General
-
Target
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
-
Size
2.3MB
-
Sample
230713-ajh9jsfh7x
-
MD5
3c55617e6b69330386a0350e9f6aa0b4
-
SHA1
99bff391433cfc610b27f3b2b7ebc3239314f831
-
SHA256
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
-
SHA512
46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28
-
SSDEEP
49152:X4MR20Q9Xz2p2pizrXPHaBXtHqNQ6cBUX0biao10PzFyPawde5Gir:X41MEpyHaZUNFcBUEfoIgPFTir
Behavioral task
behavioral1
Sample
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94.exe
Resource
win10-20230703-en
Malware Config
Extracted
redline
120723_rc_11
rcam.tuktuk.ug:11290
-
auth_value
3a7b4b38a7116be1f337083fb37de790
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Targets
-
-
Target
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
-
Size
2.3MB
-
MD5
3c55617e6b69330386a0350e9f6aa0b4
-
SHA1
99bff391433cfc610b27f3b2b7ebc3239314f831
-
SHA256
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
-
SHA512
46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28
-
SSDEEP
49152:X4MR20Q9Xz2p2pizrXPHaBXtHqNQ6cBUX0biao10PzFyPawde5Gir:X41MEpyHaZUNFcBUEfoIgPFTir
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-