General
-
Target
2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe
-
Size
402KB
-
Sample
240511-bkf19afc92
-
MD5
f02798ba573318a4ba1bb6e39c45ad5c
-
SHA1
9b81fd616e27b9aeca4a5a42775df026da28f557
-
SHA256
2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826
-
SHA512
de15b3b67063359bad041e87e1f16029775ca16d2199b2284f3b3039c11f704f208fc994f1383aa7704a7c01544e87aba7c796c407c40c8281ebd607212f2385
-
SSDEEP
6144:dzOa82gO92tYhBOl+vCit0Y0d0ggOl3yinIvSC9dRuJSo+2Aymo/un7pespk:daaR9wYhYiCDQKIvZ1uJSo+jjoS8spk
Static task
static1
Behavioral task
behavioral1
Sample
2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.77:6541
Targets
-
-
Target
2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe
-
Size
402KB
-
MD5
f02798ba573318a4ba1bb6e39c45ad5c
-
SHA1
9b81fd616e27b9aeca4a5a42775df026da28f557
-
SHA256
2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826
-
SHA512
de15b3b67063359bad041e87e1f16029775ca16d2199b2284f3b3039c11f704f208fc994f1383aa7704a7c01544e87aba7c796c407c40c8281ebd607212f2385
-
SSDEEP
6144:dzOa82gO92tYhBOl+vCit0Y0d0ggOl3yinIvSC9dRuJSo+2Aymo/un7pespk:daaR9wYhYiCDQKIvZ1uJSo+jjoS8spk
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
UPX dump on OEP (original entry point)
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-