General
-
Target
file.exe
-
Size
704KB
-
Sample
230217-y5kaqshc57
-
MD5
cf9062024ce65bc24107008c66f9b937
-
SHA1
26557dbd46abab82bef24400ff4a7d984f10dda8
-
SHA256
dc9d065d44fcfcecd44374624fd7f1823d3355ca0a20f19c094fec43087a7d48
-
SHA512
2d62c1ff5b15d10ec5ce3696d5096ba7824904f48187dd75a44b97a3dad8dcfda2a73d97d9cebbc951dad95e0b0dc9840ba6d2020d3bd87ae927f9e8f61dd779
-
SSDEEP
12288:VMrryy90e1QnB5H1ZkuJYUZpBTuct/UHxHNZaPHyEjkSwHQc5LWfsBpn+AjkruL1:Hy9QnBnG+XfGxWvyEeLKORwKVP40n
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
redline
furka
193.233.20.17:4139
-
auth_value
46dae41be0c00464bf56eddcc93e1bec
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Extracted
amadey
3.67
193.233.20.15/dF30Hn4m/index.php
Extracted
amadey
3.66
62.204.41.88/9vdVVVjsw/index.php
Extracted
redline
dubik
193.233.20.17:4139
-
auth_value
05136deb26ad700ca57d43b1de454f46
Extracted
asyncrat
0.5.7B
Default
100.42.65.218:8080
100.42.65.218:6606
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
winsyd.exe
-
install_folder
%AppData%
Targets
-
-
Target
file.exe
-
Size
704KB
-
MD5
cf9062024ce65bc24107008c66f9b937
-
SHA1
26557dbd46abab82bef24400ff4a7d984f10dda8
-
SHA256
dc9d065d44fcfcecd44374624fd7f1823d3355ca0a20f19c094fec43087a7d48
-
SHA512
2d62c1ff5b15d10ec5ce3696d5096ba7824904f48187dd75a44b97a3dad8dcfda2a73d97d9cebbc951dad95e0b0dc9840ba6d2020d3bd87ae927f9e8f61dd779
-
SSDEEP
12288:VMrryy90e1QnB5H1ZkuJYUZpBTuct/UHxHNZaPHyEjkSwHQc5LWfsBpn+AjkruL1:Hy9QnBnG+XfGxWvyEeLKORwKVP40n
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
2Scripting
1Install Root Certificate
1