General
Target: f0c179b8db5374fa9c4ef639b24bbc363cc99843bfaef5709db2dfb716ce26ba
Size: 4.0MB
Sample: 240605-mj4xgadh59
MD5: 1980f26b8bb4d1bab28e14e9fba92a66
SHA1: 1a8407e4ce990e69e00b70906f3ef76b24c7d2d7
SHA256: f0c179b8db5374fa9c4ef639b24bbc363cc99843bfaef5709db2dfb716ce26ba
SHA512: 059abc42faacd9e8c96955e5dabc123a5cb0a9ff4995caeefab399b0e20cfb366789af6a3cdd56ac52aaba480bfedd516968c54a10d490bef15a94fcebf8901c
SSDEEP: 98304:jJnn4s9iZhey5dO/fZb4ylKR/ZSuo34OGIEWutWMKVPAr:tnn4QOsIdsfZb4yKR/ZQ34/FWq4VPAr
Static task: static1
Behavioral task: behavioral1
Sample: atikmdag-patcher-1.4.14/atikmdag-patcher.exe
Resource: win7-20240215-en
Malware Config
Extracted
quasar
1.4.0.0
Office
135.181.235.186:2424
vLjWia7oT7CKQjEfGEyguygtygygg
encryption_key: YwwSXy4xT39hdTVPGX0J
install_name: csrss.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: NET framework
subdirectory: SubDir
Targets
Target: atikmdag-patcher-1.4.14/atikmdag-patcher.exe
Size: 3.0MB
MD5: 0e1cb5a76b5ed8013332712c9be3c61a
SHA1: b71e495ba56e1674ad202251dfa906767f011f86
SHA256: d98c1c6860f88f670d6a2bcce2736cc7294d88c9ca55d3b9306e784c5f336d37
SHA512: afb6346855cea9309f58c2c1c2ed89a0ef1a679209e75509e922477571b038349484789f4bd179446629b15e4034625bbbc43ff064cce124d52f27933391907a
SSDEEP: 49152:Rdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEj9333cSP:CHDYsqiPRhINnq95FoHVB9333cO

- Quasar payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext