463f4f08d89754a695ce5809b3324
-
SHA1
968947c4a10638ba686e1e6872fbc6737da0cd04
-
SHA256
bc93341696c3c1ea7a3079cc1dfc0152db125588be5f935739d84bb25658d21c
-
SHA512
aca7c8f38a3d894e14f339dfc1926d06acf09b1b2240b007330ba6fe01159594247c88f3e67549ee12839011b65f121c4acc1de6df66ef768621ea5508934e2c
-
SSDEEP
12288:5MrXy90fVD/6WX6GRFWcrKhRiboWpsbgDNYjKVtHgB+jPAftsJWCy0G:iyoDivGRFvr6YoWY6NYGVRwTCFG
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
redline
furka
193.233.20.17:4139
-
auth_value
46dae41be0c00464bf56eddcc93e1bec
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Extracted
amadey
3.67
193.233.20.15/dF30Hn4m/index.php
Extracted
amadey
3.66
62.204.41.88/9vdVVVjsw/index.php
Extracted
redline
dubik
193.233.20.17:4139
-
auth_value
05136deb26ad700ca57d43b1de454f46
Extracted
asyncrat
0.5.7B
Default
100.42.65.218:8080
100.42.65.218:6606
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
winsyd.exe
-
install_folder
%AppData%
Targets
-
-
Target
file.exe
-
Size
704KB
-
MD5
a9e463f4f08d89754a695ce5809b3324
-
SHA1
968947c4a10638ba686e1e6872fbc6737da0cd04
-
SHA256
bc93341696c3c1ea7a3079cc1dfc0152db125588be5f935739d84bb25658d21c
-
SHA512
aca7c8f38a3d894e14f339dfc1926d06acf09b1b2240b007330ba6fe01159594247c88f3e67549ee12839011b65f121c4acc1de6df66ef768621ea5508934e2c
-
SSDEEP
12288:5MrXy90fVD/6WX6GRFWcrKhRiboWpsbgDNYjKVtHgB+jPAftsJWCy0G:iyoDivGRFvr6YoWY6NYGVRwTCFG
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
2Scripting
1Install Root Certificate
1