General
-
Target
199c2d8e24c0cc919d0400773938ed3cca76860e7be93b5d1f2f8ee12004a5f7
-
Size
1000KB
-
Sample
230621-gzfxpahb2v
-
MD5
83ef65a424e1baf1d7b861acec54ecb4
-
SHA1
9273c6cd941d801626ac0f35ae687cab0055e208
-
SHA256
199c2d8e24c0cc919d0400773938ed3cca76860e7be93b5d1f2f8ee12004a5f7
-
SHA512
55b9478928ca32d400eab67aec7c1c337a47d188a04fa89c989fc35e5ba107776e29b1d03bceed6ffd193515e6f84430b1256c1b2476799858038df6ca6d4085
-
SSDEEP
12288:xCAtA8KIiEVqjmG09laoIqLtTmAGiDd4CT7s6Z46E2W0aBjbaxZAj0VQTj7nO62z:htAIi0/9EoTJmIDKgWWa5axZfVQTl
Static task
static1
Behavioral task
behavioral1
Sample
199c2d8e24c0cc919d0400773938ed3cca76860e7be93b5d1f2f8ee12004a5f7.exe
Resource
win10-20230220-en
Malware Config
Extracted
redline
top
83.97.73.124:53
-
auth_value
053e5ccc53982413753b68419138b23a
Extracted
redline
Lyla1906
94.130.176.65:13400
-
auth_value
5c6d9077ba684b0add99731765896e7e
Targets
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Unexpected DNS network traffic destination
Network traffic on the DNS port to servers other than the configured DNS servers was detected. This is consistent with the first extracted RedLine configuration above, whose C2 is 83.97.73.124:53: the stealer's C2 traffic goes to port 53 on a host that is not a resolver.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
NtSetInformationThread called with the ThreadHideFromDebugger information class hides the calling thread from an attached debugger (anti-debugging).
-
Suspicious use of SetThreadContext
SetThreadContext is commonly used to redirect a suspended thread's execution, as in process hollowing and thread-injection techniques.
-
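The two extracted configurations in Malware Config and the "Unexpected DNS network traffic destination" signature above, worked as an added example that is not code from the sandbox report or from RedLine itself: the script turns the extracted C2 entries into (ip, port) indicators and runs them, together with the sandbox's port-53 heuristic, over constructed connection-log lines. The IPs, ports, botnet names and auth_values are copied from the report; the log format, the infected host 10.0.0.5, the resolver set CONFIGURED_DNS_SERVERS and all function names are assumptions made for the example.

```python
"""Added example (not part of the sandbox report or of RedLine): turn the two
RedLine configurations extracted above into network IOCs and check them, plus the
report's "Unexpected DNS network traffic destination" heuristic, against
constructed connection-log lines."""
from dataclasses import dataclass

# C2 endpoints and auth_values copied from the report's "Malware Config" section.
EXTRACTED_CONFIGS = [
    {"botnet": "top", "c2": "83.97.73.124:53",
     "auth_value": "053e5ccc53982413753b68419138b23a"},
    {"botnet": "Lyla1906", "c2": "94.130.176.65:13400",
     "auth_value": "5c6d9077ba684b0add99731765896e7e"},
]

# Assumption: the resolvers the monitored network is configured to use.
# Anything else contacted on port 53 is what the sandbox flags as "unexpected".
CONFIGURED_DNS_SERVERS = {"8.8.8.8", "1.1.1.1"}

REASON_C2 = "known RedLine C2"
REASON_DNS = "unexpected DNS destination (port 53, not a configured resolver)"


@dataclass(frozen=True)
class C2Indicator:
    ip: str
    port: int
    botnet: str
    auth_value: str


@dataclass(frozen=True)
class ConnRecord:
    ts: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_c2(cfg):
    """Split a RedLine 'ip:port' C2 string into an indicator."""
    host, _, port = cfg["c2"].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {cfg['c2']!r}")
    return C2Indicator(host, int(port), cfg["botnet"], cfg["auth_value"])


def build_indicators(configs):
    """Index indicators by (dst_ip, dst_port) for O(1) lookup per flow."""
    return {(i.ip, i.port): i for i in map(parse_c2, configs)}


def parse_conn_line(line):
    """Constructed log format: '<ts> <proto> <src_ip> <src_port> <dst_ip> <dst_port>'."""
    ts, proto, sip, sport, dip, dport = line.split()
    return ConnRecord(float(ts), proto, sip, int(sport), dip, int(dport))


def classify(rec, indicators, dns_servers):
    """Return the list of reasons a single flow is suspicious (empty if clean)."""
    reasons = []
    hit = indicators.get((rec.dst_ip, rec.dst_port))
    if hit is not None:
        reasons.append(f"{REASON_C2} (botnet={hit.botnet})")
    # The sandbox heuristic: DNS-port traffic to a host that is not a resolver.
    # RedLine's first C2 in this report listens on :53, which is what trips it.
    if rec.dst_port == 53 and rec.dst_ip not in dns_servers:
        reasons.append(REASON_DNS)
    return reasons


def scan(lines, indicators, dns_servers):
    """Run every log line through classify(); return only the flagged flows."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_conn_line(line)
        reasons = classify(rec, indicators, dns_servers)
        if reasons:
            flagged.append({"ts": rec.ts, "dst": f"{rec.dst_ip}:{rec.dst_port}",
                            "reasons": reasons})
    return flagged


# Constructed sample traffic from a hypothetical infected host 10.0.0.5
# (not taken from the report; documentation-range IPs for the benign flows).
SAMPLE_CONN_LOG = """\
1687340000.1 udp 10.0.0.5 52311 8.8.8.8 53
1687340001.7 tcp 10.0.0.5 52312 83.97.73.124 53
1687340002.3 tcp 10.0.0.5 52313 94.130.176.65 13400
1687340003.9 tcp 10.0.0.5 52314 198.51.100.20 443
1687340004.2 tcp 10.0.0.5 52315 203.0.113.9 53
"""

if __name__ == "__main__":
    iocs = build_indicators(EXTRACTED_CONFIGS)
    for f in scan(SAMPLE_CONN_LOG.splitlines(), iocs, CONFIGURED_DNS_SERVERS):
        print(f["ts"], f["dst"], "; ".join(f["reasons"]))
```

The first C2 flow is flagged twice (known C2 and port-53 anomaly), the second only as a known C2, and the final line only by the heuristic, which is the point of keeping both checks: the resolver-allowlist rule still fires on a C2 on port 53 that no indicator list has seen yet. The auth_value rides along on the indicator so a hit carries campaign attribution rather than being matched on the wire.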