General
-
Target
b392d04cf1c1d1f456d4c98db918adf7.exe
-
Size
141KB
-
Sample
230505-j8zghaha44
-
MD5
b392d04cf1c1d1f456d4c98db918adf7
-
SHA1
8b6485f29a5416d19085ce42c414367f61ab3717
-
SHA256
3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
-
SHA512
99fc5271441f28cd6e1edf62c9ee64d004453b4d887f6cddf26145dad3b11b54807e224378e7b91f1dd5c19b2cd8fac4b91d004e7f240fd393dcbe9f33c40014
-
SSDEEP
3072:2bbfPwSEsGVqwkwDapiUlhK0fOWIOGPk4HWGTH+x9:2bbfPwPqyaq/WIm42GL+L
Static task
static1
Behavioral task
behavioral1
Sample
b392d04cf1c1d1f456d4c98db918adf7.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
b392d04cf1c1d1f456d4c98db918adf7.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
http://62.204.41.23/o.png
Extracted
http://62.204.41.23/r.png
Extracted
http://62.204.41.23/file.png
Extracted
systembc
185.161.248.16:4440
Extracted
redline
[ PRO ]
185.161.248.16:26885
-
auth_value
b4958da54d1cdd9d9b28330afda1cc3c
Targets
-
-
Target
b392d04cf1c1d1f456d4c98db918adf7.exe
-
Size
141KB
-
MD5
b392d04cf1c1d1f456d4c98db918adf7
-
SHA1
8b6485f29a5416d19085ce42c414367f61ab3717
-
SHA256
3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
-
SHA512
99fc5271441f28cd6e1edf62c9ee64d004453b4d887f6cddf26145dad3b11b54807e224378e7b91f1dd5c19b2cd8fac4b91d004e7f240fd393dcbe9f33c40014
-
SSDEEP
3072:2bbfPwSEsGVqwkwDapiUlhK0fOWIOGPk4HWGTH+x9:2bbfPwPqyaq/WIm42GL+L
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-