General
-
Target
red.zip
-
Size
57.0MB
-
Sample
240513-mze82scb25
-
MD5
56c4888676cddb763e7702c4ea619e45
-
SHA1
4732ccb7767a70bba6feb845ad389bb28daac392
-
SHA256
e7f6f5bdc43ac7d3592abd41c145023459c70f3386ead747bf12a8d4eef69995
-
SHA512
e17b196a209182c4d70e04124525686ffcc2bb89bdc7416989d7170cfadbd845abc47556f17163c1fc38f735572ff062c73bbcfa10a9232f650b914752336f06
-
SSDEEP
1572864:AbT2gJol5kjVEtpaxs2kwji1p/y+9aOg8hW:A/3Jol5knkUi1pnFg8hW
Malware Config
Extracted
risepro
194.49.94.152
Extracted
redline
debro
185.161.248.75:4132
-
auth_value
18c2c191aebfde5d1787ec8d805a01a8
Extracted
lumma
https://acceptabledcooeprs.shop/api
https://obsceneclassyjuwks.shop/api
https://zippyfinickysofwps.shop/api
https://miniaturefinerninewjs.shop/api
https://plaintediousidowsko.shop/api
https://sweetsquarediaslw.shop/api
https://holicisticscrarws.shop/api
https://boredimperissvieos.shop/api
Extracted
redline
mixa
185.161.248.75:4132
-
auth_value
9d14534b25ac495ab25b59800acf3bb2
Extracted
redline
@qwerabuse
45.15.156.167:80
Extracted
redline
7001210066
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
5345987420
https://pastebin.com/raw/NgsUAPya
Targets
-
-
Target
0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535
-
Size
1.6MB
-
MD5
db49775df584d04028c83082753a41e4
-
SHA1
4c5e66c25845497bbc4181dd5e601cf49ae54830
-
SHA256
0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535
-
SHA512
93ddb8d4f97263fc55df13832695ba63692016c840db1bdd629aa0f463e46c97bbf88cdc471423875c87956ffa2b66d6653474970123822e4515f182ff586eaf
-
SSDEEP
49152:9MsyWtfsl+3i5O5xzr6W/RFze49CMU1b:Os7m030k1lz//2
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
149cd41e04afd54119c40358aa55b0d0de72a8c1e612ff1d1d4d79ab20ba8a01
-
Size
488KB
-
MD5
d2baad5181035b853d37213e96ab5cb0
-
SHA1
ea7d2a47054b24b4c3f9569f6440e241448696c2
-
SHA256
149cd41e04afd54119c40358aa55b0d0de72a8c1e612ff1d1d4d79ab20ba8a01
-
SHA512
074df38a24e951caa6f69cda76683bcd9058e0ff87406a96f8d18a95998484a55e3401f89c59f28ffe029fcf581f028e40da8cf0d24deef53b1662539df3e291
-
SSDEEP
12288:CMrOy90tPjCZopOsfm8DfbuusCN3Tv1lpqokW4md:Yy1A+8DdsCR1/FkW4c
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
224cc5582a9ac886fdd93fbf84f5c94ce0cbf206de2d7defc6c50dc8e03974c7
-
Size
488KB
-
MD5
c970c0f3c54d3b026f962562c9c31562
-
SHA1
2726deeff32a0c3d297d80e27f0f2bb9347ed051
-
SHA256
224cc5582a9ac886fdd93fbf84f5c94ce0cbf206de2d7defc6c50dc8e03974c7
-
SHA512
fe5098ddd3804fae377bfefc852ee66d9d478854daec8d40547ce1f5b6dcb76db5d83e2d24902a7a63e034f6ede8f2fd37106adc77cdabdc73419de893012395
-
SSDEEP
12288:JMr7y90GoBdBgIjV9jZIHS494fEgp7IMwbj/8ymW:CyOBdJV9ji8fL7IMMj/8ymW
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026
-
Size
316KB
-
MD5
882d286f0c6f245572eb0481657d90db
-
SHA1
21e9879f7ccd03b084bf8376a7facdfb03ee1040
-
SHA256
2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026
-
SHA512
d4936c477106ed874097dac7c040bf8db82fe942771c654c30d7d6e427588bf5eb1c0d00db75c03c588de20477db426d3651deb8776f30a5176f46238bf702e0
-
SSDEEP
6144:Koy+bnr+jp0yN90QEq6vZrMgX3eYK41E8OBURKaJCd:wMr3y90YmN3rKWOmEawd
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
24bb66f25f5846f5ea1f67380d2e9e03d5b0407a21b48ff5b74ad88f86154c0a
-
Size
208KB
-
MD5
cafa54d0f7116e1325925205a0e8229a
-
SHA1
a698fb6c82c6d3e2e015eddff0daf5be03387c08
-
SHA256
24bb66f25f5846f5ea1f67380d2e9e03d5b0407a21b48ff5b74ad88f86154c0a
-
SHA512
4d0807a5e5b7bbfe5efdb1ad0bb62f1fe207f6e588f2647bd762bf6e4e06966e483cc8ea193f6e9d5ab20cbbba5ab247544e92d52afe346c391c172cfa09bfe7
-
SSDEEP
6144:3FbbHh7i9t/DXyR3T7SmHPIl09jkugp+spq:3JbA9JDCR02g8spq
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
3ec1481872e34c0f6b2c41f3f178fb42c073b52fa885bcf975535f131944bbd9
-
Size
488KB
-
MD5
ce979609d69a348ac7a39b4abef5c446
-
SHA1
95baefc94c34cfc8fc3e7d02b1bb12a23cf95b8a
-
SHA256
3ec1481872e34c0f6b2c41f3f178fb42c073b52fa885bcf975535f131944bbd9
-
SHA512
82e639fc3c48584ebda03c2974a1a6fdc7415eb0547733dff9a682ac199927b095f755e7f407c3a9f9ccaf0aad678104d84d4233750c72daeccca552e6f9c42e
-
SSDEEP
12288:QMrjy900RuFvquqgly2mPzKlOUaaA9qiTGAb0XL:jyHu9qXXUaaAJb0b
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
44efe38f040788ef3e091f6ec5536329a08a93f3ae01120fb17d29059c0d6d65
-
Size
316KB
-
MD5
dc31d2f5d82b0fc86ae383a9ea97b1c7
-
SHA1
6b33c2cf7e9b8e8646eaa1af1ee475638e327a11
-
SHA256
44efe38f040788ef3e091f6ec5536329a08a93f3ae01120fb17d29059c0d6d65
-
SHA512
e4a340379a3bd38789d5049a35988726e28d5a2e888a1b36e57d4071b54958c506175f349f63417e14406ef3d1c4b452b0aee15f5aa9762858a8715c2e5b20fb
-
SSDEEP
6144:KQy+bnr+5p0yN90QEw96G62nM3TdEeTdLHAQnIu5/EO:cMrRy90kg2MREeTey/58O
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
58538be19fa40ec83a9d96c6576c8198302e1cf5f48359fca0b7b25ac749fbb1
-
Size
316KB
-
MD5
86da2c21503fddafa0b106963f6d1791
-
SHA1
d7eed4ba91e50833b01611ae8a8dd088cd086e75
-
SHA256
58538be19fa40ec83a9d96c6576c8198302e1cf5f48359fca0b7b25ac749fbb1
-
SHA512
63d744a515c7643cb3db897d8b83cdfb3fd591d0bcf9c4511344fb7c808caf7ad101cea2cd2a00f02fa87b5d23c7556f52591561d7414c4f320f1a98811f879f
-
SSDEEP
6144:KXy+bnr+Rp0yN90QEf6vZrMgX3eYK41E8OBURKaJy:VMrZy90NmN3rKWOmEaU
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
585b7ec0bc0b3b0cdd09aa45f34f46984cc2526cb60f30f17ae1ee481c5af417
-
Size
316KB
-
MD5
86a80836219856467f3d6c6306a78d01
-
SHA1
ba5efffffe7a8475e307c94f5e2ad8376fa03fea
-
SHA256
585b7ec0bc0b3b0cdd09aa45f34f46984cc2526cb60f30f17ae1ee481c5af417
-
SHA512
98863826016da09cf9057ec859f8ac328183944dd7b84d2c8f7f2b54349af58162db512e68a92cd7eb9aceb9ad374213c477af014d694319ff7eb9e4019670c2
-
SSDEEP
6144:KIy+bnr+Tp0yN90QEI96G62nMwGk4BbSwO3gxCjTBlWX1BLmKRKPK:IMrHy90Qg2MwWSwyTmX1YKYK
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
5f9071e3a804db19f6735c85278679cdd55ce6627ce4e4df6fcea01101c0ec93
-
Size
532KB
-
MD5
e2ac1d989fcd2b35d3a67d185bb23f83
-
SHA1
5343377d6cf33facba30cc5a133fd5051f991ddd
-
SHA256
5f9071e3a804db19f6735c85278679cdd55ce6627ce4e4df6fcea01101c0ec93
-
SHA512
971d3848b7fa092631fe250d7b611d6ea567559759e048693a50f9aa9237741a1f10b8423c58db3a2dd2e1d8b5847ab808c6fa77928e0a70bf1bf21746d1ce92
-
SSDEEP
12288:xx0qyLsLsDEGIyg2X9MyvZCm19ptkx88dFo7gEifr0Xp:xx0yLs/McZCmL7gEiQ
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
628eb5e58da922f1ec2c7e11dcd4c6cabba8c691205bf118898876a7c1231c90
-
Size
488KB
-
MD5
ce17138e84e3d3fb7fc10266b95ee07f
-
SHA1
a89d73b42ad44a70c349dead2f0ad47043a75266
-
SHA256
628eb5e58da922f1ec2c7e11dcd4c6cabba8c691205bf118898876a7c1231c90
-
SHA512
08c4e34ed1059ae3c8909ad4eff1f642c02c75181d49fc10a8f3485df3eb721ad128599d2edf4ddcd3310d1b0f1a4e6cd656af55152e8cb0238d03918eeb4f0c
-
SSDEEP
6144:KNy+bnr+ap0yN90QEoR2wkWcnZNDQR5T0FONdpmOQN/5WjWYNiPma0AqSeF16iXo:/MrOy90C4ZFOpmvsVx4feDpVNnJA2Di
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df
-
Size
308KB
-
MD5
d5f61fc6a8c52e0a93619aa88abf0823
-
SHA1
e8ab904b74f798424102a1739f810f09f1987d60
-
SHA256
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df
-
SHA512
3b5a5f2a02c8788cb4e7245073766e30d3bbb4cb635ae648502d80ceed32a876b0103bc90ecc4fb1749f84d354cc3ba91034aad95f3fd1ea82fe12eca0b6b85f
-
SSDEEP
6144:K0y+bnr+jp0yN90QE3lEY+zbPsn4Jkb2LPrKRc57uiL4P7:MMrby901b+zYebLPrKG5fL8
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
77b8709187b6802be16e005b1139331349304c04ecd4e741e8609229f0134806
-
Size
1.2MB
-
MD5
d1e1389d7394ab7fd98f90373af3c315
-
SHA1
b64dc6b0be03d27fc358ce333fbdf56eab28447b
-
SHA256
77b8709187b6802be16e005b1139331349304c04ecd4e741e8609229f0134806
-
SHA512
0399874bcd6c22dbc7813a0284bed230d3c9bf6100e47b3674d4e623608da032b2583c78e0292b7d5344e0d0841074d69f55a1682946fa04b164ef944c6bde9f
-
SSDEEP
24576:jqhdhAS3onZANlQWEwhv8Pu7CRydP3B0IyIV62:jgponZANlQWEwSyCRydP3qI1V62
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of SetThreadContext
-
-
-
Target
80a61aa8cf25695a9f716e44c730ff90e095337b215aae6d732cf04f807bf34c
-
Size
43.5MB
-
MD5
dd3a6450fa298cdb5971a66bf60f9e4d
-
SHA1
533a8b5ba8380e7d849382dd6b6e35385aff9d80
-
SHA256
80a61aa8cf25695a9f716e44c730ff90e095337b215aae6d732cf04f807bf34c
-
SHA512
2dac5dc47d70cb4044b985b02c39bcfc726d4befe349d5b5a62e54d01c222be9463adb9dd868ca81023a899a4e6926cb08b24ccf41ec9568c516c68949cfafc0
-
SSDEEP
786432:CVTtG42LQOiWTx/iNFcFXBHx+rEpTyfgcRMQS7bYC/vswAdlk1MUO8:CPGFM0RwcFXBHx+wgGV4ydAdxUh
Score1/10 -
-
-
Target
94a701520b1541ce168a4e497a826d85bec77dc049bdd7de9e4665fd8ccb7fa3
-
Size
316KB
-
MD5
d471076bfb9f30f64ac99bfe96c6ced7
-
SHA1
e89e8ccc76693986411584e5195ddfe6ad8fb5e7
-
SHA256
94a701520b1541ce168a4e497a826d85bec77dc049bdd7de9e4665fd8ccb7fa3
-
SHA512
5262eaf6b6b5634ebd1a397b4f5256c48fc875292cb0d0784bad47fdf76676e4c3881441f9dd998203c133d970aae8738ad4663fc0f54be2258595fc25bf3066
-
SSDEEP
6144:K/y+bnr+tp0yN90QE56vZrMgX3eYK41E8OBURKaJOf:BMrdy90/mN3rKWOmEaMf
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
a28e9417b361c758d0b891938a206a546508d3343b8205873f07d50ee02a0b3c
-
Size
769KB
-
MD5
8732cc39ea99d0615df368eaa4c20abc
-
SHA1
4141a2bf5cff04f0362e8b3ba852048bd27b793d
-
SHA256
a28e9417b361c758d0b891938a206a546508d3343b8205873f07d50ee02a0b3c
-
SHA512
c4548dafe3362f9ae224fc9c7f70f344d1fd965fd38ac69cf274e0fc230543f4468cd016ecf6c610c8bacf5f730c3c0200d04d5c84eb11fc9a2abbd2d7f11328
-
SSDEEP
12288:hMruy90qIRYa76rKOTZCfFruHWUXstomukpf7YXch7QSqTkE/8lroHl:XydicKQZCFigam9fMsh7oAMAoHl
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439
-
Size
315KB
-
MD5
cdff25efc7f7e69dc426b36f31b873ed
-
SHA1
339a84e0af5d6442c2b11eea5f802635cbc0c776
-
SHA256
d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439
-
SHA512
f1ca99cbe6e504d5e695ccb31dafc3b8b4e01faaed77d3058163011add4a47159ba4629e98b422145cefbea0dc07216e5c36837545911f800378f636bf700fa3
-
SSDEEP
6144:aH9pI60nbM8uPZy3+8KIDwZuNVXSZmn3qPOYTn/MHBXHS:e9+60nbnujZaMY6pjGHS
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
f02b51da6b6ee268ba4e404af6561d6ba14b5517acb7a394deaeebb29740329b
-
Size
488KB
-
MD5
891f6632cb79d1a9f0c188bb814ddf7d
-
SHA1
4997b9b5b1a5e6deeab98e624c86e3b3169a14f8
-
SHA256
f02b51da6b6ee268ba4e404af6561d6ba14b5517acb7a394deaeebb29740329b
-
SHA512
dbc5639275d774c895a31d6426755931e5d7adb3ba53a0a443c4688f80bd74b1ef772697c0e5234aafea1f57658a1bcb850c4f4273990de5e575189cc0df959d
-
SSDEEP
12288:6MrXy90wdCHRMJriKLzKlOkuagW50P60q:RybdCx0riKnkuagL69
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
f358ce518b566bea6bdd08924ef70ab740c7135042e1d38e8776afca44f4c2e2
-
Size
6.1MB
-
MD5
dff304091a81ae5204d3c2d959b8b919
-
SHA1
46a965af549abd1cd9a5f5dc10ac3775e6e1f7d4
-
SHA256
f358ce518b566bea6bdd08924ef70ab740c7135042e1d38e8776afca44f4c2e2
-
SHA512
0a1b7e83c5db4f3ab567c79f3654698543d2055b1ab296632fd30711f44315024b15b9c19b22162a6c6072118eac7e8506660ee4141bafbd5cc6f980082aaa25
-
SSDEEP
98304:Ve166GzhKA37Mpd/LYMbK7JOa9WJDOAR598zW5E7Zpshx+gsV5GQrTIrmp0dFyo:Ve1szhv3SOM0J19Em9UYgsfPvIrmHD
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Detected potential entity reuse from brand paypal.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1