General
Target: e5dfd1803ad1d6b8a4575950264620c15681a88e18fc17bb0164a284d2ee7ce3
Size: 1.3MB
Sample: 231011-hp5nqsac79
MD5: 3bda4f6f71dfbe036d71e6160c95b6f5
SHA1: 64ba645af7f0f1111bce0467375684513c4a9ba5
SHA256: 2a7fae50fdecb378d3b2769f24bed66230a9e76d0ba0ac868f5a66eb255709f6
SHA512: dfe5dc6953814434ded3b30bc05b99fb56637d29a4730e97a45f6a1fbd1bac9c56197933a84cbcab73afb49d7a028b950a4a097cbda57c3b280f5fb286cb3e23
SSDEEP: 24576:UOrjyZRWrfNP66p5SMnBMZRNheAJ1bSS5CSwhCmvGOKdhncc3QfA+:UnvWZPDp5b+Z3hfNjwhL5kccf+
Static task: static1
Behavioral task: behavioral1
Sample: e5dfd1803ad1d6b8a4575950264620c15681a88e18fc17bb0164a284d2ee7ce3.exe
Resource: win7-20230831-en
Malware Config
Extracted: redline
gruha
77.91.124.55:19071
auth_value: 2f4cf2e668a540e64775b27535cc6892
Extracted: amadey
3.89
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
install_dir: fefffe8cea
install_file: explonde.exe
strings_key: 916aae73606d7a9e02a1d3b47c199688
Targets
Target: e5dfd1803ad1d6b8a4575950264620c15681a88e18fc17bb0164a284d2ee7ce3
Size: 1.3MB
MD5: 2395508e36fc4e464e4d58eb4f47fee7
SHA1: 5f262052c8770a555399d3e7bbe920469ad75850
SHA256: e5dfd1803ad1d6b8a4575950264620c15681a88e18fc17bb0164a284d2ee7ce3
SHA512: 2302488a1a3059a59b54c957189e45abea4207ce2e803259ca675c4b7b3650d9a5b2eda10b712d5ca248ff1195d8069fc34528fb67007230012fdacfa3ace943
SSDEEP: 24576:QyZgMP6up5iM/nMZRNhsAJaGSS5Mamg007bjccrm/L:X7PZp5TMZ3hlaUMjg0Mcc4
- Detect Mystic stealer payload
- Detects Healer, an antivirus disabler dropper
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)