General
Target: wyCdPrh7QF.exe
Size: 1.0MB
Sample: 230505-ned1xshf73
MD5: 9f88f83efed561b5002940f8425d73bd
SHA1: e211bc5df1d01ed150e5f4c727ae33c021a2011f
SHA256: 167645a3961ac8521e1db57b4a70c12adf03217b8f546fdd34c4fb770ccb4779
SHA512: 71fc4523d93f6a9f0ba48291e54528e18c969e1dd0d3d45c75ef90a64a1b9b1a12e14a5ae1a0b23e9a7b91f8576d7e4c8c252523d684e18f0cc0f95ab38bd7b6
SSDEEP: 24576:w0I5Wj1JZkaiSEZe1HOqJarhD85O/f6CDruxp6/XjtjWm:w0IEj1l131HOqJad85mSCDrCp6/0m
Static task: static1
Behavioral task: behavioral1
Sample: wyCdPrh7QF.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: wyCdPrh7QF.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted
Family: redline
Botnet (campaign ID): Youtube
C2: 5.75.169.103:18374
auth_value: fa6349261c48cdab29f1787f5ed475fe
Targets
Target: wyCdPrh7QF.exe (1.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020. It is sold as a service to other operators, harvests browser credentials, cookies, autofill data and cryptocurrency wallet files, and reports to the C2 given in the extracted config.
Signatures:
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
  Either guest-tools key is normally present only inside a VM, so the sample uses them as a cheap sandbox check.
- Sets service image path in registry
  ImagePath under HKLM\SYSTEM\CurrentControlSet\Services is the binary a service runs; writing it is a persistence technique.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments (hypervisor vendor strings show up in the manufacturer and product fields).
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence so the stealer skips hosts in excluded countries.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  Persistence via the CurrentVersion\Run key, so the payload starts again at logon.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments (virtual disk vendor IDs give the hypervisor away).
- Suspicious use of SetThreadContext
  Typical of process hollowing: a legitimate process is started suspended, its image is replaced, and the thread context is rewritten to point at the injected entry point.
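The registry-based signatures above and the C2 from the extracted config, as an added example that is not part of this report and not RedLine's own code: a Python triage helper that turns the signatures into detection logic over registry-access events (as a sandbox API trace or an EDR that records key opens would emit them) and matches connection records against the extracted C2. The registry key paths behind each signature are my assumptions of what the sandbox matched on (the report names only the signatures), and the events, process names and connection records are constructed.

```python
"""Added triage helper: not part of the sandbox report and not RedLine's own code.

Turns the report's behavioural signatures into detection logic over
registry-access events and matches the extracted C2 against connection
records.  The registry keys behind each signature are my assumption of what
the sandbox matched on; the report names the signatures, not the keys.  All
events and connections below are constructed sample input.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Extracted config from the report (family: redline).
REDLINE_C2 = ("5.75.169.103", 18374)
# Per-build value; a useful pivot for grouping samples from the same operator.
REDLINE_AUTH_VALUE = "fa6349261c48cdab29f1787f5ed475fe"

READ = {"open", "query"}
WRITE = {"create", "set"}

# (report signature, category, operations, key-path substring, value name or None).
# Substrings are matched case-insensitively so one rule covers HKLM, HKCU and
# the HKU\<SID> form.  The key paths are assumptions (see module docstring).
RULES: List[Tuple[str, str, Set[str], str, Optional[str]]] = [
    ("Looks for VirtualBox Guest Additions in registry", "evasion", READ,
     r"\oracle\virtualbox guest additions", None),
    ("Looks for VMWare Tools registry key", "evasion", READ,
     r"\vmware, inc.\vmware tools", None),
    ("Checks BIOS information in registry", "evasion", READ,
     r"\hardware\description\system\bios", None),
    ("Maps connected drives based on registry", "evasion", READ,
     r"\services\disk\enum", None),
    ("Checks computer location settings", "geofence", READ,
     r"\control panel\international\geo", "nation"),
    ("Adds Run key to start application", "persistence", WRITE,
     r"\microsoft\windows\currentversion\run", None),  # also covers RunOnce
    ("Sets service image path in registry", "persistence", WRITE,
     r"\currentcontrolset\services", "imagepath"),
]


def classify_event(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Map one registry access {image, op, key, value} to (signature, category)."""
    key, value, op = ev["key"].lower(), ev.get("value", "").lower(), ev["op"]
    for sig, cat, ops, needle, value_name in RULES:
        if op in ops and needle in key and (value_name is None or value == value_name):
            return sig, cat
    return None


def summarize(events: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Group signature hits by process image: {image: {category: {signatures}}}."""
    hits: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for ev in events:
        match = classify_event(ev)
        if match:
            sig, cat = match
            hits[ev["image"]][cat].add(sig)
    return hits


def verdict(cats: Dict[str, Set[str]]) -> str:
    """VM checks alone are common in installers and DRM; VM checks combined
    with persistence or a geofence lookup in one process is the pattern this
    report shows and is worth an analyst's time."""
    if cats.get("evasion") and (cats.get("persistence") or cats.get("geofence")):
        return "suspicious: sandbox evasion plus persistence/geofence"
    if cats.get("evasion"):
        return "review: VM/sandbox checks only"
    return "no signature hits"


def match_c2(conns: Iterable[Dict[str, object]],
             c2: Tuple[str, int] = REDLINE_C2) -> List[Dict[str, object]]:
    """Return connection records whose destination is the extracted C2."""
    ip, port = c2
    return [c for c in conns if c["dst_ip"] == ip and c["dst_port"] == port]


# Constructed sample input (not taken from the report's traces; "UpdSvc" and
# "Updater" are made-up names).
EVENTS = [
    {"image": "wyCdPrh7QF.exe", "op": "open", "key": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"image": "wyCdPrh7QF.exe", "op": "open", "key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"image": "wyCdPrh7QF.exe", "op": "query", "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "value": "SystemManufacturer"},
    {"image": "wyCdPrh7QF.exe", "op": "query", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"image": "wyCdPrh7QF.exe", "op": "query", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum", "value": "0"},
    {"image": "wyCdPrh7QF.exe", "op": "set", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"image": "wyCdPrh7QF.exe", "op": "set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc", "value": "ImagePath"},
    {"image": "setup.exe", "op": "open", "key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"image": "svchost.exe", "op": "query", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "value": "ProductName"},
]
CONNS = [
    {"src_ip": "10.0.0.5", "dst_ip": "5.75.169.103", "dst_port": 18374, "proto": "tcp"},
    {"src_ip": "10.0.0.5", "dst_ip": "142.250.74.46", "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for image, cats in summarize(EVENTS).items():
        print(image, "->", verdict(cats), {k: sorted(v) for k, v in cats.items()})
    for conn in match_c2(CONNS):
        print("C2 hit:", conn)
```

The rules deliberately separate reads from writes: the VM and geofence checks are lookups, while the Run key and ImagePath signatures only count when the process writes, which keeps a legitimate installer that merely queries these keys out of the persistence bucket. Swap `EVENTS` and `CONNS` for a real sandbox export or EDR query to use it on live data.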
MITRE ATT&CK Matrix (ATT&CK v6; number in parentheses is the count of matching signatures)
Defense Evasion:
- Bypass User Account Control (1)
- Disabling Security Tools (3)
- Modify Registry (7)
- Virtualization/Sandbox Evasion (2)
- Install Root Certificate (1)