General
-
Target
6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
-
Size
855KB
-
Sample
240519-ecmevahb33
-
MD5
6930cffe3d9c4fcb467cd4be91e865b0
-
SHA1
6a96e61ec3ce3b25150adad642d5b0aac034041b
-
SHA256
e958c060aeac484632b20e3e4dc93af45eb61f483ced432778ddfc5ec9acd552
-
SHA512
5b27fe5294533d32f07a3c8c2134fdc481b13d069b819b4cf999f2cc3e5845bba2dd85023e82cfe90ba1311ea3d9a6d8f3491f6f27ed0c9c911d22f53746e42a
-
SSDEEP
24576:vxLsMs8WdDP89WPncPKXCTu/wJUHIXX4u5:tsldI9WPcyQcIX4A
Malware Config
Extracted
redline
cheat
185.222.58.55:55615
Targets
-
-
Target
6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
-
Size
855KB
-
MD5
6930cffe3d9c4fcb467cd4be91e865b0
-
SHA1
6a96e61ec3ce3b25150adad642d5b0aac034041b
-
SHA256
e958c060aeac484632b20e3e4dc93af45eb61f483ced432778ddfc5ec9acd552
-
SHA512
5b27fe5294533d32f07a3c8c2134fdc481b13d069b819b4cf999f2cc3e5845bba2dd85023e82cfe90ba1311ea3d9a6d8f3491f6f27ed0c9c911d22f53746e42a
-
SSDEEP
24576:vxLsMs8WdDP89WPncPKXCTu/wJUHIXX4u5:tsldI9WPcyQcIX4A
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-