General
- Target: 4a35d67996cdcde8da42ba8e40015738.bin
- Size: 601KB
- Sample: 230227-bpap2abc75
- MD5: 6b6d43a00598cc5bcef99c98f72ffb84
- SHA1: 8d2464bf6913b8ae794f53fd4247262d0884a0c2
- SHA256: 8d73747ba178784cf760985cb4254b8d178ec2a8ce07b58e782fcd3cd40ada51
- SHA512: 83cd51c02c508bdce3f8b76f6da9c61b7059c308eddd16b15ab851180697865174d525331fcc1916fc1f265ce054bb64cb4d463d8a3beef4c7cf60c8bff3f279
- SSDEEP: 12288:f00wQdW6ZlBcS3zEwzvKvV+JZI0+zLGf8K/1B9GYa2J8l0r:ZWEkSzTu8JZT+zLKN/AsF
Static task: static1
Behavioral task: behavioral1
Sample: 76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted
asyncrat
0.5.7B
DefenderSmartScren
217.64.31.3:8437
DefenderSmartScren
- delay: 3
- install: false
- install_file: SecurityHealtheurvice.exe
- install_folder: %AppData%
Extracted
asyncrat
1.0.7
WindowsDefenderSmarttScreen
217.64.31.3:9742
WindowsDefenderSmarttScreen
- delay: 1
- install: false
- install_file: WindowsDefenderSmarttScreen.exe
- install_folder: %AppData%
Extracted
asyncrat
0.5.7B
LWRTX
20.199.101.68:3161
LWRTX
- delay: 3
- install: false
- install_file: LWRTX
- install_folder: %AppData%
Targets
- Target: 76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe
- Size: 622KB
- MD5: 4a35d67996cdcde8da42ba8e40015738
- SHA1: 21342be12a055a2c1caffd73cc7866c81cb3e585
- SHA256: 76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c
- SHA512: 96f3904de25540397b1a499828f1781c943ffba4d42e2028b6ab322dbb3916bc03adf5ca084bf2afa3a90272a9c986e7d11b23e26ab86856225b0d0aef9f8ad2
- SSDEEP: 12288:U/C3Xp1sthiBKo+NJv9B3K6EwC2EQcmowOmA9BRMsrLS3t5r0I1Uu:e+Xp14hiBr+NJDvEwFQBPMqLS3kIC
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Async RAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext