General
-
Target
red1.zip
-
Size
36.5MB
-
Sample
240513-nytkqaea77
-
MD5
249475b7d7b4ba7b956368fb15c58df6
-
SHA1
e6f1949cfccfb779e5a30d30dd4e7d3288cf2858
-
SHA256
c65fbeeb19e8ffe3f794dd544812c9626bd23f5c3a685897307f43c45270786c
-
SHA512
a7c1bb0ed16f305d974afe5cd203107b659a95251090823406bd8eb1e49da05f64baaf4537244d31ea57dacd98df449a797a211c586baa12b741d3673d923bf9
-
SSDEEP
786432:WR64dLbRB3QsqCoLrmhLjB06S35kg6UKhqJHzk13EfEw/Oy:WRJP3+hmI3XK0JHgtEl/z
Malware Config
Extracted
redline
@txthead
94.156.8.193:34427
Extracted
redline
5345987420
https://pastebin.com/raw/NgsUAPya
Extracted
redline
7001210066
https://pastebin.com/raw/NgsUAPya
Extracted
redline
5637482599
https://pastebin.com/raw/NgsUAPya
Extracted
redline
5195552529
https://pastebin.com/raw/NgsUAPya
Extracted
lumma
https://sloganprogrevidefkso.shop/api
https://sofaprivateawarderysj.shop/api
https://lineagelasserytailsd.shop/api
https://tendencyportionjsuk.shop/api
https://headraisepresidensu.shop/api
https://appetitesallooonsj.shop/api
https://minorittyeffeoos.shop/api
https://prideconstituiiosjk.shop/api
https://smallelementyjdui.shop/api
https://acceptabledcooeprs.shop/api
https://obsceneclassyjuwks.shop/api
https://zippyfinickysofwps.shop/api
https://miniaturefinerninewjs.shop/api
https://plaintediousidowsko.shop/api
https://sweetsquarediaslw.shop/api
https://holicisticscrarws.shop/api
https://boredimperissvieos.shop/api
Extracted
redline
@gennadiy_mudazvonov1
82.115.223.236:26393
-
auth_value
6bda425a78ff4c6e5a0e1be9d395ecce
Extracted
redline
dimas
185.161.248.75:4132
-
auth_value
a5db9b1c53c704e612bccc93ccdb5539
Targets
-
-
Target
0de9ceb4a3f0c63cb68673edcd3c26b70ac2ec4f12d5cdf1d81db75f95ef3e69
-
Size
1.2MB
-
MD5
a80890a0807fe59ca7331d8bae6f3768
-
SHA1
30442aad7f7129a0e9b575830b41aca203bffda7
-
SHA256
0de9ceb4a3f0c63cb68673edcd3c26b70ac2ec4f12d5cdf1d81db75f95ef3e69
-
SHA512
edf4c982d544d391366813c9310aec05a7df6c40844e467756a98d0c19e9c33bdfbff8e5595334224bed9060691f2deb3daae48e0894808430d36e90c12a07cb
-
SSDEEP
24576:BJXCijJIK8li6v93OhhvTMsY5BeDnS/8At1s:BJSxli6v93O3iJvs
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
0e996fcc71a35f368ba66b5bcbbbd91872770dfbf086c97dd4f55f6a6a7d8df5
-
Size
306KB
-
MD5
261ee0f076bc6f7d37834fc4a3f4c21b
-
SHA1
46f6c26e73d8d1a98f0432566d3060f93ab7a7e8
-
SHA256
0e996fcc71a35f368ba66b5bcbbbd91872770dfbf086c97dd4f55f6a6a7d8df5
-
SHA512
560666a996fd57530ffdc0c9e3993978bf9875d0d0da25d6404ba262f3cce18fd4766b4202b752eb4a229846b1b6ab4473611ad41a181f80a05ac1639ba7367d
-
SSDEEP
6144:94Z19vSWh60RVAtljy114OfS0BP+DOba6pZEJyL98B:6Z6WhHO8BPeX6p2yL98B
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
2ab1df3f8fef1caee2ac62a5a72a677c82d0cc62b831066d9caa7cd26be2e26b
-
Size
1.2MB
-
MD5
f84173f34e2dde73b09e195674093006
-
SHA1
ac48cb5947b04688398d45f330497c2e2139e82b
-
SHA256
2ab1df3f8fef1caee2ac62a5a72a677c82d0cc62b831066d9caa7cd26be2e26b
-
SHA512
fee46161a9fbb2762feb9bef37ddfccf96a5de6f11f0113197ad5b13ab280c738a3ed000e655a6aec55a615c5f916d9c2b30d37de197aae2e5536f2ea6e02d58
-
SSDEEP
24576:ofRaixH28+VpdGfVDeJJmJMsGM5aDnLmXs7Ms:ofsnVpdGfVDe2PGyXsgs
Score10/10-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
2d7becaac8437a8c0258bb0f063a1a2af48f03d8a3322e7389e31d21b2350a2a
-
Size
875KB
-
MD5
a79bf80a36da2888a0165e642506d0e9
-
SHA1
b5666db7bfa8f68440a2c0839cb6aad12f6e3020
-
SHA256
2d7becaac8437a8c0258bb0f063a1a2af48f03d8a3322e7389e31d21b2350a2a
-
SHA512
895782db976539dfe02fbe0e703c8587c7200f14971e4dd4a9cf2d8073b9b1d2a5664ff9e79a43310a59fbac53d1a47102836866a278b3a13644f3da1c58f592
-
SSDEEP
12288:+MrOy901QayZqu/eRH9Wc5/dxPVQ6Yqha+jd1xDHT8/yJleErc2T:cy9ClH9P5fPVQ6YqZ5CyLeEf
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
50b189382de3005433c015bc4f22fa6a9cebf1525a24a8eeb6fb3cf59ad3489a
-
Size
208KB
-
MD5
aae5289f383018394df591dd8ae01237
-
SHA1
9e9761e8e61b59939019a14b7068bd0eb4f387a5
-
SHA256
50b189382de3005433c015bc4f22fa6a9cebf1525a24a8eeb6fb3cf59ad3489a
-
SHA512
32c248f1315b92b066fd764030db0d945dca282ca4b237959d607b04244eca88dd8cb482d32e804e3a220a40b5a7e77dbd4d964e94f87ed161bf82e7422e72b1
-
SSDEEP
6144:i6xIXRrm9NBJT8Si3Fjuk0bw6BE7Uowqyesp9:i8IU9+VjpPJsp9
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
57959e3af4c320aee2b25232e4f113ef2f450d94cb99bbef61b762a6a63ff2c6
-
Size
994KB
-
MD5
ebf683e56e67d4947a5ba992ed9d2f5a
-
SHA1
51fcc95229de29180b738f426951e85af42b041a
-
SHA256
57959e3af4c320aee2b25232e4f113ef2f450d94cb99bbef61b762a6a63ff2c6
-
SHA512
0d1955260f0a5c0a8baa232aeea2cc9492576e46de00122f31280ee115dfaa2084ae9e081138e59f9d4d2ff475ac4da0a45cdb2f8770072970808318581b73ff
-
SSDEEP
24576:6+KwiEu1zBt9qQ9fzrNXZMsCunBDwrqGYErtVs:6+/gt9qQ9fzFNie1es
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5
-
Size
332KB
-
MD5
2a84ac6a70bf18fce3d4af2b04356f16
-
SHA1
4a9d0508a54994bac1ab3543be1c19ca80db0d9a
-
SHA256
5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5
-
SHA512
554f6d13b08359b48fabedf051584c90975c1066c6dc01379f16ef360cb30bf11b13ca9a988242429a8bf7e3c25e7e405a18a5d2d844241f0850e49c7720d579
-
SSDEEP
6144:11Bwp/lwz9PI8/T6f5mUz7S3RMyghv1P9NKkY4WB4NSFUv1qcoH5+0Xp:1Pjz9PI8/Tzeyg91pY4WBJO1qcT0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
64b48352a0dd795ca6516c50657af217337775242d7cc7c6b88a2881a343a825
-
Size
976KB
-
MD5
ad83fba289a0c54dec833a0d5f52f097
-
SHA1
1293929940ff68b00adbc366558d2073697ab653
-
SHA256
64b48352a0dd795ca6516c50657af217337775242d7cc7c6b88a2881a343a825
-
SHA512
06eaa50634a1b6486373ae2cea2a16cb7a24d275559ac0536598f9618ab97a721ae6d42e97031ed3a61a5fcd5a01c69dcd37177fdbdbf1d17900792363368818
-
SSDEEP
12288:tDSmk3QSIvpbmlbqYfMG7k+ezHvyOWUtggrafGeZleuzYrx5dGsLQv6rHfNY0l:AXIvpbmUYfMG7M/Ltggry47QZ
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
8a870280a0dc165cadf46427c4e47c56d3fa42aa2cf823a54358bf48f5102435
-
Size
332KB
-
MD5
f98aa564c242bfb196410e0790d86bec
-
SHA1
c882a94a6303f80aca544fad54502ae09289d107
-
SHA256
8a870280a0dc165cadf46427c4e47c56d3fa42aa2cf823a54358bf48f5102435
-
SHA512
695ccefb3486c9a1e04eafa38f9a58b66360b0529dcaec4b73925985220be1f244b19ce59a22cd0f179245380d87bd2e3bb3f5aa394b61fede1a80f756dc2fbd
-
SSDEEP
6144:03TwjHHEJ9B4S9re5BAYhePRmygh6BSJ/Yt7wuo1+Wjnhx+0Xp:0DrJ9B4S9rPiygcBO/q++6U0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
8f1e4113cab4b08359d501a8144bada9b1e16e7c08944bd38dffc1b93f044a56
-
Size
208KB
-
MD5
acd864649f22cdb41e2a4ad5901ce604
-
SHA1
f744b0b5be5b8408c53f237cbd7bc6f8ab78fea9
-
SHA256
8f1e4113cab4b08359d501a8144bada9b1e16e7c08944bd38dffc1b93f044a56
-
SHA512
b5da95cfb3287b37c5f0f08893f8270c30193f5aa4b2497e7fac7768d365f8eb52128e544c53cf1e2c908b012dab71a2bbd115c1e944a9c1aa3ef8d37d161e7c
-
SSDEEP
6144:3SJYv5kWv99TVWSLymqaT/QOCNKulzLYbXEBmTNespV:3cY99ZVWzm9zLopoXwmTYspV
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae
-
Size
307KB
-
MD5
24113d3ed2dc8ba8789b2874addb0750
-
SHA1
2901dff1dd1b5b619d48c8d04d22c185922e651b
-
SHA256
94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae
-
SHA512
409754870b1cf18269d84a798f69e11cb54540d12217fc0674524ef0e3d42ce38d199d45b7e1b7cb96a70fff87704561b6208bb58bc2628881b9a3d7422aecc7
-
SSDEEP
6144:Kxy+bnr++p0yN90QEA5F5OYc1u31g4TBylzQbR/JOF:HMriy90mxc1u31TTEtQb1JOF
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
9d876cd8a7ae7579651cacc17adc0cb431edfb9d97ab5211307feacb7d83fced
-
Size
531KB
-
MD5
f634c778cd8fcd6361daaf5732645b00
-
SHA1
3dfa1d4822bee408a6f69464db0b4f8dd7424e29
-
SHA256
9d876cd8a7ae7579651cacc17adc0cb431edfb9d97ab5211307feacb7d83fced
-
SHA512
0485aa3208d7a4e686fd7299205f7e639fe9064d01c32483f73a0e5b3caddba0b0d2de8981b96da2fe75cc712d3afffb12917c23a8bf4b62efdafb3b98a6fbe0
-
SSDEEP
12288:AxQcJAQhiF2Emygu3BgkBL6I8Xgxwc49Ba4xEQq53k0Xp:AxQ0hiBBt5swxwc4904qr53R
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd
-
Size
281KB
-
MD5
224ebb289e52c9f3a4c2bd583dab2d7c
-
SHA1
8cc0b7dd2fad4fac37cb87ab3c5027a061fdebb5
-
SHA256
a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd
-
SHA512
ea21feaa211f24f25106c5ec7825f575ad9a2e1d582a9908107d9a9b866db2baeedfc6fd4c6034d492c61491bc06d7c5cda14a31bce6e59c24a9c9537d7d2e2f
-
SSDEEP
6144:Wk65a4mpI1TJe8makPXbhaEW1MvBf5rXweiV/:uMVAJ8PX1aEWapxjm/
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of SetThreadContext
-
-
-
Target
b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b
-
Size
22.6MB
-
MD5
f405a45c4ecd213fded56e340298c9d6
-
SHA1
73ee6bdc0b4175894fd23d58fe4696997288e7ca
-
SHA256
b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b
-
SHA512
3db273d29319f8c41eb7a94098b480caf1b19bdd710471688d2e0d7b587d3cc2572c62ee0f917cc282c48405771374bca86d4138bf3d803960e6b3bb6f0abae4
-
SSDEEP
393216:Lt1OnpMR8K/HxAhnUMsXCSqOfkjABM96q7oGfM58Q5rm+qmpQo69rZkxPTWl3cdC:LtyO/Hx4UhO0hMAngM58crm4pk9rZkxo
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
f09814000e7cb43d244be02b82ed9e60e120494de3b1919428114f861d94a542
-
Size
293KB
-
MD5
211600fc9d7a1bf494c8192d479934b7
-
SHA1
fab67178bc9529a5abdd33647028ca9d7d3a61ae
-
SHA256
f09814000e7cb43d244be02b82ed9e60e120494de3b1919428114f861d94a542
-
SHA512
d23e060d62722bad4d258e0742d23e17ba375e930a23e3a6323735944b07f4f26ab74abaaf81b41f1f0fcbe3fb8f0a02097e45df40ff606c1100c9ad7f272aac
-
SSDEEP
6144:eVwlC1u/z2xPFdGXz3F/CpFbrCl1vdewk4VY1naO0:I1u/z2xt8Qp5G1vdxk4VYQO0
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79
-
Size
9.2MB
-
MD5
eddba78e2b822728a58f9672933ef493
-
SHA1
da324746f626810e779ff2569f85d82ed34721a1
-
SHA256
f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79
-
SHA512
4b5576694dcdc77a1c5b2b4417facf65dbb6a5e54dfbcef0f53f4b9a1c9474989ca0d0ff8c2822d524b0282b3dad160fe5e752e1b4fed33aca4d558087792427
-
SSDEEP
196608:HUSPQiZ2PwXsow5QzwWSlv/e2FpLEvZkm7vRjJ+A8uKgiUT:HFIabQiwWqv7X4emr3+Az
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4