General

Target: 623bca798c05a1e5dc5a26ff57329459.bin
Size: 2.3MB
Sample: 230719-bvhb3aff91
MD5: 6f45c2f05be83fc45abe1a6217aaef22
SHA1: 75ea8cb74e30b44086b7f81ca4d606d629b8974c
SHA256: 43ca13b1d4234eea47695bce03ff36180038896a84d6bd3004a2a17730c710fc
SHA512: bdfb6553957e3b6ff024b9194e6b20945194cfe6c32174e9931bec2fc766de21a2562c76f1e2e516f2016d9ed27edec9eb9d0c6aa6a0ce99d1b5168fb3a27082
SSDEEP: 49152:Kt6nplMbi+lY6yVSD2GxfnR/FDG2e5Ej1ACRnSD+DvS9ZLz7XzRr1VpT3:g6nHMbXY6MU2Gxfn7G2e5EjpS629ZLf7

Note: the submitted .bin is named after the MD5 of the executable listed under Targets below; its own hashes differ from that executable's, so both hash sets are needed when matching this sample.

Behavioral task: behavioral1
Sample: 8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: 8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Resource: win10v2004-20230703-en

Malware Config

Extracted: redline
Botnet: 170723_rc_11
C2: rcam17.tuktuk.ug:11290
auth_value: ddbd29a91f6321652fef2b14e5ac70d5

Extracted: laplas
C2: http://lpls.tuktuk.ug
api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Laplas is a clipper: it watches the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled ones; the api_key identifies this build to the server above. Both C2 endpoints are subdomains of tuktuk.ug, so the parent domain is a reasonable block target.
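The extracted configuration above turned into blockable network IOCs and Suricata DNS rules, as an added example that is not part of the sandbox report. The C2, botnet, auth_value and api_key values are copied from the report; the dictionary field names, the SID range (1000001 upward) and the two-label "registrable domain" heuristic are assumptions made here for illustration.

```python
"""Turn the extracted RedLine/Laplas config into network IOCs and Suricata rules.

Added example, not part of the sandbox report. Config values are copied from the
report; field names, SIDs and the domain-grouping heuristic are assumptions.
"""
from urllib.parse import urlsplit

# Values as they appear in the report's "Malware Config" section.
EXTRACTED_CONFIG = {
    "redline": {"botnet": "170723_rc_11", "c2": "rcam17.tuktuk.ug:11290",
                "auth_value": "ddbd29a91f6321652fef2b14e5ac70d5"},
    "laplas": {"c2": "http://lpls.tuktuk.ug",
               "api_key": "a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde"},
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_endpoint(value):
    """Normalise a C2 field to (host, port, scheme).

    RedLine stores a bare host:port (its own TCP protocol, no scheme); Laplas
    stores an HTTP URL. Both forms are handled so one IOC list covers both.
    """
    if "://" in value:
        parts = urlsplit(value)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        return parts.hostname.lower(), port, parts.scheme
    host, _, port = value.rpartition(":")
    return host.lower(), int(port), "tcp"


def registrable_domain(host):
    """Last two DNS labels. Simplification (assumption): a production tool
    would consult the Public Suffix List so that e.g. example.co.uk works."""
    return ".".join(host.split(".")[-2:])


def extract_iocs(config=EXTRACTED_CONFIG):
    """Return {family: (host, port, scheme)} for every C2 in the config."""
    return {family: parse_endpoint(fields["c2"]) for family, fields in config.items()}


def shared_domains(iocs):
    """Group C2 hosts by registrable domain. A domain that hosts more than one
    family's infrastructure is a stronger block candidate than a single host."""
    groups = {}
    for family, (host, _port, _scheme) in iocs.items():
        groups.setdefault(registrable_domain(host), set()).add(family)
    return groups


def suricata_dns_rules(iocs, base_sid=1000001):
    """One dns.query rule per C2 host (Suricata 5+ sticky-buffer syntax)."""
    rules = []
    for i, (family, (host, port, _scheme)) in enumerate(sorted(iocs.items())):
        rules.append(
            f'alert dns any any -> any any (msg:"{family} C2 lookup {host}:{port}"; '
            f'dns.query; content:"{host}"; nocase; endswith; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = extract_iocs()
    for family, endpoint in iocs.items():
        print(family, endpoint)
    print(shared_domains(iocs))
    print("\n".join(suricata_dns_rules(iocs)))
```

The DNS rules fire on the lookup rather than the connection, which catches the RedLine C2 even though its port 11290 traffic is not HTTP; pair them with a firewall block on the tuktuk.ug domain that shared_domains() identifies.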
Targets

Target: 8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Size: 2.3MB
MD5: 623bca798c05a1e5dc5a26ff57329459
SHA1: 5d3db9376a7581fad4db73b87bcf6ce555e6138b
SHA256: 8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c
SHA512: 1923e4bf43651cd2423275d4383b013dbbe0f05870245229d6bd6ca650c536368f44d4b72cd9ca393b4269c88f5d4954826a4d1042144c5053140f463f54032d
SSDEEP: 49152:magq7j1kTKNpT+1OzKamfw3Fryxqu4m/YjsqV51RoipOm5FGWCmP9:Zgq7STKNUA7mfEO4cYjsq1RoinZCml
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020. It harvests browser credentials, cookies and cryptocurrency wallet files and can fetch and run additional payloads, which matches the wallet access and PE download observed below.
- Suspicious use of NtCreateUserProcessOtherParentProcess
  A process was created with an explicit parent-process attribute, so its parent in the process tree is not the process that spawned it (parent PID spoofing).
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  VirtualBox exposes its ACPI tables under HKLM\HARDWARE\ACPI\DSDT\VBOX__; opening that key is a common virtual-machine check.
- Downloads MZ/PE file
- Stops running service(s)
- Checks BIOS information in registry
  BIOS vendor and product strings under HKLM\HARDWARE\DESCRIPTION\System\BIOS are often read to detect sandboxes and virtual machines.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
  ThreadHideFromDebugger hides the calling thread from an attached debugger, an anti-debugging technique.
- Suspicious use of SetThreadContext
  Setting the context of another process's thread is characteristic of process hollowing, where a suspended child is overwritten and its entry point redirected to the injected payload.
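Detection logic for the registry-based behaviours in the list above (the BIOS and ACPI VirtualBox checks and the Run-key persistence), run over a registry trace, as an added example that is not part of the sandbox report. The trace lines are constructed to look like a Procmon CSV export and are not the sample's real trace; the process name sample.exe, the Run value name Updater and the rule names are assumptions made here.

```python
"""Flag VM-fingerprinting reads and Run-key persistence in a Procmon-style trace.

Added example, not part of the sandbox report. SAMPLE_TRACE is constructed
(Procmon CSV export layout) and is not the real trace of this sample.
"""
import csv
import io
import re

# Registry locations the behaviours imply. The VM-check paths are well-known
# sandbox fingerprints; the last rule is the standard per-user/machine Run key.
RULES = [
    ("bios_fingerprint",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)),
    ("bios_version_strings",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("virtualbox_acpi",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("run_key_persistence",
     re.compile(r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
]

# Constructed sample trace, not real data. Process/value names are assumptions.
SAMPLE_TRACE = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0001","sample.exe","1234","RegOpenKey","HKLM\HARDWARE\DESCRIPTION\System\BIOS","SUCCESS","Desired Access: Read"
"10:00:01.0002","sample.exe","1234","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 26, Data: innotek GmbH"
"10:00:01.0003","sample.exe","1234","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","SUCCESS","Desired Access: Read"
"10:00:01.0004","sample.exe","1234","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion","SUCCESS","Type: REG_MULTI_SZ, Length: 42, Data: Oracle VM VirtualBox"
"10:00:02.0001","sample.exe","1234","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\user\AppData\Roaming\updater.exe"
"10:00:02.0002","explorer.exe","800","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:00:02.0003","explorer.exe","800","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\user\AppData\Roaming\updater.exe"
""".strip()


def parse_trace(text):
    """Rows of a Procmon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row):
    """Return the name of the rule this registry access matches, or None."""
    if not row["Operation"].startswith("Reg"):
        return None
    is_write = row["Operation"] == "RegSetValue"
    for name, pattern in RULES:
        if not pattern.search(row["Path"]):
            continue
        # Fingerprinting is a read, persistence is a write. Requiring the
        # matching direction keeps a read of the Run key (Explorer, AV, the
        # sandbox itself) from being reported as persistence.
        if (name == "run_key_persistence") == is_write:
            return name
    return None


def detect(text):
    """Map process name -> {rule: [paths]} for every matching access."""
    hits = {}
    for row in parse_trace(text):
        name = classify(row)
        if name:
            hits.setdefault(row["Process Name"], {}).setdefault(name, []).append(row["Path"])
    return hits


def verdict(hits, process):
    """True when one process both fingerprints the VM and installs a Run key,
    the combination the report's behaviour list shows for this sample."""
    rules = set(hits.get(process, {}))
    anti_vm = rules & {"bios_fingerprint", "bios_version_strings", "virtualbox_acpi"}
    return bool(anti_vm) and "run_key_persistence" in rules


if __name__ == "__main__":
    found = detect(SAMPLE_TRACE)
    for process, rules in found.items():
        for name, paths in rules.items():
            print(f"{process}: {name} ({len(paths)} access(es))")
    print("sample.exe suspicious:", verdict(found, "sample.exe"))
```

The read/write direction check matters in practice: the Run key is read constantly by legitimate software, so only RegSetValue under it counts as persistence, while the BIOS and ACPI keys are rarely touched by anything but installers, hardware tools and evasive malware.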