General
-
Target
red.zip
-
Size
40.9MB
-
Sample
240514-g3k1tade3x
-
MD5
8d6d14a66b96ddabfe7ad1ca6d96350b
-
SHA1
b9da7120b47a59d36c015d36bf2c0f2b92aeadb8
-
SHA256
d929db0b4de9bed4c0750ad10440c81484f64e1f308689c0c56cdbe1bfe63b39
-
SHA512
2a5214bb52069774d9fa0577ee0680b4017f0bb9d1e839db72d9f9dee17b04d48363e674ebf84bea4745b23960c0d64d0f1698d6310940467dcd1680756af2fb
-
SSDEEP
786432:8aiC+Jcm1wKfVUNE9ymh2oJAIdoD/goa/ooRm3L1o6GqUh9q4p/aXZBJbQW:ECb1ukE96oJVea/HRmb1VGqUvViJh
Malware Config
Extracted
risepro
194.49.94.152
Extracted
redline
dimas
185.161.248.75:4132
-
auth_value
a5db9b1c53c704e612bccc93ccdb5539
Extracted
redline
5637482599
https://pastebin.com/raw/NgsUAPya
Extracted
stealc
http://147.45.47.71
-
url_path
/eb6f29c6a60b3865.php
Extracted
lumma
https://smallelementyjdui.shop/api
https://sofaprivateawarderysj.shop/api
https://lineagelasserytailsd.shop/api
https://tendencyportionjsuk.shop/api
https://headraisepresidensu.shop/api
https://appetitesallooonsj.shop/api
https://minorittyeffeoos.shop/api
https://prideconstituiiosjk.shop/api
Extracted
redline
7001210066
https://pastebin.com/raw/NgsUAPya
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
5195552529
https://pastebin.com/raw/NgsUAPya
Extracted
redline
darm
217.196.96.56:4138
-
auth_value
d88ac8ccc04ab9979b04b46313db1648
Targets
-
-
Target
0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440
-
Size
1.2MB
-
MD5
79ddbf3796474af496fb1439c5eebc2d
-
SHA1
a19adecb0ac26f08d575309fdd4a9829af0b4a2a
-
SHA256
0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440
-
SHA512
49b2ee4594692e531e3f562584462b73c74c876267fa20c4207fac6fe2de9960cf1d102bc16a41b2f4320bd6a02cbb84d3516cf00f7feca6c57cb06811b4aa99
-
SSDEEP
24576:SBXCi7JIK8li6v93OhlvTMsY5BeDMZGxZYLrbdjxpl10s:SBSJli6v93OLicsjpus
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba
-
Size
307KB
-
MD5
7ca7c1a1e3520b42ee24d3b82c215022
-
SHA1
1b2394ce0934a55e09f29874d70a41f80943608b
-
SHA256
127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba
-
SHA512
0e115f5b0af7d7dbced850c883ef63fcac7bf4cef8d7897c9dce247ff0220e2c3273a0ce57ee426487276fdc85ac6198f83d7123576320ca4083ab5ad85c5feb
-
SSDEEP
6144:K+y+bnr+Hp0yN90QEqUHh4HZn7Erx2br2JpeFfX0vCk0uqo:SMrny90TH0gsbrOAfk6kFL
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde
-
Size
33.9MB
-
MD5
8bca5e8930ba6be4bd9ba59bc4d2f237
-
SHA1
bd7a540af2662707c7b02871efea7e84085129fb
-
SHA256
138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde
-
SHA512
26945f56dc71ea5d3e5359202bc2098b23e31ad4fcf4a3fbdaade2aee2d2e50cf945c884bdf94dc5d949f14770d9d15dfc442cb58e0f50e368f58b3b923fafba
-
SSDEEP
786432:b3yJy4bYpVyTO9NQAR29u1ocoMnTtXTzr6vmU5JaYmZJR:LyJy4sjyTuNQN9aocoqJXTz2OSaFHR
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
3a88637efb4cafae6238b6c3dc5b6b17b7a535e47a3f6a230dcc5cf428db3ad4
-
Size
945KB
-
MD5
79a50ad43658e487f370e2efeddb8391
-
SHA1
755011c959efae47576d0091bb84c5b3649fa78a
-
SHA256
3a88637efb4cafae6238b6c3dc5b6b17b7a535e47a3f6a230dcc5cf428db3ad4
-
SHA512
06f3841817358434fd5ad878287f62b5ccf02c2b8b4f23b25df4eddd5afd832cf1e0ae1fd76b6881a91a729304bbdc4494d4ee05fdfcfa84762ce4a0c0760971
-
SSDEEP
12288:Tm7Ry90ebn/kwazqpDnNaHVBicWKJkc3Y7uRU2L1zmhYae+7YSF5jFLYnP5umJ9/:synEqpxTVikc3HRZL1mJEqLuBumJIx6
Score8/10-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
-
-
Target
5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4
-
Size
332KB
-
MD5
17c66b0d4e0365acb6ae8471066f11ee
-
SHA1
b110e57ad1e2c4d59709a733028dc9dc78244899
-
SHA256
5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4
-
SHA512
9d7ff2c650cb283a0857707d8079f094c6d82dc0a483a01c6579fe902c7e19d5de64b2b72aa2a06402cdfda283911759013f3dae03a10ab723d851065cc75052
-
SSDEEP
6144:blZwB/LgLN340nTaDpOU7riHRkygh37YwmL6ewFKbTm1OazSI+0Xp:bnhLN340nTP+ygB7YwmuTE3mhw0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb
-
Size
976KB
-
MD5
79676a5685abd3075d9225e1252fef08
-
SHA1
44ebddbfb301be20aece75ec8837789fc5a116e2
-
SHA256
6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb
-
SHA512
067c5f880c381839135a53a2221afcf405f6c1a3267fcc887ee7786a8bb85c021e6d55ebb95ccf0ff4aae79502c28b30fc74a47279dab080315cc8d68517a36f
-
SSDEEP
12288:ZDGmkvQuIvpbmlbqYfMG7kiinXHyOWEtggrKE+eJlmuzYj1p8OzEnVWO:IzIvpbmUYfMG7I/btggrrUxEnAO
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61
-
Size
1.2MB
-
MD5
1a8a91c41fbdc6ee93cc46c3f734ccc7
-
SHA1
fadc036ad42baecea7804bd20440a69bd7cee491
-
SHA256
8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61
-
SHA512
3cf0ccad0bde2673352baeef3777e102469ce31424034137041987112a1314ad410e7617886914cf8febd3ef2a7f9d7b5cb717236581fda0b9555665c2d53fed
-
SSDEEP
24576:BmBaiRH28+VLmn1zWVrWhMs2ehVDWsK+t3h5mTdOs:Bm8XVLmn1zW4VSdoWdOs
Score10/10-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62
-
Size
1005KB
-
MD5
80766f346a1033b1abfeeabc7180a880
-
SHA1
2568f835441d53bc785a4ddf8537814826e3d064
-
SHA256
86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62
-
SHA512
029d53c19dd434b410eb61158e8a653c3d3725b50de9e5bb7dd766baed93a37574b3171509ee7e968d18158d89082029e74881630fb852c37b305053ec5c87aa
-
SSDEEP
12288:VMrry90H6OndYa8eQHWFiUDhbkYuuDu6rtRHvb6sCIoxV+pY62N7198r3GJnWIi:KypOnDiU9Pyyhj6sUx+07cSkN
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e
-
Size
307KB
-
MD5
a28b1e892c10ba5e054b20faf5519263
-
SHA1
d9988318cdfbb97edaa2712790cc35f3181ff7b4
-
SHA256
8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e
-
SHA512
fe5ef2074e8f98a066568c6ecd35bae22a556c41f5546820b1e078c0e1fe5458b15e422b9cc4c8459d307e50a0c28b9256c497f47a9fdf5e6aa6de2496c5f3e0
-
SSDEEP
6144:KHy+bnr+Up0yN90QENoHmzPipcmKTbP5NuW5IEj061PG:dMrMy90AHePHRT9NRI4u
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04
-
Size
479KB
-
MD5
869d623180dff73397b5f34058e106f2
-
SHA1
1af73065d328029ee3d82ddd8f625ad3a9d9bcff
-
SHA256
9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04
-
SHA512
bc8a1c93dea8662be47d3737435605efca351a80803e3b41f71da9914153eb0c320d572085e1b2671875951c3311634beae8002e984c1a69f7e98a7258c90498
-
SSDEEP
12288:NMrLy90WwlKPPzKp3NwVDYy0GqUI6TJ60b:Cy0eLqNwVDYBG7IuN
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0
-
Size
332KB
-
MD5
1ca532db776dbb27e5a6fcbee57de507
-
SHA1
4e4e348a558dd67d25b6b74fb10716a341ed9e22
-
SHA256
9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0
-
SHA512
865c63487816ec1d44fa10f45e29807e18de7d23d6062ca8c4000626d685948ac12c08f3fdf0d5e5c1bd84c8d89f096465ee7a3b7d2114ae7c9887e307eabf1a
-
SSDEEP
6144:z3Lw7HV0BJJoa1L+ZBYo5+fR+yghj6Q5KBoxBG9jA4Su7xiKgW2+0Xp:zbBBJJoa1LfSyg5lKkujsu7QKl0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea
-
Size
372KB
-
MD5
7fea6ee2fa2a48b8b3cf29be33437d43
-
SHA1
01eb4c37f826237968eb0a4a1d321480ef018fb9
-
SHA256
a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea
-
SHA512
6c2c96efd3fcbf0da5f575315aa3e963a3639807669a8403a1d1ffa39ba7f3a569394499393b08c264ebd158d7c71f5678b32fe14dedc57aa05b415bf7e87684
-
SSDEEP
6144:nlJwRf1g7CH4k3zaz84Je0L2HRAyghfFSKwpQ33fps211Nq+EiAPI9U5+0Xp:nX77CH4k3z28jSyglFm6s21ymtB0Xp
Score10/10-
Stealc
Stealc is an infostealer written in C++.
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a
-
Size
332KB
-
MD5
187d281b7f99aaa9958e8fd2a3ab4ca4
-
SHA1
4154b6a67a62d0fd8c15c681307658061b08d820
-
SHA256
b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a
-
SHA512
c7b432d26a86ddd0f7304f9e3a8fa9c3ff26d936210cba7645fc6a3edaccd38ef05f62540ad29fee8ad12c6838dd948dab5ce30620246badf1ea447519688ad7
-
SSDEEP
6144:+lZwB/LgLB340nTaDpOU7riHRkyghKxWYc9GkbV9hP1l/F+0Xp:+nhLB340nTP+ygMxW9pzhPo0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a
-
Size
479KB
-
MD5
1f9ac4a621d3726993ba2f185215879a
-
SHA1
e412c6fce79cee62a7b2c806be2c85c1386010a1
-
SHA256
dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a
-
SHA512
9d6dba40bcb85fa4209ac33f45c1c2b36e714a3438827f45effb3fce1f8110e2b015ee5d6df9d80afa9baced1af0dd486e14ff6cd2c30cbf67d9e705f6802be1
-
SSDEEP
12288:RMriy90lIiKadmmqiVkFpziI3NM0oPiiimcr:DyEZKIzoZNM0oPii/W
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05
-
Size
1.0MB
-
MD5
1f3bfca89128252b6de8c902012971bc
-
SHA1
3a96d92e2d30c786e55434238ef987bedc1381c0
-
SHA256
ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05
-
SHA512
b0b72f05bd8532806f39445c403adb3018609d4cc3db870f6a0314452272c0dc23885a708acb5c1cc25fb191451cd14fcd66288c63af78b77f53e2096fc18153
-
SSDEEP
24576:7yTRVpYQYJaiLEA8vrRIBOsE3BcTpa4q+qlfApDerAV8:uTRVpRieIBOfcTpqhJGGA
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3
-
Size
976KB
-
MD5
1d6ed788c4432746e683db0fa5d4b441
-
SHA1
6fd5fdedf740667fcf8f70a8586ed498d5f10b52
-
SHA256
ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3
-
SHA512
32ddb59adf493537c4b074e18a5c5684b5c714503d463c69b352fde37cfb98a3f4327c789d848951973476f38c80a3867b634a7364baf3bcf2c16cd351a1eb30
-
SSDEEP
12288:ED/mkVPvnuUYmlbWIXcWzMjAcM6RYbyOuEtggbuzUB7ntu7YjDeDGiXq8h1+JdFP:Y3nuUYmYIXcWzGAcO/ztggbBfS29F
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
8Registry Run Keys / Startup Folder
8Scheduled Task/Job
1Create or Modify System Process
3Windows Service
3Privilege Escalation
Boot or Logon Autostart Execution
8Registry Run Keys / Startup Folder
8Scheduled Task/Job
1Create or Modify System Process
3Windows Service
3