General

Target: f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f
Size: 5.3MB
Sample: 230409-1737qsfc4y
MD5: 6eea1248a188ec88b2e7d50242da4965
SHA1: a08f6574178ab2cc4fed339caee2e0b584a7ca38
SHA256: f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f
SHA512: 76c8c91ad1020956393b6e8fbc7ce02866fa1c99fa913c749662b74ea161d5f9137ec2691fb23f07d8d286db2e351297704898dcbdc18d08b7b276c5fd351570
SSDEEP: 49152:ycVV1BCjBNwU6dK2NUyig6XiRlFU3CRVVGX0eRpL5nUi1JQfPU3+8qy9A+fC1pKg:7

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f.exe
  Resource: win10-20230220-en

Malware Config

Extracted
  Family: redline
  Botnet: cheat
  C2: 154.81.220.233:28105

Extracted
  Family: quasar
  Version: 1.4.1
  Botnet: Network1
  C2: auroraforge.art:55326
  C2: thesirenmika.com:55713
  Mutex: d8de8ec1-301f-4631-8c5e-1f6b72751c16
  Attributes:
    encryption_key: A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1
    install_name: up2.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Quasar Client Startup
    subdirectory: SubDir

Targets

Target: f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f
Size: 5.3MB
MD5: 6eea1248a188ec88b2e7d50242da4965
SHA1: a08f6574178ab2cc4fed339caee2e0b584a7ca38
SHA256: f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f
SHA512: 76c8c91ad1020956393b6e8fbc7ce02866fa1c99fa913c749662b74ea161d5f9137ec2691fb23f07d8d286db2e351297704898dcbdc18d08b7b276c5fd351570
SSDEEP: 49152:ycVV1BCjBNwU6dK2NUyig6XiRlFU3CRVVGX0eRpL5nUi1JQfPU3+8qy9A+fC1pKg:7

Signatures

Quasar payload
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
SectopRAT payload
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext