General
-
Target
8dd7d5a85e9955332283dfc92fd2a25a5671f1bcbe2d0b9fb53d8f74f47bdb99
-
Size
1.1MB
-
Sample
230220-1hta8scf33
-
MD5
27ae1b43ac044b7de3ca0f355be89db5
-
SHA1
05ef021e4cf666f6d5e68ca43ee0a45ca052e09b
-
SHA256
8dd7d5a85e9955332283dfc92fd2a25a5671f1bcbe2d0b9fb53d8f74f47bdb99
-
SHA512
9899681bf24e4e2460a2a31b15bf8224d0ea59dcb3ba228d0ee1956213d4a275a05c6de3e19d6b0841180a7d0ba4d885626da690e0d0bef08b61ee9c1be48154
-
SSDEEP
24576:Jy7G8+80ZRC2HOMEZqlcC8eWU3FoRxyiJRgK9xu9/Gyb:87G8+Dm2bEZC89emRYiJRgKCA
Static task
static1
Behavioral task
behavioral1
Sample
8dd7d5a85e9955332283dfc92fd2a25a5671f1bcbe2d0b9fb53d8f74f47bdb99.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Extracted
redline
fucna
193.233.20.17:4139
-
auth_value
16ab0f6ba753ccbeb028722745cf846f
Extracted
amadey
3.67
193.233.20.15/dF30Hn4m/index.php
Extracted
redline
kk1
176.113.115.17:4132
-
auth_value
df169d3f7f631272f7c6bd9a1bb603c3
Extracted
amadey
3.66
62.204.41.88/9vdVVVjsw/index.php
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Extracted
redline
85.31.44.66:17742
-
auth_value
e9a89e5b72a729171b1655add99ee280
Extracted
aurora
167.235.18.89:8081
Targets
-
-
Target
8dd7d5a85e9955332283dfc92fd2a25a5671f1bcbe2d0b9fb53d8f74f47bdb99
-
Size
1.1MB
-
MD5
27ae1b43ac044b7de3ca0f355be89db5
-
SHA1
05ef021e4cf666f6d5e68ca43ee0a45ca052e09b
-
SHA256
8dd7d5a85e9955332283dfc92fd2a25a5671f1bcbe2d0b9fb53d8f74f47bdb99
-
SHA512
9899681bf24e4e2460a2a31b15bf8224d0ea59dcb3ba228d0ee1956213d4a275a05c6de3e19d6b0841180a7d0ba4d885626da690e0d0bef08b61ee9c1be48154
-
SSDEEP
24576:Jy7G8+80ZRC2HOMEZqlcC8eWU3FoRxyiJRgK9xu9/Gyb:87G8+Dm2bEZC89emRYiJRgKCA
-
Detect rhadamanthys stealer shellcode
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2Install Root Certificate
1Modify Registry
4Scripting
1Web Service
1