General
- Target: ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db.exe
- Size: 4.9MB
- Sample: 240325-c3cbfsgg6z
- MD5: 50d55c187abcd975629a918970b0a2f1
- SHA1: 2c248c8f093561cc2318179ea1179fd5b172e6be
- SHA256: ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db
- SHA512: 9a4ff95a3a2fd2b4dbeb98c7d1061d1991be5868093f3095e29ee3db8369b41e507d8d0f6bd85b77619431f60cc5532fc6a7a59612a6b30583194c07adee1d5b
- SSDEEP: 98304:9ayPd4hW/JfMkTQmWPKql6M96BRqchrx91hDORM7seCKaZSwWyQ+kivmjw38:9FJRkm6Kql6MMBRqchrx9ktBZ78jwM
Static task
- static1

Behavioral task
- behavioral1
  - Sample: ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db.exe
  - Resource: win7-20240221-en

Behavioral task
- behavioral2
  - Sample: ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db.exe
  - Resource: win10v2004-20231215-en
Malware Config

Extracted: amadey 4.18
- install_dir: 154561dcbf
- install_file: Dctooux.exe
- strings_key: 2cd47fa043c815e1a033c67832f3c6a5
- url_paths: /j4Fvskd3/index.php

Extracted: amadey 4.18
- strings_key: 2cd47fa043c815e1a033c67832f3c6a5
- url_paths: /j4Fvskd3/index.php

Extracted: redline
- LogsDiller Cloud (Telegram: @logsdillabot)
- 5.42.65.68:29093
Targets

Target: ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db.exe
- Size: 4.9MB
- MD5: 50d55c187abcd975629a918970b0a2f1
- SHA1: 2c248c8f093561cc2318179ea1179fd5b172e6be
- SHA256: ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db
- SHA512: 9a4ff95a3a2fd2b4dbeb98c7d1061d1991be5868093f3095e29ee3db8369b41e507d8d0f6bd85b77619431f60cc5532fc6a7a59612a6b30583194c07adee1d5b
- SSDEEP: 98304:9ayPd4hW/JfMkTQmWPKql6M96BRqchrx91hDORM7seCKaZSwWyQ+kivmjw38:9FJRkm6Kql6MMBRqchrx9ktBZ78jwM

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Detects executables packed with unregistered version of .NET Reactor
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext