Extracted

• • Target

    MavrodiBlack 2.exe

  • Size

    592KB

  • MD5

    a5f8768a97c74ecc4c26c402f2bcef11

  • SHA1

    d234ce957544025614d49e1e18f3bac6352ca994

  • SHA256

    679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c

  • SHA512

    e425b6d9f19de18465af3ea438a9ec3ee9f0ca30608146f3094fa28960a841f5d3a9a2a13655c2123d93f5bcab79e57a37b10d7201ffddd8b8991c3f0eae6009

  • SSDEEP

    6144:jS6d7abcho/OiptVSaPCpikafd5Y9k1WeR7LSxDxpaG6WiX22QbjMrgXScKl+mH1:W6dvhop3zlEyLeKXo8r2Kl+4mW/QKU6

  Score

  10^/10

  redlineevasioninfostealerspyware

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Downloads MZ/PE file

  • Stops running service(s)

    evasion

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2