General
-
Target
Evon.zip
-
Size
459KB
-
Sample
240521-sjyy4sab4s
-
MD5
6a41a30b4b63f81ae5e93e51d1f1c045
-
SHA1
101d1b15eab07166428392c8980a157f1968b018
-
SHA256
15c60b9188ef2cc9228ea576732f3b60eac10ca6e39f8a39956bad5722176650
-
SHA512
4d10c2fd0a97bb498d4999c10061bf04e1348d14c914a648e2a4d178168c0a3a675e07f085a6c304e2a11b81d1e04a9994389bdee34118c917311d01a7986446
-
SSDEEP
12288:iLSTkqudsU0Yz3jBL75xwc4XscIFl4zA6fzvBLskwRe:WSYquuKjRdxwr81FlQxfDxskV
Static task
static1
Behavioral task
behavioral1
Sample
Evon.zip
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
Launcher.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
log
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
lua51.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
luajit.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
-
Target
Evon.zip
-
Size
459KB
-
MD5
6a41a30b4b63f81ae5e93e51d1f1c045
-
SHA1
101d1b15eab07166428392c8980a157f1968b018
-
SHA256
15c60b9188ef2cc9228ea576732f3b60eac10ca6e39f8a39956bad5722176650
-
SHA512
4d10c2fd0a97bb498d4999c10061bf04e1348d14c914a648e2a4d178168c0a3a675e07f085a6c304e2a11b81d1e04a9994389bdee34118c917311d01a7986446
-
SSDEEP
12288:iLSTkqudsU0Yz3jBL75xwc4XscIFl4zA6fzvBLskwRe:WSYquuKjRdxwr81FlQxfDxskV
Score1/10 -
-
-
Target
Launcher.bat
-
Size
539B
-
MD5
162d9e9294fb1ca66b2ef0808c37b3d0
-
SHA1
c4c12026021484ae35ab529d2be4263435762a4b
-
SHA256
6c4077874e378e3b7ff05dbe2063f0c7018f98bee429a4f4b2f8ffc7ff793d4b
-
SHA512
f467ddf08d99ec1495f32a4eef8a43b3080d976e56ce569264b38e160e6e9655b44d84d1cb5a3ebcb223a802f9b914a28dee7bc51abce48c836f4a4abbb2da88
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
log
-
Size
155KB
-
MD5
ee48ea1bb05ba311a404f4ceb4dc260b
-
SHA1
de40066072c928a1850298944fb561b3122476bd
-
SHA256
6b60e51d5969097d58f1538d8af62e2c01196fb13b1cfef0413032b1c0bf799c
-
SHA512
8d0e6b9f700a198e294ae6c20e92033581c4cc1340d2a17eb0e388fe205b79217478c15abeaef00173c3de07155aa5208f64c27b9ceaa0887147ac4ac16fcbc4
-
SSDEEP
3072:aK7jsid/HtwyCBT2nPOT/DGvPo0KOHQ09ibJVwmJ6KvoK:HB6MbK10AMmJ6BK
Score1/10 -
-
-
Target
lua51.dll
-
Size
592KB
-
MD5
3dff7448b43fcfb4dc65e0040b0ffb88
-
SHA1
583cdab08519d99f49234965ffd07688ccf52c56
-
SHA256
ff976f6e965e3793e278fa9bf5e80b9b226a0b3932b9da764bffc8e41e6cdb60
-
SHA512
cdcbe0ec9ddd6b605161e3c30ce3de721f1333fce85985e88928086b1578435dc67373c3dc3492ed8eae0d63987cac633aa4099b205989dcbb91cbbfc8f6a394
-
SSDEEP
12288:rs7/mj/73RaLHIW5BmUeUhoE4RgiF1q1bPIBKsg4Db0S:rc/u/7IoRnUKfq1Dl4DY
Score3/10 -
-
-
Target
luajit.exe
-
Size
89KB
-
MD5
f9897435f1b4edc09a6ad72f77599124
-
SHA1
162e440573e3b360e563e15dbf09a647dedb779d
-
SHA256
ae478debf2a6ec13d48276b1a6b6fea362feb412f8b995611b28dd2e9be24078
-
SHA512
56eb149c143521a3af8c44f52d3d14d885c030206a0de774fc895f6028d869f7d2f87c9b5bec5e13dd2ed3435c5872c40047ff0aae54c5a732a38408003ab72b
-
SSDEEP
1536:Ee7h7q/J6K3nHC+AGUob2f0DBFPbPWNPWp350NHcHkDsWqxcd2ZPSAv:Ee7oU8HC+AGUu2abPbPWQpO8E0A2tSAv
Score1/10 -