General
-
Target
36a33e7da8ad27ce449d6bc53c6ca650bc283b8f96d5fe797187aea40e0dcc68
-
Size
8.0MB
-
Sample
240515-k6z6paae7w
-
MD5
08d73729db85b5fcf996d5b14fb85af0
-
SHA1
f31955b85cf90c03fadb89497ca0f51f8da7f94f
-
SHA256
36a33e7da8ad27ce449d6bc53c6ca650bc283b8f96d5fe797187aea40e0dcc68
-
SHA512
d5a67e0e22c30d316125d43ea79c41601f0ada96de71ab137f3790e147ee193fee5e02a4f062faedf7e8a4489606cf0f81855c3c269289fe6822beb3676e0f46
-
SSDEEP
196608:8D4iY/n9u/N8wG5QgXn/CaoEwXUJOtAA+LS7DyS8P3Srf:f/ncV8ASqCaNtQiwP+f
Malware Config
Extracted
redline
dimas
185.161.248.75:4132
-
auth_value
a5db9b1c53c704e612bccc93ccdb5539
Extracted
redline
5195552529
https://pastebin.com/raw/NgsUAPya
Extracted
redline
ditro
217.196.96.101:4132
-
auth_value
8f24ed370a9b24aa28d3d634ea57912e
Extracted
redline
5637482599
https://pastebin.com/raw/NgsUAPya
Extracted
redline
@deeqsio
45.15.156.167:80
Extracted
lumma
https://boredimperissvieos.shop/api
https://acceptabledcooeprs.shop/api
https://obsceneclassyjuwks.shop/api
https://zippyfinickysofwps.shop/api
https://miniaturefinerninewjs.shop/api
https://plaintediousidowsko.shop/api
https://sweetsquarediaslw.shop/api
https://holicisticscrarws.shop/api
https://sloganprogrevidefkso.shop/api
https://sofaprivateawarderysj.shop/api
https://lineagelasserytailsd.shop/api
https://tendencyportionjsuk.shop/api
https://headraisepresidensu.shop/api
https://appetitesallooonsj.shop/api
https://minorittyeffeoos.shop/api
https://prideconstituiiosjk.shop/api
https://smallelementyjdui.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
Extracted
redline
7001210066
https://pastebin.com/raw/NgsUAPya
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
5345987420
https://pastebin.com/raw/NgsUAPya
Targets
-
-
Target
100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837
-
Size
876KB
-
MD5
cbb4108b51ced31cee714f2b6ad2379f
-
SHA1
997d33ef7a7c427c7ddf6f6e602e344aa8921049
-
SHA256
100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837
-
SHA512
ddd69d3b12724a9872433b63f39c7a3dac9c0b0687d5d08bfe04da05d7f89681af1b0ae05e886fb2ce8c89d089b62f145d79aaab4874f08da5525df2a49c1429
-
SSDEEP
12288:bMrMy90R7CQPeL/WMx8cSRmr8fXzw8ZPahvKGf6DMARjFlsMmSIOFMopKDD9VJ5Y:PyrRmU+mvVARJlbIY7pKDd0+Y
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
14e92d75842bf0e1bcae35adc805c07925a4a6d97655b90182b6147b5efbaffd
-
Size
523KB
-
MD5
6cd6b5811846dd00cbb4a5f3048d164d
-
SHA1
92ecb7a8fcf6ab701548c8d69fdf331ffe24c20c
-
SHA256
14e92d75842bf0e1bcae35adc805c07925a4a6d97655b90182b6147b5efbaffd
-
SHA512
e125311c3fd8a6fe573a945c1301dfb1996788fed1d48c293331a31c52e2d183403f8f7a2f258eec292a0b9913705428c58948a6e500c39b0b5946e75289a439
-
SSDEEP
12288:AZ4uNyEfgpt6yg1atRqj1SjvvM9iOrCc/AMN3JJb2C0Xp:AZ4sfgXQ1Sjs9iOPPhf+
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
228c35043919b5a4d810fd11dbb1b9646333aa6e75788617e4cc4ac41ab07a1a
-
Size
1.2MB
-
MD5
70c96bf7fd8b873fd3d55511a01b38fa
-
SHA1
84fe856169f0018cada3ecc77b9afcbeef830459
-
SHA256
228c35043919b5a4d810fd11dbb1b9646333aa6e75788617e4cc4ac41ab07a1a
-
SHA512
0c8bdbd699dcfc757302cbec0cd7a0f1f97f1061eef1f6c4739b31625c335504c20c8d4b4095e02963c378a0bad10018264a35eceeb88553bc679676ef1e8fc5
-
SSDEEP
24576:n2z0iTPmcOFrydXT0i9JYMsMy9XD6QmFQBLqs:n2AhFrydXT0EoHmWqs
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
236732ce453b741f26e2fb94d54ade44d3d1ae332c52f6d420a1dcc1c8d05dd5
-
Size
694KB
-
MD5
c8032b42738527a70de1dadc4a7bff5b
-
SHA1
f5f778df15d4e14503bea0f654cf9427ba050a38
-
SHA256
236732ce453b741f26e2fb94d54ade44d3d1ae332c52f6d420a1dcc1c8d05dd5
-
SHA512
babddfaac51c11952a79047852b01c499075acfe24e91dac46a5c590a31be1e4e71df5b1daf27254d9d608fa7345839790f8a550e04392de7f625c5d6b22a97d
-
SSDEEP
12288:OO0Jg3ZJ7hWFArUqHsjumNFcF9gopM3bcgsqV5P3JkTC:OJJU7hWFuHyumzcCLUqV5v0
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
-
-
Target
2a0ae333a9b72768e8a05e7ebbfe4b15cf581f8c08129c0639aeed58eaf7901a
-
Size
333KB
-
MD5
70b649dc98496fdd95d3c31dd28c8a96
-
SHA1
8ac9a901047426fcaec73a4fa061b85ab28a378a
-
SHA256
2a0ae333a9b72768e8a05e7ebbfe4b15cf581f8c08129c0639aeed58eaf7901a
-
SHA512
5a3c19ceee7df6d988bb3ad15c6242820629da8c941f69773f30fc7491a63629f6b1cfc603b2167b04ddbb85d304c1938b3f0d6f1af89af468a6ab5fb0ad873a
-
SSDEEP
6144:R1RwZfFQDiioMvzATd5W0jbSXRYyghzqjjjjjjjfMNV4iJBcp+0Xp:R/zDiioMvzA+iyg9qjjjjjjjf+V4iJB+
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
2b467ee19e1542f60392c1b29a264ffabce3e9a8da48a4707e8d8f1bea1d1244
-
Size
976KB
-
MD5
be9ab75d36757186f2dd7ff0409992fc
-
SHA1
aebd4f46a7c6c2c434799c24b53518a69c1e746a
-
SHA256
2b467ee19e1542f60392c1b29a264ffabce3e9a8da48a4707e8d8f1bea1d1244
-
SHA512
55fd789402126f83046de4c0177e86c08cdd93f49e63d46c0bbf65d649f6e3ea76c25143823cfb527f81b531128ed3c8f30922d866f3ceef45db3e16acb414f3
-
SSDEEP
24576:1vnuUYmYIXcWzGAcq/ztggbB1A+xI9rz:0mYIXcWzGAcq/zE+29X
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c
-
Size
307KB
-
MD5
c707329775778d23ea0f4097ce097a59
-
SHA1
009a8997852eea8bf1449167afae6c7842714a19
-
SHA256
399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c
-
SHA512
9a4bd7e678a323297ad3c88fd15d1c7fae422e6f813816deb0261953906049b37251d94f1891c7b2c75133450950a9cde135136c886cb1befb010c7f36ab2f7d
-
SSDEEP
6144:KUy+bnr+ip0yN90QEcx5QofdhZQ1Gr6VLNGiWH+2ZYXBAT:UMr6y90I5QmXO11TWHSXc
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c
-
Size
332KB
-
MD5
cc374f6af71bc0a4356047a5632665f7
-
SHA1
0aad0c3600a0b007bef4847c257ccaeef1ef0955
-
SHA256
3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c
-
SHA512
94b400ae0de8b33f8804e7be2c2c304e26f6b28b523398966160078f97bf996cb3f3ed2539085c2460eca9589134c2d0399c0f8152af9c7b09549600020f9761
-
SSDEEP
6144:S3zwDH1EpC8wM4ydBrEBniBBu0RSyghWvX/ZDsOJ5G+/GVy4+0Xp:SjZpGM4ydBm/ygQZDsOfGjVyV0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b
-
Size
306KB
-
MD5
d41a5cd7a3a7870992cfd75c5eff1637
-
SHA1
8365910e5f8fff802cd8d928351270432128abaa
-
SHA256
4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b
-
SHA512
893c73fe37c917bf3c8557c1344e03daef3d1264a0296847fbd5e667e0070b6c920a58f709ec96bb2c1afd22a485d366479f57911eb5073e4c77e6f43243604e
-
SSDEEP
6144:vBZd9vSWh60RVAtljy11yiI8iz2jaYO9eGoW/JyL985:JZiWhHE4i6qfRyL985
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
65a31de21fb11e9ed0db8f58105c54bbfc7953f539d85a946293e38e9065bbf0
-
Size
307KB
-
MD5
cd8ea3b63e20a3f928c87c1b8d03fbdf
-
SHA1
3c2a074d94cfa7bd8506eac6662496c5c825c86a
-
SHA256
65a31de21fb11e9ed0db8f58105c54bbfc7953f539d85a946293e38e9065bbf0
-
SHA512
4aad5f7b258602ec851f5a9cb1177187ed4c3a9cb661a067aef17ebc442f768478f9b83ea1da709817bcca2857afdd52a8ab6b49fe56262a7318b920b007931d
-
SSDEEP
6144:K5y+bnr+8p0yN90QEIoHmzPipcmKTbP5NuW5IEj0F1PTnV:XMrMy909HePHRT9NRIDx
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
790345d8c07ae982c606f2db111e6ff6a2bae42847c106a6f096f208f1653d0a
-
Size
1.1MB
-
MD5
c753cb8ff44d0a7c82c7ea5bccac55b4
-
SHA1
bf39a9a1c512affc8c88d99b1bb41c0be91d2214
-
SHA256
790345d8c07ae982c606f2db111e6ff6a2bae42847c106a6f096f208f1653d0a
-
SHA512
60c861ab900217234c317f31a7a60e893a7290e2d220acf83f0a1d1395af39ad08916d083035c2c0d0474f75dcb8ad32e0ace390eaf1834ef097961c78e32d23
-
SSDEEP
24576:xvHCA1uHM1oyR5FvYpIgPFyqUakXu0d0H4F+hy:luHM1oyR5FvYb+/0YF8y
Score10/10-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
7a5164cea09551d97475639ab8fb782d5fff907df5db0ff94ae2cb2a3b40dcf7
-
Size
511KB
-
MD5
c3db92ad91d83ae759f9b62d1dc60690
-
SHA1
cba0187e53f0418353650dd711b8f29c59ee3740
-
SHA256
7a5164cea09551d97475639ab8fb782d5fff907df5db0ff94ae2cb2a3b40dcf7
-
SHA512
fc4034f2ebfde839e0ded47af5da25feef5013a181801e51080ed2f99ae3634dc0dd1924829db258421bc5805e8bcf4141030aa1ad17fe7472c688ad63f10a76
-
SSDEEP
12288:G/w6V3Dq1uUpoLIIt0gSmmufejAdo1jQBAeZXoCe9:J6VzqHpafSmPGjMo1EB0R9
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of SetThreadContext
-
-
-
Target
9a7761a218bd7bd89d897848e3eafea1a05f151c3ab44668124ffa35c4d3a743
-
Size
527KB
-
MD5
cda96eb769b520de195cae37c842c8f3
-
SHA1
a1c8d0bbee8c109fabf1cf26ac3e9af0fc110341
-
SHA256
9a7761a218bd7bd89d897848e3eafea1a05f151c3ab44668124ffa35c4d3a743
-
SHA512
11fe27e375077ad59f0adee3de6ccc32783244d68911b82d76e5a49001dcd3f1e0311abcb1f7e6f51a11dc057cd17b32ae4af36cd25d227ce8f0710ca5cc2e44
-
SSDEEP
12288:6piut3k/AJLoyg8UwaEHQ9Ec131pHBF3tZ60juFF0Xp:6pi1/A8zEw9Ek31dD3P60V
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78
-
Size
876KB
-
MD5
c4f94db419675a2bd6a16b83fe8c381a
-
SHA1
9df4ba3bf6ec393244a8c765e463e597bb64b217
-
SHA256
a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78
-
SHA512
564e7abd509ee71988cd0550846eb241fddd44fb7557a4c76c520a14d1f88f9b2464083f86fe3d8cb6660e2526536e4ea37800d1d957d7ea3a191425eab35855
-
SSDEEP
24576:yyrZFRyjL8oVVYRBh7I21NQxRXsNeo6BP:Z/MjInz1SxR+e
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
c0c8fc8c3baf26ce045fa13a8b1bf6d6051171f13321183317fc587bd5217e49
-
Size
976KB
-
MD5
6d001bfef69bd5ba214890560410dfb3
-
SHA1
61ecf49a6d2e3aee64704e53386f8bf2587d2b01
-
SHA256
c0c8fc8c3baf26ce045fa13a8b1bf6d6051171f13321183317fc587bd5217e49
-
SHA512
2e83fd72e0c2f3cae79066f135c88f70af09375761c73b00c617b2ef10b9011609ed4732fd068818995cc14d0bdbd2c323dea968631b06558141a1a048729486
-
SSDEEP
12288:LDSmk3QSIvpbmlbqYfMG7k+ezHvyOWUtggrafGeZleuzYrA5nOkNFR65a:eXIvpbmUYfMG7M/LtggrypVlR
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
c4172a7d8d27c8367cd7a3b7b3d410e4678ddfd8748e6bf631c21e8f639c7efa
-
Size
297KB
-
MD5
c2f5800951ca0e25d1c9c4a304584dc5
-
SHA1
ce90444d162d1a9309374f052bac3bd8b12e3884
-
SHA256
c4172a7d8d27c8367cd7a3b7b3d410e4678ddfd8748e6bf631c21e8f639c7efa
-
SHA512
6280df39b12c1069e4c54173674ffb00494eda397ff212a5ee21679d5fb3f696b1dec2ccb6ddbc6519b6728df361786934c15646517dc2806993260f25837d2a
-
SSDEEP
6144:sk87zE8yF+JnF/1VVsNx0X4j2UwnGp6m7Bzg5+671wW4WvCoCe:187zE5iwNo4cGBK+cwWMoCe
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
d3855d0640853387bc0df63e4ddcbc8af40e8cbb259b6be8049d23526e31dd68
-
Size
1.2MB
-
MD5
6c68a256a5ce9897ebe5bb882738ded6
-
SHA1
330c5800275066e14ccd07c1131eae7a1349a441
-
SHA256
d3855d0640853387bc0df63e4ddcbc8af40e8cbb259b6be8049d23526e31dd68
-
SHA512
1665a85da3c6394127f8f60b200cb4e6e15a388e3a6e10b0897b90729c4473c90920f2e4f07f38b6ae75d7ae059d3fda6e84db45f9dd86bb8e35f258ec635897
-
SSDEEP
24576:7qcTlAulwiqGeOeerZnwgbwc15305b02iwyu:kulwiqGeOprZocwB
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693
-
Size
332KB
-
MD5
ce35bf4ea4182f8e3524a14e10e90972
-
SHA1
c9a5c28fdbff5ad0a285291142abe592fe9e8688
-
SHA256
d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693
-
SHA512
fd454377a77f900510b2855e6e9954cc7648277404cdd85b8e85b1f2d8e0667e9aea261c660b8d88551d1cdd816bc77d8719edac10b63067aa75f1fc7ee38341
-
SSDEEP
6144:U1Bwp/lwz9PI8/T6f5mUz7S3RMyghFbHDju9DPUgAOGsf+0Xp:UPjz9PI8/Tzeygzbjju9YgAd0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4Create or Modify System Process
2Windows Service
2