General
- Target: b56d0cd766644407a05a0a03286b27a71628830a789a8539b54a4e64ccc72304
- Size: 560KB
- Sample: 230811-l2pptscc25
- MD5: c99cf21a0a1d468e7c9cd7e6898a0fd3
- SHA1: de22abb54ee3ee4c81086bbbe84ec603fa6538fb
- SHA256: b56d0cd766644407a05a0a03286b27a71628830a789a8539b54a4e64ccc72304
- SHA512: 32662844b99c5ee858feccb7f090bd2985ca0012114d71ea07e0078459f25732a140887ff21c5cc54105baebcc2250d0220c969749ffb7045e61062de4288039
- SSDEEP: 12288:3MrKy90Aw7KB5XXs5EcUCrYOtzi9UW4eR:dyJUK3ncwOzcR
- Static task: static1
Malware Config
Extracted: amadey
- Version: 3.87
- C2: 193.233.255.9/nasa/index.php
Extracted: redline
- Botnet: turop
- C2: 77.91.124.54:19071
- auth_value: 288bd34bce1667b91e279fa0e1085613
Extracted: quasar
- Version: 1.4.1
- spread
- C2: adequatelicensing.at:4040
- d93e662e-a9de-4198-89ca-f18764fe29de
- encryption_key: 36FFB0B8C391E84D40C64F776A2794BCA2549D86
- install_name: Updater.exe
- log_directory: Logs
- reconnect_delay: 1000
- startup_key: Java Update
- subdirectory: Java
Targets
- Detects Healer, an antivirus disabler dropper
- Quasar payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)