General
-
Target
red1.zip
-
Size
10.2MB
-
Sample
240513-l1r4kahd4v
-
MD5
b44ee27734b455367ef50d17f9feb4a4
-
SHA1
5765049c82a2070cca5c66626bf9a9a0aaef2fd6
-
SHA256
b20d3b5caab986390a57d9b858c330d6fa12fa368809dfc94b90991735dc89d1
-
SHA512
404d56ad2e05bf0eb9268520feb602d8ab40c107a342d12fd52e55ed4e5d868a392339e03dadf67c920ea2689218ceb35d67a974aea0eef8339d70e1f59f6db9
-
SSDEEP
196608:o1C9L5rYNgcg6vSlQDGLKuqrJWMBXReg1ut6YLnbEgN0GU4NfelS:o1K2CcfvSlQDGHgoMBheULawg2kfl
Malware Config
Extracted
redline
7001210066
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
debro
185.161.248.75:4132
-
auth_value
18c2c191aebfde5d1787ec8d805a01a8
Extracted
lumma
https://zippyfinickysofwps.shop/api
https://acceptabledcooeprs.shop/api
https://obsceneclassyjuwks.shop/api
https://miniaturefinerninewjs.shop/api
https://plaintediousidowsko.shop/api
https://sweetsquarediaslw.shop/api
https://holicisticscrarws.shop/api
https://boredimperissvieos.shop/api
https://smallelementyjdui.shop/api
https://sofaprivateawarderysj.shop/api
https://lineagelasserytailsd.shop/api
https://tendencyportionjsuk.shop/api
https://headraisepresidensu.shop/api
https://appetitesallooonsj.shop/api
https://minorittyeffeoos.shop/api
https://prideconstituiiosjk.shop/api
Extracted
redline
5728088920
https://pastebin.com/raw/NgsUAPya
Extracted
redline
mixa
185.161.248.75:4132
-
auth_value
9d14534b25ac495ab25b59800acf3bb2
Targets
-
-
Target
07ebb70eb02d84c732bd46e5b46e84abf9aa23a5b1f307bbd9247381b0bd075f
-
Size
389KB
-
MD5
ece85f1fc696b53bd985cce25c940840
-
SHA1
0634870a3264efb14a8f04218b0d8e669e7f7e00
-
SHA256
07ebb70eb02d84c732bd46e5b46e84abf9aa23a5b1f307bbd9247381b0bd075f
-
SHA512
eb463097b480cb525cecef853fa88ad89d4c4510ee1b2b51144168ebe984d2e45413df1e445ed64a7c32a2808f7649ce2ab4d35938ddf9f5658b67dc443ab542
-
SSDEEP
6144:TCUNxCcCs9IJe74/RY7HXpGscui/AeZTbKA6WYtK4K+l3jrNBh9Vespl:TLx99v7xzXpGscu8ZPAK+lTrcspl
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca
-
Size
3.2MB
-
MD5
ebae2001c178349478be67bcab2f95e3
-
SHA1
53f98b5a0e55f4fea161e69ef617e6225270914b
-
SHA256
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca
-
SHA512
c8f48338abb5e7c95dc316cc25352286344fa297cfc507328379f23fc819c47490bbb529ba5854a6ccd99c8345c773d8800dfed48ce914754464d2ad13adc378
-
SSDEEP
98304:PeI0efBuRWQ88ctBoLsh/Q7G9ao7cwdizRS:PeIdBuT8bthSG0oc
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Detected potential entity reuse from brand paypal.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
0fbb8ff4cb39375b064e85f8aef7950a25795f035ac41fb2e1af59b5bf042d49
-
Size
488KB
-
MD5
f237dee40ba985649f8a1e58c274d61a
-
SHA1
e5b2c7cb39a46dfa76a753e1bcd4f54a5778f3e9
-
SHA256
0fbb8ff4cb39375b064e85f8aef7950a25795f035ac41fb2e1af59b5bf042d49
-
SHA512
3ffdf0bfbcf9b606ad90e8fbb3129eb510cd91bdc54a41e3ea8aa1378a6a0aa033282223aec6924739d9ec1df4396f51e9eb42926ae9829f459f3240038671a1
-
SSDEEP
6144:KTy+bnr+Sp0yN90QEZnSB+ubeqXjtm1skdmVzgbIuWyYeAqxu2KcJGAW2Mj:lMr+y90zvubeCKIuWyYeL8hc8AW2Mj
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
108e20eafa34f2b549a14e6780b7a0479474d59c97c41c728d0a2d851e0fd1c7
-
Size
1011KB
-
MD5
ecfa7da7abe27005f4cada27871853b6
-
SHA1
cefaa979c2d77e42455a1a148e6422b9b827a269
-
SHA256
108e20eafa34f2b549a14e6780b7a0479474d59c97c41c728d0a2d851e0fd1c7
-
SHA512
bf7a8988dc1ec2bb874131842dd06855e39c4a33e6ecc6a44d19e0d5a3c544989af975636b9a4ae306cf61b6677addf236da9fb108c523d2721a0842d1cc4085
-
SSDEEP
12288:S3A133xtXpwiTveEutKZoSeHfXhgD8w/i+5sVuMsM9bmB7DZuQc9XXZOs/d:Sm3GiTveEutLSeHfXy3/kIMsM9bWDjs
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
1522207077e3aee47dc9624ce4766267091ae87f7e349887943791322b38480f
-
Size
316KB
-
MD5
4f8d4db03ff7302c8233cbccf51b9e7a
-
SHA1
91379a4e8eb9b75379b3c924e1b5b95ed60bf66b
-
SHA256
1522207077e3aee47dc9624ce4766267091ae87f7e349887943791322b38480f
-
SHA512
7d60af1999d078ac0060380b570c03e8f7c665b5ef9de52af88d85aabf8d593c608709d696e627e4ef4edc7c53c0ba9d95029d2ddad2f6bfb0cb7c3c15e56d3f
-
SSDEEP
6144:KRy+bnr+Vp0yN90QEW96G62nMR71s9dmVzgbITrydeAqe:HMr1y90ug2MRvKITrydeLe
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
23fcf9bc69ee1c0d5089103821b4a531b975fae897eba7a91861452d69803225
-
Size
316KB
-
MD5
f712934f99fbfc9b1ff2398abc331fbd
-
SHA1
8efdec052dddd0cda493feb71e6e19699b29cdd4
-
SHA256
23fcf9bc69ee1c0d5089103821b4a531b975fae897eba7a91861452d69803225
-
SHA512
fd5e93f020a606ead8f3d667fdc68caf87250839b494e0e1055894d13d0fe0e4b413af2a6b42fc741d95794e3d0dcbfc2ee93d7925ee457cdc3f771b768390ab
-
SSDEEP
6144:Kyy+bnr+Cp0yN90QE46vZrMgXGma0+qSNF1li6HpvZ7W:KMr+y90KmNRGfNHpQ
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
2ca913545183cade199d442f191ec899bc998b01a3aac8ad506c95f995b6a423
-
Size
297KB
-
MD5
f541756a13e547cbe70109b2209d77a2
-
SHA1
00cdd1b1fcc6d76d665d6e7ef445caa9ba93676b
-
SHA256
2ca913545183cade199d442f191ec899bc998b01a3aac8ad506c95f995b6a423
-
SHA512
31affc158042c2081fff2abdca584555076fcb8ab3e1586f13d7541cbbeb4c50c513624871194d72778380c376d98618f79c281995a8bec9d0ecde44ece73b99
-
SSDEEP
6144:gk87zE8yF+JnF/1VVWNx0X0ok+IReDCUexHO5o7eWsMaWvCoCe:J87zE5iaN0052CUSQojsFoCe
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
42f53acaac143c0dc23d3b1f603e96b42301e6fe138cc5cbee3f2db8f619ba33
-
Size
316KB
-
MD5
f4ab419fe0ec588cd73be7d2453fd89f
-
SHA1
d16b306445962fa9457bac9871813321fd43d0cc
-
SHA256
42f53acaac143c0dc23d3b1f603e96b42301e6fe138cc5cbee3f2db8f619ba33
-
SHA512
85b8e503ad455cc21cbf225f3b15e8596b1718068a902c7250761697f215eee8447196b6ad5a719c3957e461ad8e8ca5b416f94491f318bd82121b6c3313c64d
-
SSDEEP
6144:Kny+bnr+tp0yN90QEn6vZrMgX3eYK41E8OBURKaJ+c:ZMrly909mN3rKWOmEakc
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
45af188d235d1046544f5d37f950851a088373ba96053250f62b51f24faf22c0
-
Size
488KB
-
MD5
e7d13d29726acf30c95c3713ce4b304b
-
SHA1
7a072a9638ba547e25d80cc4984c436b60cd1179
-
SHA256
45af188d235d1046544f5d37f950851a088373ba96053250f62b51f24faf22c0
-
SHA512
4966540b0a8f23be47bf6f57067eed271f95b17ae6a85e007f020eae286e2e0c1bd66a8e3f28e575abe2054a654f6ddae4c2985be414a4419ed8ef347e20c530
-
SSDEEP
12288:fMrmy902pcCuYEm/7HyjkjzKlO8eaxOTuKob:FytEcjx8eaxOTunb
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
82fa18f52c10283bc449dce7ab0c71346c6fdc17c9fa67f8c63939216010d632
-
Size
1.2MB
-
MD5
eb1ad5019026c8dfef57d1d4df7c3e40
-
SHA1
4dc7dbebf103ed649d22cd46dbd06dd15a639d41
-
SHA256
82fa18f52c10283bc449dce7ab0c71346c6fdc17c9fa67f8c63939216010d632
-
SHA512
df2296e3ebf3ce50c073edbc5e7aea6319fc08843bf23805ec83503f808b7bd50b931559360c45711b1dfb3725900c4f174a2745ea8c1e727ba62e634971268d
-
SSDEEP
24576:/uBSiJH28+VLmn1zWVbGRMs2OpZDkePyMftUs:/u0PVLmn1zWIFIePyctUs
Score10/10-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
8672d19897720829ca8e3d11e92f295b615d0fb57d0ae1c17f1358f55bcdc74f
-
Size
762KB
-
MD5
56b4ec09b7959eab1c27ee19fc26f92e
-
SHA1
ec6547336820cd65aa0b5122b46dd154f7235c48
-
SHA256
8672d19897720829ca8e3d11e92f295b615d0fb57d0ae1c17f1358f55bcdc74f
-
SHA512
c037beb0258697df44828b0902ba5d054160aa8e8a5877c7d151d11614a0bb81af284a223985c367d2978142a80e604efc21bf02730451c5ad36d0f0a4597508
-
SSDEEP
12288:HMr6y90cYfR5WWXXxFeVB5U5MZOVQTsX1YKFcL9B0Pf/aG9fn0Ev5:JytYffPXr5ATsELb0PT1n0Ev5
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
8ceedf9abd5ab64ee87ff77e364bebcf1f92bae8cce4dbdd5e39e548446350f7
-
Size
488KB
-
MD5
ea9ad66163324caac677bb341af1f84d
-
SHA1
8ffd94daefcf4655099184472faeb1e187b60852
-
SHA256
8ceedf9abd5ab64ee87ff77e364bebcf1f92bae8cce4dbdd5e39e548446350f7
-
SHA512
f04d33d8aa67538399cc33e0ac3afa337fb216e3d69f575fe154456e787d24d1a21d97a3e5b9a3f2ba0b08107c5484aa1b19c334c139e635a83c7de83879d701
-
SSDEEP
12288:bMrNy90rEAlHO0RFsfSMSkKKjpboG1eTeF/S8PqWr5M6Vo:Oy9iHODQkK+bDqIh+9
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
99cc81196caa729f2e35b124dfb021fe9203a2023c94b1fb01a466af49ced615
-
Size
527KB
-
MD5
f2ff32554f5ad69b9a760ebb447eee5e
-
SHA1
8e73076cab6776ced34defffbdcc98a4882a966f
-
SHA256
99cc81196caa729f2e35b124dfb021fe9203a2023c94b1fb01a466af49ced615
-
SHA512
c3e4fcbe3c44968e5dab8d3888defd321579282cac09d4782a283e138707bac8266019008cc17401a510c92203b29ebfdc6228737e4cdcfce5aea2783642e4a7
-
SSDEEP
12288:HZIeZiEvQJt6ygClo+PceAj4gVLxN8u/AwxcLtap90Xp:HZIgvQdUGS8u4gsapu
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
-
Size
1.2MB
-
MD5
56e7d98642cfc9ec438b59022c2d58d7
-
SHA1
26526f702e584d8c8b629b2db5d282c2125665d7
-
SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
-
SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
SSDEEP
24576:7JXyijJIK8li6v93OhJjuMsYqRwDMIYonUbWkR5mPtIs:7Jixli6v93OreuIFRwPKs
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e
-
Size
488KB
-
MD5
f5127b719ba22e54d6bcf513f4cbe0d7
-
SHA1
a353c309287004081e231952b8c022fcfd97f156
-
SHA256
c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e
-
SHA512
2c13e2921750cbe16b12165464c42055cf3212635f242299b7b4e95774d294b058ebaba9fe53ed23755d88ade74af5e39e5ca9f22c456263071996f271628e7e
-
SSDEEP
12288:MMrAy90NvJh+0ie0+oyxA/gQTxeEYdlF69CSrV:EyQj+U0+1xA/9TYEQF69ZV
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0
-
Size
488KB
-
MD5
f43eefd57a11c5a5596c3eefb9898432
-
SHA1
0af5c7a3ba4038a905aa626808bfa60fc3ec11de
-
SHA256
f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0
-
SHA512
d458d3dc0c997f929c5b26f34f9a2ca5df0996aec6ccf907819f711d65d747433bfbe7f0d52b59a0562b528008b2e92c32b3e84ea05471bc53519cc1de158957
-
SSDEEP
6144:KVy+bnr+sp0yN90QEBSK3101Hn8GH7dyN4Xa6yVrJCae0Kb1E8OB/QKaJlo6LVtC:DMr8y90DSaY8i7MxVwazKlOZLa8CDAj
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
fc29a80a1c0ea6d57ecb3f789dcbe2b8e849edb11597f13dbeea0b0dedb5237d
-
Size
316KB
-
MD5
ef6416e3172e673b5ada872fbed25045
-
SHA1
699e786014ee414bc2ba9eb3c8018c3374765a61
-
SHA256
fc29a80a1c0ea6d57ecb3f789dcbe2b8e849edb11597f13dbeea0b0dedb5237d
-
SHA512
c283fd9662e708d16561fc81193104d8cc90635661d9126c66269ae9f17c964aaa872c01082a70f35416fdf565a8a8b404bc0e037240918c5a8f6fbcd952db9b
-
SSDEEP
6144:KPy+bnr+vp0yN90QEC96G62nMJWeNy2DrsdeVjoLZu:ZMrDy90Cg2MN9DrsdepOu
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
fdc14a13fe0a1c3e8b74ad9d3c308ec1c42b514df6637d61f31610c48b9cd56d
-
Size
1.2MB
-
MD5
57e585df196760d720f0dee48839162f
-
SHA1
ffe95ea6f4b0826aab2f00520ad52194c169558d
-
SHA256
fdc14a13fe0a1c3e8b74ad9d3c308ec1c42b514df6637d61f31610c48b9cd56d
-
SHA512
97dc9ad30372dedeb4a8ae09ae0e5aeabe84045f5b4882bb2bda85cc2d46b578d55fc6b17805d623c16685f635fb5588b9fd55088bd1be0b52be28a8b175e48e
-
SSDEEP
24576:yI4XiLBgywllmrXX0S9LZMs0nxdTDlfJnDQ84Ps:yIOVllmrXX0ue/TnU84Ps
Score1/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
1