General
-
Target
file.exe
-
Size
704KB
-
Sample
230217-zrj89ahd93
-
MD5
b56c91de8cff86f80cae6d363eb0b91e
-
SHA1
7f158ffe127b3dedf6c0e0c2b434433aa8069eb3
-
SHA256
516908fc95c6c31806a19b5a9108c0a99fff52371426fb77a10e1d75d1ae8a79
-
SHA512
7ca42d809d04d2cee838436b2881a088454e27a0f1b66e649bbb7254312d85b2161695d9ebba6fc705661bf3a53dab85e48c16bcfd06695a0bed14b39e79d3e3
-
SSDEEP
12288:8Mruy90YkAElGG0HKcaPqgopAC9E1kLWHEW5L4yglmyDoL:6ytkNGG02PaAUE3LwwyDoL
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
redline
furka
193.233.20.17:4139
-
auth_value
46dae41be0c00464bf56eddcc93e1bec
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Extracted
amadey
3.67
193.233.20.15/dF30Hn4m/index.php
Extracted
amadey
3.66
62.204.41.88/9vdVVVjsw/index.php
Extracted
redline
dubik
193.233.20.17:4139
-
auth_value
05136deb26ad700ca57d43b1de454f46
Extracted
redline
215
149.28.150.159:12304
-
auth_value
9377c129c1845959c54733992bf8dfb9
Extracted
asyncrat
0.5.7B
Default
100.42.65.218:8080
100.42.65.218:6606
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
winsyd.exe
-
install_folder
%AppData%
Targets
-
-
Target
file.exe
-
Size
704KB
-
MD5
b56c91de8cff86f80cae6d363eb0b91e
-
SHA1
7f158ffe127b3dedf6c0e0c2b434433aa8069eb3
-
SHA256
516908fc95c6c31806a19b5a9108c0a99fff52371426fb77a10e1d75d1ae8a79
-
SHA512
7ca42d809d04d2cee838436b2881a088454e27a0f1b66e649bbb7254312d85b2161695d9ebba6fc705661bf3a53dab85e48c16bcfd06695a0bed14b39e79d3e3
-
SSDEEP
12288:8Mruy90YkAElGG0HKcaPqgopAC9E1kLWHEW5L4yglmyDoL:6ytkNGG02PaAUE3LwwyDoL
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
2Scripting
1Install Root Certificate
1