General
Target: 5a54f6c46d49e8d2b54ffb96fc3aa512c9dbf30820921148fd160a1d4b7acd70
Size: 560KB
Sample: 230810-2pxsnsbc2w
MD5: afa363a12d8bbcac0bd638997c7dea4e
SHA1: ba2f5dacfc1bf4fe2b2adedad1cbf829d8dc08ae
SHA256: 5a54f6c46d49e8d2b54ffb96fc3aa512c9dbf30820921148fd160a1d4b7acd70
SHA512: 80824ab1af28d7a9ec7f6b0008444614f8e70f0330d3221be8e905b6d6a73aafe65d118fda01e78d8a0021b9cc2cca0459910e15f30350bff3252f47d7cc4640
SSDEEP: 12288:JMrAy90p3XVsHIH7XlGeoNnp3AUVnStyYbNijATbPx+HG7:9yG3X+oHbQpwiEyyNjLxYG7
Static task: static1
Behavioral task: behavioral1
Sample: 5a54f6c46d49e8d2b54ffb96fc3aa512c9dbf30820921148fd160a1d4b7acd70.exe
Resource: win10-20230703-en
Malware Config

Extracted: amadey
- 3.87
- 193.233.255.9/nasa/index.php

Extracted: redline
- kedra
- 77.91.124.54:19071
- auth_value: 5deceb2ef08b60cd66ae9869e3eb6e34

Extracted: vidar
- 5.1
- ef53b6b1b2b41bb26f156380d493f1dd
- https://t.me/tatlimark
- https://steamcommunity.com/profiles/76561199536605936
- profile_id_v2: ef53b6b1b2b41bb26f156380d493f1dd

Extracted: quasar
- 1.4.1
- spread
- adequatelicensing.at:4040
- d93e662e-a9de-4198-89ca-f18764fe29de
- encryption_key: 36FFB0B8C391E84D40C64F776A2794BCA2549D86
- install_name: Updater.exe
- log_directory: Logs
- reconnect_delay: 1000
- startup_key: Java Update
- subdirectory: Java
Targets
- Detects Healer, an antivirus disabler dropper
- Quasar payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)