General
-
Target
753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd
-
Size
2.3MB
-
Sample
230716-d3pr8add5t
-
MD5
9b06361b484531e8d71b64fbb32534d9
-
SHA1
6c47e8bfaf1b82c57c861312f1fe130cc5e21c96
-
SHA256
753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd
-
SHA512
dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb
-
SSDEEP
49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6
Behavioral task
behavioral1
Sample
753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Resource
win10-20230703-en
Malware Config
Extracted
redline
150723_rc_11
rcam15.tuktuk.ug:11290
-
auth_value
0b3645317afbcac212f68853bb45b46d
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Targets
-
-
Target
753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd
-
Size
2.3MB
-
MD5
9b06361b484531e8d71b64fbb32534d9
-
SHA1
6c47e8bfaf1b82c57c861312f1fe130cc5e21c96
-
SHA256
753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd
-
SHA512
dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb
-
SSDEEP
49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-