General
-
Target
04694e5e78d0a3dcab0bfea22aa90cfe.exe
-
Size
539KB
-
Sample
230317-lfcs5shd9s
-
MD5
04694e5e78d0a3dcab0bfea22aa90cfe
-
SHA1
bbc04877ba04814fa13800b42f6e8ea550967e2b
-
SHA256
88262a78ce91985653afffc74d9938050e56113840efbc67ee98eb9483fe1f22
-
SHA512
953a8df5135738fcda2e47b5f63e6ad626dada1f8485fd587997c38e307fe7bd34ccc5c0164f8c25dbbf63038ea126ef44445d31c4607731ba4a692524b13c9c
-
SSDEEP
12288:UdXvDWopdu11GNJGUOXOoDscvVqILhtgpiEg/ojnSFRsQOoS9cwMd:gv6oLM2GvXOoHdqIdsg/ojn4sQ9S9c1
Behavioral task
behavioral1
Sample
04694e5e78d0a3dcab0bfea22aa90cfe.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
04694e5e78d0a3dcab0bfea22aa90cfe.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
asyncrat
0.5.7B
Wars
95.173.247.110:8806
Wars
-
delay
3
-
install
true
-
install_file
Winder.exe
-
install_folder
%AppData%
Extracted
redline
Muck
52.232.8.179:37764
Extracted
asyncrat
0.5.7B
DefenderSmartScren
217.64.31.3:8437
DefenderSmartScren
-
delay
3
-
install
false
-
install_file
SecurityHealtheurvice.exe
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
SecurityDefenderProtokol
88.248.18.120:33918
SecurityDefenderProtokol
-
delay
3
-
install
false
-
install_file
SecurityDefenderProtokol.exe
-
install_folder
%AppData%
Extracted
asyncrat
1.0.7
217.64.31.3:9742
WindowsDefenderSmarttScreen
-
delay
1
-
install
false
-
install_file
WindowsDefenderSmarttScreen.exe
-
install_folder
%AppData%
Targets
-
-
Target
04694e5e78d0a3dcab0bfea22aa90cfe.exe
-
Size
539KB
-
MD5
04694e5e78d0a3dcab0bfea22aa90cfe
-
SHA1
bbc04877ba04814fa13800b42f6e8ea550967e2b
-
SHA256
88262a78ce91985653afffc74d9938050e56113840efbc67ee98eb9483fe1f22
-
SHA512
953a8df5135738fcda2e47b5f63e6ad626dada1f8485fd587997c38e307fe7bd34ccc5c0164f8c25dbbf63038ea126ef44445d31c4607731ba4a692524b13c9c
-
SSDEEP
12288:UdXvDWopdu11GNJGUOXOoDscvVqILhtgpiEg/ojnSFRsQOoS9cwMd:gv6oLM2GvXOoHdqIdsg/ojn4sQ9S9c1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Async RAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-