General
Target: 56280d91e6528367bf62eb853a01363b.bin
Size: 482KB
Sample: 230505-w2sftsda79
MD5: 56280d91e6528367bf62eb853a01363b
SHA1: 9fd3e8f0e0526b912408e20ce2cb3ea3915cbf32
SHA256: dff3c133d3b9008dfd2205b23cc0bb6ff10c21e3ffcca35501fb72900fb535f0
SHA512: 1e270b8e57372512e86e892fbbb462d8d8cf4cd845f0c8a1f788a486731a0e525d9248fc7b6480799fac73e38430f6590cf51ebdea49f1518205272ed0b16652
SSDEEP: 6144:pg0JxHI5IEaw6liixj93Q9Oo4Eq8eC4/hQ2oY4hShrz7274G/qmwp5oAmkUwfWIW:pM5TSj9gQhR/JicX27e/osUwL94zH
Static task: static1
Behavioral task: behavioral1
  Sample: 5faf15d82b0485d240a92b6b9d4736b4a85b477c578728f78292e51c70529e94.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 5faf15d82b0485d240a92b6b9d4736b4a85b477c578728f78292e51c70529e94.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted
  Protocol: smtp
  Host: smtp.anahataresort.com
  Port: 587
  Username: [email protected]
  Password: Anahata#102021*
Extracted (snakekeylogger)
  Protocol: smtp
  Host: smtp.anahataresort.com
  Port: 587
  Username: [email protected]
  Password: Anahata#102021*
  Email To: [email protected]
Targets
Target: 5faf15d82b0485d240a92b6b9d4736b4a85b477c578728f78292e51c70529e94.exe
Size: 656KB
MD5: 38a229cb268dd8a931ab314b82634871
SHA1: 0dc186cc87aa69df580d948ba75ba1c6f53c71de
SHA256: 5faf15d82b0485d240a92b6b9d4736b4a85b477c578728f78292e51c70529e94
SHA512: c2d8078ad839c73cd03ec51ced60472683232e392ae2d95a2c08be97c40a27ca48339550aa0ad8dfa4677440e113df40cddbd4e3d8859bce4cddafa1d330a0cd
SSDEEP: 6144:X1mpdUb8y/pcdANedFbX3ihvT+d5sn8xT5HGlAJ35NBto1PDClpN35mEa187BCOe:XpRcdQedFr3+Csn8HcAJpziPOPV56o
Signatures
Detects Redline Stealer samples
  This rule detects the presence of Redline Stealer samples based on their unique strings.
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Snake Keylogger payload
StormKitty payload
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext