General
-
Target
tmp
-
Size
235KB
-
Sample
230223-sz6znaab8y
-
MD5
ebd584e9c1a400cd5d4bafa0e7936468
-
SHA1
d263c62902326425ed17855d49d35003abcd797b
-
SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
-
SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
SSDEEP
6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
amadey
3.66
62.204.41.88/9vdVVVjsw/index.php
Extracted
redline
Hack
154.17.165.178:10377
-
auth_value
50233687e98ee274b44a32fcc741f9a4
Extracted
amadey
3.65
hellomr.observer/7gjD0Vs3d/index.php
researchersgokick.rocks/7gjD0Vs3d/index.php
pleasetake.pictures/7gjD0Vs3d/index.php
Extracted
amadey
3.67
specialblue.in/dF30Hn4m/index.php
specialblue.pm/dF30Hn4m/index.php
specialblue.wf/dF30Hn4m/index.php
Extracted
http://79.110.62.167/link/agent.exe
Targets
-
-
Target
tmp
-
Size
235KB
-
MD5
ebd584e9c1a400cd5d4bafa0e7936468
-
SHA1
d263c62902326425ed17855d49d35003abcd797b
-
SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
-
SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
SSDEEP
6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-