General
-
Target
a6184c9199dbb3af92d8e8a8ab98f972316104e1ad2cb4c5f8108a6ac6b6a95b
-
Size
1.0MB
-
Sample
231011-gylrjsgc86
-
MD5
4701e0d6127b1dbbd13c34e97fec1204
-
SHA1
99a638c8aca246e511687bb127a01f8ca861d352
-
SHA256
1e6b4e47be53552c7ceadce7f3a231e9849374c0387649d94f161135390df022
-
SHA512
57cb0c6b8254821b5f47cd29e274399db2ef32e90ccf145e09b5fb57d39a0826fe277d006118c647142c77154f5a33c634807cb56b0e089363b438c368f69d78
-
SSDEEP
24576:EyylKmIhKzp4ES1PilEVMxoUBxqi2syslU1rSYfxvRhPL:UlKmtzTkyfxSJH1TfxvrT
Static task
static1
Behavioral task
behavioral1
Sample
a6184c9199dbb3af92d8e8a8ab98f972316104e1ad2cb4c5f8108a6ac6b6a95b.exe
Resource
win7-20230831-en
Malware Config
Extracted
redline
gruha
77.91.124.55:19071
-
auth_value
2f4cf2e668a540e64775b27535cc6892
Extracted
amadey
3.89
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
Targets
-
-
Target
a6184c9199dbb3af92d8e8a8ab98f972316104e1ad2cb4c5f8108a6ac6b6a95b
-
Size
1.1MB
-
MD5
31b3ab9a4fa33fa9ce8b5682f0c0b45d
-
SHA1
e6641583051afd1e9af9e4b8339fd888b9a3fe40
-
SHA256
a6184c9199dbb3af92d8e8a8ab98f972316104e1ad2cb4c5f8108a6ac6b6a95b
-
SHA512
41dec9e411733a610746e54b98525cf512a0c7423ff53d1dafe540b973ea157f3070c901481a404208721c87e19c1f5a65503e322a172e4cd8019df2bf24f0e6
-
SSDEEP
24576:+yNNiBKRv4WC1PmlSLMRoeB/8iesCV21r4YfxclU:NbFRx0GB/UfV211fxc
-
Detect Mystic stealer payload
-
Detects Healer an antivirus disabler dropper
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1