General
-
Target
c6896ba1acb874b2947371a0b75e933cef4343b95dad1c61416277585ed0a060
-
Size
1.8MB
-
Sample
240528-dem9gsdc98
-
MD5
10d5b8feb9cf6cff71fda5381171a107
-
SHA1
7637a8edee4cdb2d525fdb63f8b6e6360be71e4f
-
SHA256
c6896ba1acb874b2947371a0b75e933cef4343b95dad1c61416277585ed0a060
-
SHA512
96e1c7a1d6622c425022bbcef19bd83cad54a2828747ec811e7136b0e7710344b8e1327a00746e188647fbe37e28bfe1490c1d943d925d49864fb7cc3b9008ad
-
SSDEEP
24576:Az2tnh+56UtddlUkn2OT1O06nzTkl9Yr/ocJkhl68j+V9cH+p+1h5kKTIv:mwg57dpzoklSrQWkh1+sHqm4oq
Static task
static1
Malware Config
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
redline
1
185.215.113.67:40960
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
redline
@LOGSCLOUDYT_BOT
185.172.128.33:8970
Extracted
lumma
https://roomabolishsnifftwk.shop/api
https://detailbaconroollyws.shop/api
https://horsedwollfedrwos.shop/api
https://museumtespaceorsp.shop/api
https://patternapplauderw.shop/api
https://buttockdecarderwiso.shop/api
https://understanndtytonyguw.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://considerrycurrentyws.shop/api
https://employhabragaomlsp.shop/api
https://messtimetabledkolvk.shop/api
https://stalfbaclcalorieeis.shop/api
https://deprivedrinkyfaiir.shop/api
https://civilianurinedtsraov.shop/api
https://relaxtionflouwerwi.shop/api
Targets
-
-
Target
c6896ba1acb874b2947371a0b75e933cef4343b95dad1c61416277585ed0a060
-
Size
1.8MB
-
MD5
10d5b8feb9cf6cff71fda5381171a107
-
SHA1
7637a8edee4cdb2d525fdb63f8b6e6360be71e4f
-
SHA256
c6896ba1acb874b2947371a0b75e933cef4343b95dad1c61416277585ed0a060
-
SHA512
96e1c7a1d6622c425022bbcef19bd83cad54a2828747ec811e7136b0e7710344b8e1327a00746e188647fbe37e28bfe1490c1d943d925d49864fb7cc3b9008ad
-
SSDEEP
24576:Az2tnh+56UtddlUkn2OT1O06nzTkl9Yr/ocJkhl68j+V9cH+p+1h5kKTIv:mwg57dpzoklSrQWkh1+sHqm4oq
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
-
Detects executables containing URLs to raw contents of a Github gist
-
Detects executables containing possible sandbox system UUIDs
-
Detects executables referencing many IR and analysis tools
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
UPX dump on OEP (original entry point)
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Impair Defenses
1Subvert Trust Controls
1Install Root Certificate
1Modify Registry
1