Overview

overview

10

Static

static

1

winprofile

windows7-x64

1

winprofile

windows10-1703-x64

10

Resubmissions

20-03-2023 01:51

230320-b9373sbc53 10

20-03-2023 01:06

230320-bgk6ssda8t 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac

  • Size

    1.5MB

  • Sample

    230320-bgk6ssda8t

  • MD5

    103f1dc5270469cf9414ee95dee9561f

  • SHA1

    f44b74ac4e35943c1b9f85ca560595bb64a8c918

  • SHA256

    5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac

  • SHA512

    a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

  • SSDEEP

    24576:E5SH0+xjXR3uO29j3w/2H+vttmPoADPn7axIGXliWvVznOs0O9dDNh:NhJq1HYtm+xLiWvVS+DNh

Score
10/10
redlinerhadamanthysbuild_maininfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

build_main

C2

80.85.156.168:20189

Attributes
  • auth_value

    5e5c9cacc6d168f8ade7fb6419edb114

Targets

    • Target

      5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac

    • Size

      1.5MB

    • MD5

      103f1dc5270469cf9414ee95dee9561f

    • SHA1

      f44b74ac4e35943c1b9f85ca560595bb64a8c918

    • SHA256

      5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac

    • SHA512

      a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

    • SSDEEP

      24576:E5SH0+xjXR3uO29j3w/2H+vttmPoADPn7axIGXliWvVznOs0O9dDNh:NhJq1HYtm+xLiWvVS+DNh

    Score
    10/10
    redlinerhadamanthysbuild_maininfostealerspywarestealer

    • Detect rhadamanthys stealer shellcode

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks