General
Target: 8334e0db86904c86bd662bc875f37172163c93f6a117f15f7d417f3785ff952a
Size: 560KB
Sample: 230810-26eneshe49
MD5: d7d9d5ed7d6307a398e02250d7cf01e4
SHA1: 66969c093077667a76118de419bd3641ad029563
SHA256: 8334e0db86904c86bd662bc875f37172163c93f6a117f15f7d417f3785ff952a
SHA512: a45119444ede1ba663a52ae1bd9313061aa8e9ab25a89499e963ffb255ef75d599779f10bc2d7146917305b29484e1e0173321bd3feb0a2efc159ddc79dafd41
SSDEEP: 12288:QMr8y909Q9svv0wzd2B6FJlC0L9bq2/Ztyy+xCiZIgIOL3:8yhC3YSQ0L5HtyyqCu3
Static task: static1
Malware Config
Extracted: amadey
  3.87
  193.233.255.9/nasa/index.php
Extracted: redline
  kedra
  77.91.124.54:19071
  auth_value: 5deceb2ef08b60cd66ae9869e3eb6e34
Extracted: quasar
  1.4.1
  spread
  adequatelicensing.at:4040
  d93e662e-a9de-4198-89ca-f18764fe29de
  encryption_key: 36FFB0B8C391E84D40C64F776A2794BCA2549D86
  install_name: Updater.exe
  log_directory: Logs
  reconnect_delay: 1000
  startup_key: Java Update
  subdirectory: Java
Targets
- Detects Healer, an antivirus disabler dropper
- Quasar payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)