General

  • Target

    nehi is gay.exe.bin

  • Size

    69.1MB

  • Sample

    230430-18y96sfh7x

  • MD5

    d955a338ef668203f26ddff88f7149c7

  • SHA1

    9b5bb53aecbd3de61d31596410939fa1132b9968

  • SHA256

    36e24ca016225e95bbb389eacb9452f4d5908ff54916edc6e2399a1b7da2d2a4

  • SHA512

    86f276ef48fa4a521a1a745a9f0a04a188b7c76c26234c7b4b573726f1119bd011cc5cc716456abda89312a8d5ff74f2c6a228ef00b3c31e226cbf1d690e232d

  • SSDEEP

    1572864:TjddGvZOdIS+6t50JBthhAQaRAVvhHUzqkbeIq6o3LuqiGCym0Lk:HGvcIb6t2HzmQ++Z8qkbeIqz3LuqLLk

Malware Config

Targets

    • Target

      nehi is gay.exe.bin

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks